This repository provides CloudFormation templates to automatically deploy the Falcon Sensor against EKS Clusters across an AWS Organization.
- In the CrowdStrike console, navigate to the API Clients and Keys page.
- Click on "Add new API client".
- Within the "Add new API client" modal, create a new client name and enable the following scopes:
- Add new API Client
- Save the CLIENT ID and SECRET displayed for your records. The SECRET will not be visible after this step.
- Download the contents of this repository.
- Log in to your AWS Account
- In Secrets Manager, create a new secret called /CrowdStrike/Falcon/Credentials and add the following entries with their respective values.
  - falcon_cloud (one of: us-1, us-2, eu-1, us-gov-1)
  - falcon_client_id
  - falcon_client_secret
  - falcon_cid (Falcon CID with 2-character hash)
  - falcon_docker_api_token
- Upload the following files to the root of an S3 Bucket.
  - existing_clusters_lambda_function.zip
  - new_clusters_lambda_function.zip
  - eks_build.zip
  - eks-eventbridge-stackset.yml
  - eks-protection-stack.yml
  - eks-target-roles-stackset.yml
- In the CloudFormation console select create stack.
- Choose Specify Template and upload init.yml
- Fill out the parameters, click next.
- Optional: change Stack Failure Options to Preserve successfully provisioned resources. This option will allow you to maintain the stack and update parameters in the event of a mistake.
- Enable the capabilities in the blue box and click submit.
- Download the contents of this repository.
- Log in to the Management Account or Delegated Administrator of your AWS Organization
- Upload the following files to the root of an S3 Bucket.
  - existing_clusters_lambda_function.zip
  - new_clusters_lambda_function.zip
  - eks_build.zip
  - eks-eventbridge-stackset.yml
  - eks-protection-stack.yml
  - eks-target-roles-stackset.yml
- In the CloudFormation console select create stack.
- Choose Specify Template and upload init.yml
- Fill out the parameters, click next.
- Optional: change Stack Failure Options to Preserve successfully provisioned resources. This option will allow you to maintain the stack and update parameters in the event of a mistake.
- Enable the capabilities in the blue box and click submit.
This solution automatically deploys the Falcon Sensor against your EKS Clusters using the following workflow:
- New Cluster
  - New cluster event triggers Lambda
  - Lambda checks if cluster has EKS API authentication mode enabled
  - If yes, Lambda triggers CodeBuild
  - CodeBuild checks for Active status of cluster
  - Once active, CodeBuild adds Access policy to allow IAM Role to manage cluster
  - CodeBuild gets latest Falcon images and pushes to ECR
  - CodeBuild configures YAML files for deployment
  - CodeBuild installs sensors

Note: The SideCar (container) sensor injection is disabled by default to prevent duplicate sensors running on hybrid (Fargate & EC2) environments. To deploy the SideCar sensor, annotate your pods and/or namespaces to enable injection. For more info see: https://github.com/CrowdStrike/falcon-operator/blob/main/docs/resources/container/README.md

- Existing Clusters
  - Launching the CloudFormation Stack triggers Lambda
  - Lambda generates list of EKS Clusters in the environment
  - Lambda checks if each cluster has Fargate
  - Lambda checks if cluster has EKS API authentication mode enabled
  - If yes, Lambda triggers CodeBuild
  - CodeBuild checks for Active status of cluster
  - CodeBuild adds Access policy to allow IAM Role to manage cluster
  - CodeBuild gets latest Falcon images and pushes to ECR
  - CodeBuild configures YAML files for deployment
  - CodeBuild installs sensors
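
A pre-flight check for the authentication-mode step in the workflow above, as an added example that is not code from this repository: it sorts clusters into those that would pass the check and those that would be skipped and left without a sensor. It assumes "EKS API authentication mode enabled" means an `authenticationMode` of `API` or `API_AND_CONFIG_MAP`, the two modes in which EKS access entries work; the helper names and sample responses are constructed.

```python
"""Pre-flight: which EKS clusters meet the workflow's authentication-mode check."""

# Modes under which EKS access entries (the EKS API) are usable.
# Assumption: this is what the repository's Lambda treats as "enabled".
API_MODES = {"API", "API_AND_CONFIG_MAP"}


def auth_mode(describe_cluster_response):
    """Return accessConfig.authenticationMode from an eks:DescribeCluster response."""
    cluster = describe_cluster_response["cluster"]
    # Assumption: a response without accessConfig is treated as ConfigMap-only.
    return cluster.get("accessConfig", {}).get("authenticationMode", "CONFIG_MAP")


def coverage_report(responses):
    """Split clusters into those passing the check and those that would be skipped."""
    report = {"eligible": [], "skipped": []}
    for resp in responses:
        name = resp["cluster"]["name"]
        mode = auth_mode(resp)
        bucket = "eligible" if mode in API_MODES else "skipped"
        report[bucket].append((name, mode))
    return report


def describe_all(region):
    """Fetch live DescribeCluster responses (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline sample below runs without it
    eks = boto3.client("eks", region_name=region)
    names = []
    for page in eks.get_paginator("list_clusters").paginate():
        names.extend(page["clusters"])
    return [eks.describe_cluster(name=n) for n in names]


# Constructed sample responses, trimmed to the fields used above.
SAMPLE = [
    {"cluster": {"name": "prod-a", "status": "ACTIVE",
                 "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"}}},
    {"cluster": {"name": "legacy-b", "status": "ACTIVE",
                 "accessConfig": {"authenticationMode": "CONFIG_MAP"}}},
    {"cluster": {"name": "old-c", "status": "ACTIVE"}},
    {"cluster": {"name": "new-d", "status": "CREATING",
                 "accessConfig": {"authenticationMode": "API"}}},
]

if __name__ == "__main__":
    for bucket, items in coverage_report(SAMPLE).items():
        for name, mode in items:
            print(f"{bucket:8} {name:10} {mode}")
```

Pass `describe_all("<region>")` to `coverage_report` to run the same check against a live account; every cluster listed under `skipped` is one to move to an API-enabled authentication mode before relying on this deployment for coverage.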
If you encounter any issues or have questions about this repository, please open an issue.
CrowdStrike EKS Protection is a community-driven, open source project designed to provide options for onboarding AWS with CrowdStrike Cloud Security. While not a formal CrowdStrike product, this repo is maintained by CrowdStrike and supported in partnership with the open source community.