modules/integrations/cloud-logs/README.md
Lines changed: 51 additions & 11 deletions
@@ -3,12 +3,36 @@
3
3
This Module creates the resources required to send CloudTrail logs to Sysdig by enabling access to the CloudTrail
4
4
associated s3 bucket through a dedicated IAM role.
5
5
6
-
The following resources will be created in each instrumented account:
6
+
The following resources will be created based on the deployment scenario:
7
7
8
-
- An IAM Role and associated policies that gives the ingestion component in Sysdig's account permission to list and
9
-
retrieve items from it.
8
+
1. For single-account deployments:
9
+
- An IAM Role in the account with permissions to access the S3 bucket directly
10
+
- SNS Topic and Subscription for CloudTrail notifications
10
11
11
-
If instrumenting an AWS Gov account/organization, resources will be created in `aws-us-gov` region.
12
+
2. For organizational deployments (same account):
13
+
- An IAM Role in the management account with permissions to access the S3 bucket directly
14
+
- SNS Topic and Subscription for CloudTrail notifications
15
+
16
+
3. For organizational cross-account deployments:
17
+
- A CloudFormation StackSet that deploys an IAM role directly in the bucket account
18
+
- The role in the bucket account allows Sysdig to access S3 data directly
19
+
- SNS Topic and Subscription for CloudTrail notifications
20
+
21
+
Additional features include:
22
+
- Support for KMS-encrypted S3 buckets by granting the necessary KMS decryption permissions
23
+
- Support for AWS GovCloud deployments
24
+
25
+
## Important Notes for Cross-Account Access
26
+
27
+
When using this module with organizational cross-account access (where CloudTrail bucket is in a different AWS account), the module automatically deploys a StackSet to configure the role in the bucket account.
28
+
The StackSet deployment requires appropriate permissions in the organization. The deploying account must have permission to create and manage StackSets in the organization.
29
+
30
+
### Working with KMS-encrypted S3 buckets
31
+
32
+
For KMS-encrypted S3 buckets, this module configures the necessary decrypt permissions on the IAM role. When using KMS encryption:
33
+
1. Provide the KMS key ARN using the `kms_key_arn` variable
34
+
2. For cross-account scenarios, specify the bucket account ID using the `bucket_account_id` variable
35
+
3. Ensure the KMS key policy allows the created role to use the decrypt operation
12
36
13
37
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
14
38
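Review bot: the rewrite drops the one operational fact the removed GovCloud line carried, that resources for a Gov account/organization are created in the `aws-us-gov` partition; the "Support for AWS GovCloud deployments" bullet under "Additional features include" should keep that statement or point the reader at `is_gov_cloud_onboarding`. Two smaller points in the same hunk: the StackSet paragraph says the deploying account needs "permission to create and manage StackSets in the organization" without saying whether the StackSet uses service-managed permissions (trusted access for CloudFormation StackSets enabled in AWS Organizations, applied from the management or a delegated administrator account) or self-managed administration/execution roles, and that is exactly what an operator must have in place before `terraform apply`; and step 3 of "Working with KMS-encrypted S3 buckets" should name the principal the key policy has to allow. In the cross-account scenario the role that needs `kms:Decrypt` is the one the StackSet creates in the bucket account, not a role in the account running Terraform, and the key policy statement should be scoped to that role's ARN rather than to the bucket account's root.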
@@ -18,14 +42,16 @@ If instrumenting an AWS Gov account/organization, resources will be created in `
|[aws_iam_policy_document.assume_cloudlogs_s3_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
42
73
|[aws_iam_policy_document.cloudlogs_s3_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)| data source |
43
74
|[aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity)| data source |
75
+
|[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region)| data source |
44
76
|[sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity)| data source |
45
77
|[sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id)| data source |
78
+
|[sysdig_secure_cloud_ingestion_assets.assets](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_cloud_ingestion_assets)| data source |
| <aname="input_sysdig_secure_account_id"></a> [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id)| (Required) ID of the Sysdig Cloud Account to enable Cloud Logs integration for (in case of organization, ID of the Sysdig management account) |`string`| n/a | yes |
53
-
| <aname="input_folder_arn"></a> [folder\_arn](#input\_folder\_arn)| (Required) The ARN of your CloudTrail Bucket Folder |`string`| n/a | yes |
54
-
| <aname="input_tags"></a> [tags](#input\_tags)| (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. |`map(string)`| <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
55
-
| <aname="input_name"></a> [name](#input\_name)| (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning |`string`| sysdig-secure-cloudlogs | no |
86
+
| <aname="input_bucket_arn"></a> [bucket\_arn](#input\_bucket\_arn)| (Required) The ARN of your CloudTrail Bucket |`string`| n/a | yes |
87
+
| <aname="input_topic_arn"></a> [topic\_arn](#input\_topic\_arn)| SNS Topic ARN that will forward CloudTrail notifications to Sysdig Secure |`string`| n/a | yes |
88
+
| <aname="input_create_topic"></a> [create\_topic](#input\_create\_topic)| true/false whether terraform should create the SNS Topic |`bool`|`false`| no |
89
+
| <aname="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn)| (Optional) ARN of the KMS key used to encrypt the S3 bucket. If provided, the IAM role will be granted permissions to decrypt using this key. |`string`|`null`| no |
90
+
| <aname="input_bucket_account_id"></a> [bucket\_account\_id](#input\_bucket\_account\_id)| (Optional) AWS Account ID that owns the S3 bucket, if different from the account where the module is being applied. Required for cross-account organizational deployments. |`string`|`null`| no |
91
+
| <aname="input_tags"></a> [tags](#input\_tags)| (Optional) Sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning |`map(string)`| <pre>{<br> "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
92
+
| <aname="input_name"></a> [name](#input\_name)| (Optional) Name to be assigned to all child resources. A suffix may be added internally when required. |`string`| sysdig-secure-cloudlogs | no |
56
93
| <aname="input_regions"></a> [regions](#input\_regions)| (Optional) The list of AWS regions we want to scrape data from |`set(string)`|`[]`| no |
57
94
| <aname="input_is_gov_cloud_onboarding"></a> [is\_gov\_cloud](#input\_is\_gov\_cloud\_onboarding)| true/false whether secure-for-cloud should be deployed in a govcloud account/org or not |`bool`|`false`| no |
95
+
| <aname="input_org_units"></a> [org\_units](#input\_org\_units)| (Optional) List of AWS Organizations organizational unit (OU) IDs in which to create the StackSet instances. Required for cross-account organizational deployments. |`list(string)`|`[]`| no |
96
+
| <aname="input_timeout"></a> [timeout](#input\_timeout)| (Optional) The timeout for StackSet operations |`string`|`"30m"`| no |
| <aname="output_cloud_logs_component_id"></a> [cloud\_logs\_component\_id](#output\_cloud\_logs\_component\_id)| Component identifier of Cloud Logs integration created in Sysdig Backend for Log Ingestion |
103
+
| <aname="output_kms_policy_instructions"></a> [kms\_policy\_instructions](#output\_kms\_policy\_instructions)| Instructions for updating KMS key policy when KMS encryption is enabled |
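Review bot: renaming the required input from `folder_arn` ("The ARN of your CloudTrail Bucket Folder") to `bucket_arn` ("The ARN of your CloudTrail Bucket") is a breaking change for existing callers and also widens what the role is scoped to: a folder ARN let the S3 read policy be limited to one prefix, while a bucket ARN implies object access across the whole bucket. Either keep a prefix input so the read permission stays least-privilege, or say in the description that the role can read every object in the bucket, and record the rename in the changelog and upgrade notes. Two more inconsistencies in the inputs table: `topic_arn` is marked required with no default while `create_topic` (default `false`) says Terraform may create the topic, so either make `topic_arn` optional or document what it must be when `create_topic = true`; and `org_units` targets StackSet instances at whole OUs, so the role that trusts Sysdig's identity is created in every account under those OUs, not only "directly in the bucket account" as the description text above says. State that explicitly and recommend an OU that contains only the bucket account, or account-level StackSet targets, so the cross-account role is not deployed into accounts that do not hold the trail.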