AWS Security Hub integration
Threat Detection events from Sysdig Secure for cloud can be integrated in AWS Security Hub, so they also appear in its findings feed.
To activate this integration, follow these steps:
1. Enable AWS Security Hub
To enable AWS Security Hub, visit this link in the same region that you have deployed Sysdig Secure for Cloud, click “Go to Security Hub”, and then at the end of the next page, click “Enable Security Hub”.
2. Accept findings from Sysdig Secure
In Security Hub, click on “integrations”, search for “Sysdig Secure for Cloud”, and click “Accept findings”
In the next screen, click again on “Accept Findings”
3. Enable AWS Security Hub in the configuration file
To enable the AWS Security Hub integration, look for the S3 bucket with the Sysdig Secure for cloud configuration named
sysdig-cloudvision-s3configbucket-XXXXXXXX and edit the
cloud-connector.yaml file to remove the commented lines for the integration. You also have to change the region id of
us-east-1 in the
productArn for the region where you have deployed Sysdig Secure for cloud.
notifiers: - cloudwatch: logGroup: Sysdig-CloudVision-CloudConnectorStack-KTOYERFV4BFH logStream: alerts # - securityhub: # productArn: arn:aws:securityhub:us-east-1::product/sysdig/sysdig-cloud-connector
To do so, you have to download the
cloud-connector.yaml file to your computer, change it, and upload it to the bucket with the same name, so it overwrites the existing one.
4. Restart Sysdig Cloud Connector to load the new configuration
You have to restart the Sysdig Cloud Connector component so it takes the new configuration into consideration. Visit the ECS section in AWS console website, and click on the cluster named
Sysdig-CloudVision-ECSFargateClusterStack-XXXXXXXX. Then click on the “Tasks” tab, click the checkbox besides the
Sysdig-CloudVision-CloudConnectorStack-XXXXXXX task and click the “Stop” button. Wait some seconds and click on the “Reload” icon to see a new equivalent task being created, now with the updated configuration.
That’s all! Wait some minutes for AWS to complete routing the findings, and CloudTrail detections from Sysdig Secure will start appearing in the “findings” section.
When you click on a CloudTrail finding, you will see the details associated with it, like rule triggered, service affected, user that executed the command, its IP address, etc.
Although you may have CloudTrail enabled for more than one AWS region, you have to visit Security Hub in the same AWS region you have deployed Sysdig Secure for cloud, then you will see there all findings, with an indication in details to the AWS region they belong to.
Continue to next sections
Ready to learn more about all of the security capabilities?
➡ Visit the Threat Detection based on CloudTrail section.
➡ Visit the Cloud Security Posture Management and Compliance section.
➡ Visit the ECR Image Registry Scanning section.
➡ Visit the Fargate Image Scanning section.
Please visit any of the following sections for more information: