'
```
-### Q-Benchmark: Getting Error: Not enough privileges to complete the action, Access is denied
-
-```
-Error: Not enough privileges to complete the action, Access is denied
-│
-│ with module.secure -for-cloud_organizational.module.cloud_bench_org[0].sysdig_secure_benchmark_task.benchmark_task,
-│ on.terraform / modules / secure -for-cloud_organizational / modules / services / cloud - bench / main.tf line 55, in resource "sysdig_secure_benchmark_task" "benchmark_task":
-
-│ Error: error waiting for CloudFormation StackSet(sysdig - secure - cloudbench) update: unexpected state 'FAILED', wanted target 'SUCCEEDED'.last error: Operation(terraform - 20221130212414336200000001) Results: 6 errors occurred:
-│ * Account(***) Region(us - east - 1) Status(SUCCEEDED) Status Reason: No updates are to be performed.
-│ * Account(***) Region(us - east - 1) Status(FAILED) Status Reason: Account *** should have
-'stacksets-exec-70e2f8a88d368a5d3df60f4eb8c247dc' role with trust relationship to Role 'aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin
-```
-
-A: For **Organizational** Setup for cloudbench (deployed through management account / delegated administrator vía stackset) make sure it's being deployed in the management account. [enable organizational trusted access to stackset](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) as part of the [prerequisites for stackset operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html)
-
### Q-RuntimeThreat Detection: Getting error 403 `"could not load rule set from Sysdig Secure: ruleprovider#newPartialRuleSet | error loading default-rules: error from Sysdig Secure API: 403`
A: The Sysdig User that deployed the components is a standard user within the Sysdig Platform. Only administrator users are given permissions to read falco rule sets. Once this permission is changed, you should no longer get this error and CSPM Cloud events should start populating.
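Review bot: the StackSet prerequisite this FAQ entry pointed to (enabling organizational trusted access for StackSets from the management account) is not benchmark-specific; if the organizational example still deploys anything through a StackSet, move that pointer into the prerequisites section rather than dropping it together with the Q-Benchmark entry. The remaining `Q-RuntimeThreat Detection ... 403` entry is untouched and still reads fine on its own.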
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
index 51e4d44e..37333c14 100644
--- a/examples/organizational/README.md
+++ b/examples/organizational/README.md
@@ -74,14 +74,12 @@ Role usage for this example comes as follows. Check [permissions](../../README.m
- used by Sysdig to subscribe to cloudtrail events
- used by Sysdig, for image scanning feature, to `assumeRole` on `OrganizationAccountAccessRole` to be able to fetch image data from ECS Tasks and scan ECR hosted images
- - `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
- **member accounts**
- terraform aws provider: 'member' aliased
- this provider can be configured as desired, we just provide a default option
- by default, we suggest using an assumeRole to the [AWS created default role `OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
- if this role does not exist provide input var `organizational_member_default_admin_role` with the role
- - `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
- **sysdig workload member account**
- if ECS workload is deployed, `ECSTaskRole` will be used to define its permissions
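Review bot: both `SysdigCloudBench` bullets are removed here, but the permissions reference in the hunk header (`Check [permissions](../../README.md...)`) should be re-checked so the top-level permissions list no longer describes the `SecurityAudit` read-only role; otherwise this role-usage section and the permissions doc disagree.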
@@ -160,8 +158,6 @@ $ terraform apply
| Name | Source | Version |
|------|--------|---------|
-| [cloud\_bench\_org](#module\_cloud\_bench\_org) | ../../modules/services/cloud-bench | n/a |
-| [cloud\_bench\_single](#module\_cloud\_bench\_single) | ../../modules/services/cloud-bench | n/a |
| [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector-ecs | n/a |
| [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
| [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
@@ -178,7 +174,6 @@ $ terraform apply
| [aws_iam_role.connector_ecs_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [sysdig_secure_connection.current](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_connection) | data source |
## Inputs
@@ -191,8 +186,6 @@ $ terraform apply
| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no |
| [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
| [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
-| [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
-| [deploy\_benchmark\_organizational](#input\_deploy\_benchmark\_organizational) | true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false) | `bool` | `true` | no |
| [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
diff --git a/examples/organizational/cloud-bench.tf b/examples/organizational/cloud-bench.tf
deleted file mode 100644
index bdd6c887..00000000
--- a/examples/organizational/cloud-bench.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-# note; had to split cloud_bench module due to not being able to use dynamics on provider
-# https://github.com/hashicorp/terraform/issues/25244
-
-module "cloud_bench_org" {
- count = var.deploy_benchmark && var.deploy_benchmark_organizational ? 1 : 0
-
- source = "../../modules/services/cloud-bench"
-
- name = "${var.name}-cloudbench"
- is_organizational = true
- region = data.aws_region.current.name
-
- tags = var.tags
-}
-
-module "cloud_bench_single" {
- count = var.deploy_benchmark && !var.deploy_benchmark_organizational ? 1 : 0
- providers = {
- aws = aws.member
- }
-
- source = "../../modules/services/cloud-bench"
-
- name = "${var.name}-cloudbench"
- is_organizational = false
- region = data.aws_region.current.name
-
- tags = var.tags
-}
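Review bot: removing `cloud_bench_org` and `cloud_bench_single` makes the next `terraform apply` on an existing deployment plan a destroy of everything these modules created (the StackSet-managed roles in every member account in the organizational case, the single role in the `aws.member` provider account otherwise); that deserves an explicit upgrade note. These two `count` expressions were also the only visible consumers of `var.deploy_benchmark`, `var.deploy_benchmark_organizational` and `data.aws_region.current`, which is what makes the `variables.tf` and `data.tf` removals in this patch consistent.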
diff --git a/examples/organizational/data.tf b/examples/organizational/data.tf
index c5d0d394..31da1f10 100644
--- a/examples/organizational/data.tf
+++ b/examples/organizational/data.tf
@@ -1,3 +1,2 @@
-data "aws_region" "current" {}
data "sysdig_secure_connection" "current" {}
data "aws_caller_identity" "me" {}
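Review bot: dropping `data "aws_region" "current"` is only safe if nothing else under `examples/organizational` references `data.aws_region.current`; the only consumer visible in this patch is the deleted `cloud-bench.tf`, so a `terraform validate` run on the example should be part of the review. The README Resources table is updated to match.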
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
index 55043c5b..7ef42e35 100644
--- a/examples/organizational/variables.tf
+++ b/examples/organizational/variables.tf
@@ -110,23 +110,6 @@ variable "deploy_image_scanning_ecs" {
}
-#
-# benchmark configuration
-#
-
-variable "deploy_benchmark" {
- type = bool
- description = "Whether to deploy or not the cloud benchmarking"
- default = true
-}
-
-variable "deploy_benchmark_organizational" {
- type = bool
- default = true
- description = "true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false)"
-}
-
-
#---------------------------------
# ecs, security group, vpc
#---------------------------------
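Review bot: deleting `deploy_benchmark` and `deploy_benchmark_organizational` is a breaking input change: a `terraform.tfvars` that still sets them produces "Value for undeclared variable" warnings and a `-var` assignment on the command line fails. Document it in the changelog or upgrade notes; the same point applies to the `deploy_benchmark` removals in the `single-account-apprunner`, `single-account-ecs` and `single-account-k8s` `variables.tf` hunks below.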
diff --git a/examples/single-account-apprunner/README.md b/examples/single-account-apprunner/README.md
index ead476fd..f6085a4e 100644
--- a/examples/single-account-apprunner/README.md
+++ b/examples/single-account-apprunner/README.md
@@ -79,7 +79,6 @@ $ terraform apply
| Name | Source | Version |
|------|--------|---------|
-| [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
| [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector-apprunner | n/a |
| [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
| [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
@@ -100,7 +99,6 @@ $ terraform apply
| [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
| [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
-| [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
diff --git a/examples/single-account-apprunner/benchmark.tf b/examples/single-account-apprunner/benchmark.tf
deleted file mode 100644
index 91577a08..00000000
--- a/examples/single-account-apprunner/benchmark.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-module "cloud_bench" {
- source = "../../modules/services/cloud-bench"
- count = var.deploy_benchmark ? 1 : 0
-
- name = "${var.name}-cloudbench"
- tags = var.tags
-}
diff --git a/examples/single-account-apprunner/variables.tf b/examples/single-account-apprunner/variables.tf
index 37a5b4ee..7c2f0522 100644
--- a/examples/single-account-apprunner/variables.tf
+++ b/examples/single-account-apprunner/variables.tf
@@ -48,16 +48,6 @@ variable "deploy_image_scanning_ecs" {
default = false
}
-#
-# benchmark configuration
-#
-
-variable "deploy_benchmark" {
- type = bool
- description = "Whether to deploy or not the cloud benchmarking"
- default = true
-}
-
#
# general
#
diff --git a/examples/single-account-ecs/README.md b/examples/single-account-ecs/README.md
index 60124922..9880c169 100644
--- a/examples/single-account-ecs/README.md
+++ b/examples/single-account-ecs/README.md
@@ -79,7 +79,6 @@ $ terraform apply
| Name | Source | Version |
|------|--------|---------|
-| [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
| [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector-ecs | n/a |
| [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
| [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
@@ -103,7 +102,6 @@ $ terraform apply
| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
| [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
| [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
-| [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
diff --git a/examples/single-account-ecs/benchmark.tf b/examples/single-account-ecs/benchmark.tf
deleted file mode 100644
index 91577a08..00000000
--- a/examples/single-account-ecs/benchmark.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-module "cloud_bench" {
- source = "../../modules/services/cloud-bench"
- count = var.deploy_benchmark ? 1 : 0
-
- name = "${var.name}-cloudbench"
- tags = var.tags
-}
diff --git a/examples/single-account-ecs/variables.tf b/examples/single-account-ecs/variables.tf
index 6c2ee3d7..cd28ddd7 100644
--- a/examples/single-account-ecs/variables.tf
+++ b/examples/single-account-ecs/variables.tf
@@ -99,17 +99,6 @@ variable "deploy_image_scanning_ecs" {
default = false
}
-
-#
-# benchmark configuration
-#
-
-variable "deploy_benchmark" {
- type = bool
- description = "Whether to deploy or not the cloud benchmarking"
- default = true
-}
-
#
# cloud connector connector configuration
#
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
index 101dff7f..b1c44307 100644
--- a/examples/single-account-k8s/README.md
+++ b/examples/single-account-k8s/README.md
@@ -94,7 +94,6 @@ $ terraform apply
| Name | Source | Version |
|------|--------|---------|
-| [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
| [cloud\_connector\_sqs](#module\_cloud\_connector\_sqs) | ../../modules/infrastructure/sqs-sns-subscription | n/a |
| [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
| [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
@@ -118,7 +117,6 @@ $ terraform apply
| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether s3 should be encrypted. testing/economization purpose. | `bool` | `true` | no |
| [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, deployment region must match Cloudtrail S3 bucket region | `string` | `"create"` | no |
| [deploy\_aws\_iam\_user](#input\_deploy\_aws\_iam\_user) | true/false whether to deploy an iam user. if set to false, check [required role permissions](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/resources/policy-single-account-k8s-aws.json) | `bool` | `true` | no |
-| [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
diff --git a/examples/single-account-k8s/benchmark.tf b/examples/single-account-k8s/benchmark.tf
deleted file mode 100644
index 91577a08..00000000
--- a/examples/single-account-k8s/benchmark.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-module "cloud_bench" {
- source = "../../modules/services/cloud-bench"
- count = var.deploy_benchmark ? 1 : 0
-
- name = "${var.name}-cloudbench"
- tags = var.tags
-}
diff --git a/examples/single-account-k8s/variables.tf b/examples/single-account-k8s/variables.tf
index 2509bc56..bd38aa62 100644
--- a/examples/single-account-k8s/variables.tf
+++ b/examples/single-account-k8s/variables.tf
@@ -61,15 +61,6 @@ variable "deploy_image_scanning_ecs" {
}
-#
-# benchmark configuration
-#
-variable "deploy_benchmark" {
- type = bool
- description = "Whether to deploy or not the cloud benchmarking"
- default = true
-}
-
#
# aws iam user configuration
#
diff --git a/modules/services/cloud-bench/README.md b/modules/services/cloud-bench/README.md
deleted file mode 100644
index 0733cdc8..00000000
--- a/modules/services/cloud-bench/README.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# Cloud Bench deploy in AWS Module
-
-
-Deployed on the **target AWS account(s)**:
-
-- The required IAM Role and IAM Policies (`arn:aws:iam::aws:policy/SecurityAudit`) to allow Sysdig to run AWS Benchmarks on your behalf.
- - A Sysdig provided `ExternalId` will be used.
- - This is done using `aws_cloudformation_stack_set`.
-
-Deployed on **Sysdig Backend**
-- The required provisioning on Sysdig Backend to use the `ExternalId`-basedIAM Role with an AssumeRole.
-- An `aws_foundations_bench-1.3.0` benchmak task schedule on a random hour of the day `rand rand * * *`
-
-This module will be deployed as a StackSet and it will take into account newly member accounts added to the Organization.
-
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0.0 |
-| [aws](#requirement\_aws) | >= 3.62.0 |
-| [sysdig](#requirement\_sysdig) | >= 0.5.29 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | >= 3.62.0 |
-| [sysdig](#provider\_sysdig) | >= 0.5.29 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
-| [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
-| [aws_iam_role.cloudbench_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.cloudbench_security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [sysdig_secure_cloud_account.cloud_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_account) | resource |
-| [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy.security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
-| [aws_iam_policy_document.trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
-| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no |
-| [name](#input\_name) | The name of the IAM Role that will be created. | `string` | `"sfc-cloudbench"` | no |
-| [provision\_caller\_account](#input\_provision\_caller\_account) | true/false whether to provision the aws provider account (if is\_organizational=true management account, if is\_organizational=false it will depend on the provider setup on the caller module | `bool` | `true` | no |
-| [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no |
-| [tags](#input\_tags) | customization of tags to be assigned to all resources.
always include 'product' default tag for resource-group proper functioning.
can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | {
"product": "sysdig-secure-for-cloud"
}
| no |
-
-## Outputs
-
-No outputs.
-
-
-## Authors
-
-Module is maintained by [Sysdig](https://sysdig.com).
-
-## License
-
-Apache 2 Licensed. See LICENSE for full details.
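Review bot: deleting the module README removes the only description of the `ExternalId`-based trust relationship and of the `aws_foundations_bench-1.3.0` task schedule; if benchmarking is now provisioned elsewhere, the top-level README or changelog should point users there, because after this patch nothing in the repository says where the feature went.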
diff --git a/modules/services/cloud-bench/main.tf b/modules/services/cloud-bench/main.tf
deleted file mode 100644
index 6f962e66..00000000
--- a/modules/services/cloud-bench/main.tf
+++ /dev/null
@@ -1,140 +0,0 @@
-#----------------------------------------------------------
-# Fetch & compute required data
-#----------------------------------------------------------
-
-data "aws_caller_identity" "me" {}
-
-data "aws_organizations_organization" "org" {
- count = var.is_organizational ? 1 : 0
-}
-
-data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
- cloud_provider = "aws"
-}
-
-locals {
- caller_account = data.aws_caller_identity.me.account_id
- member_account_ids = var.is_organizational ? [for a in data.aws_organizations_organization.org[0].non_master_accounts : a.id] : []
- account_ids_to_deploy = var.is_organizational && var.provision_caller_account ? concat(local.member_account_ids, [data.aws_organizations_organization.org[0].master_account_id]) : local.member_account_ids
-}
-
-#----------------------------------------------------------
-# Configure Sysdig Backend
-#----------------------------------------------------------
-
-resource "sysdig_secure_cloud_account" "cloud_account" {
- for_each = var.is_organizational ? toset(local.account_ids_to_deploy) : [local.caller_account]
-
- account_id = each.value
- cloud_provider = "aws"
- role_enabled = "true"
- role_name = var.name
-
- lifecycle {
- ignore_changes = [alias]
- }
-}
-
-locals {
- external_id = try(
- sysdig_secure_cloud_account.cloud_account[local.account_ids_to_deploy[0]].external_id,
- sysdig_secure_cloud_account.cloud_account[local.caller_account].external_id,
- )
-}
-
-#----------------------------------------------------------
-# If this is not an Organizational deploy, create role/polices directly
-#----------------------------------------------------------
-
-data "aws_iam_policy" "security_audit" {
- arn = "arn:aws:iam::aws:policy/SecurityAudit"
-}
-
-data "aws_iam_policy_document" "trust_relationship" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
- principals {
- type = "AWS"
- identifiers = [data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity]
- }
- condition {
- test = "StringEquals"
- variable = "sts:ExternalId"
- values = [local.external_id]
- }
- }
-}
-
-resource "aws_iam_role" "cloudbench_role" {
- count = var.is_organizational && !var.provision_caller_account ? 0 : 1
-
- name = var.name
- assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
- tags = var.tags
-}
-
-
-resource "aws_iam_role_policy_attachment" "cloudbench_security_audit" {
- count = var.is_organizational && !var.provision_caller_account ? 0 : 1
-
- role = aws_iam_role.cloudbench_role[0].id
- policy_arn = data.aws_iam_policy.security_audit.arn
-}
-
-
-#----------------------------------------------------------
-# If this is an Organizational deploy, use a CloudFormation StackSet
-#----------------------------------------------------------
-
-resource "aws_cloudformation_stack_set" "stackset" {
- count = var.is_organizational ? 1 : 0
-
- name = var.name
- tags = var.tags
- permission_model = "SERVICE_MANAGED"
- capabilities = ["CAPABILITY_NAMED_IAM"]
-
- auto_deployment {
- enabled = true
- retain_stacks_on_account_removal = false
- }
-
- template_body = <ECR, Public Repositories | Codebuild project |
-| GCP | Project | Organization with member projects | Project/Organization Sink,
GCR PubSub Topic | K8S `-k8s`, CloudRun | Workload Identity Federation | CloudRun deployed images,
GCR, Public Repositories |Cloudbuild task |
-| Azure | Subscription | Tenant subscriptions| EventHub, Eventgrid | K8S `-k8s`, AzureContainerInstances (ACI) | Azure Lighthouse | ACI deployed images,
ACR, Public Repositories | ACR Task |
+| Cloud | Single Setup | Organizational Setup | Event Source | Compute Deployment Options | Sysdig Role Setup | Image Scanning Options | Spawned Scanning Service |
+|-------|--------------|-----------------------------------|--------------------------------------------------|------------------------------------------------|--------------------------------|--------------------------------------------------------|--------------------------|
+| AWS | Account | Organization with member accounts | Cloudtrail | K8S `-k8s`, ECS `-ecs`, AppRunner `-apprunner` | IAM Role with Trusted Identity | ECS deployed images,
ECR, Public Repositories | Codebuild project |
+| GCP | Project | Organization with member projects | Project/Organization Sink,
GCR PubSub Topic | K8S `-k8s`, CloudRun | Workload Identity Federation | CloudRun deployed images,
GCR, Public Repositories | Cloudbuild task |
+| Azure | Subscription | Tenant subscriptions | EventHub, Eventgrid | K8S `-k8s`, AzureContainerInstances (ACI) | Azure Lighthouse | ACI deployed images,
ACR, Public Repositories | ACR Task |
### Which Compute Deployment Should I Choose?
-There are no preffered way, just take a technology you're familiar with. Otherwise, prefer non-K8S, as it will be harder to maintain.
+There are no preferred way, just take a technology you're familiar with. Otherwise, prefer non-K8S, as it will be harder to maintain.
For AWS, beware of [AppRunner region limitations](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account-apprunner/README.md#prerequisites).
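Review bot: the deleted `main.tf` also removes the `sysdig_secure_cloud_account` registrations for every account in `local.account_ids_to_deploy`, not only the IAM role and StackSet; confirm that de-registering those accounts on the Sysdig side is intended on upgrade, since destroying the StackSet removes the `SecurityAudit` role from all member accounts in one apply. Separately, in the use-cases README portion of this hunk, `There are no preferred way` fixes the spelling but not the grammar; use `There is no preferred way`.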
@@ -21,14 +21,14 @@ For AWS, beware of [AppRunner region limitations](https://github.com/sysdiglabs/
Make use of optionals to reuse pre-existing resources and prevent incurring in more costs.
-| Cloud | Optionals | Related Input Vars | Other |
-| -- | --| -- | -- |
-| AWS | Cloudtrail | single: [`cloudtrail_sns_arn`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-ecs#input_cloudtrail_sns_arn)
organizational: [`existing_cloudtrail_config`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/organizational#input_existing_cloudtrail_config) | For organizational example, optional resources must exist in the management account. For other setups check other alternative use-cases |
-| | ECS, VPC, Subnet | `ecs_cluster_name`, `ecs_vpc_id`, `ecs_vpc_subnets_private_ids` | if used, the three are mandatory |
-| GCP | - | - | - |
-| Azure | ResourceGroup | `resource_group_name` | - |
-| | ACR | `registry_name`, `registry_resource_group_name` | - |
-| * | Compute Workload | - | All clouds allow Sysdig Secure for cloud to be deployed on a pre-existing K8S cluster|
+| Cloud | Optionals | Related Input Vars | Other |
+|-------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
+| AWS | Cloudtrail | single: [`cloudtrail_sns_arn`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-ecs#input_cloudtrail_sns_arn)
organizational: [`existing_cloudtrail_config`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/organizational#input_existing_cloudtrail_config) | For organizational example, optional resources must exist in the management account. For other setups check other alternative use-cases |
+| | ECS, VPC, Subnet | `ecs_cluster_name`, `ecs_vpc_id`, `ecs_vpc_subnets_private_ids` | if used, the three are mandatory |
+| GCP | - | - | - |
+| Azure | ResourceGroup | `resource_group_name` | - |
+| | ACR | `registry_name`, `registry_resource_group_name` | - |
+| * | Compute Workload | - | All clouds allow Sysdig Secure for cloud to be deployed on a pre-existing K8S cluster |
### Overview
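Review bot: in the rewritten table the AWS/Cloudtrail row's `Related Input Vars` cell is still split across two lines (`single: ...` on one line, `organizational: ...` on the next), which breaks rendering in GitHub-flavoured markdown where a row must be a single line; join the two links on one line or separate them with an explicit `<br>`. The column-width padding is cosmetic and fine.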
diff --git a/use-cases/_questionnaire.md b/use-cases/_questionnaire.md
deleted file mode 100644
index 54be5a2a..00000000
--- a/use-cases/_questionnaire.md
+++ /dev/null
@@ -1,74 +0,0 @@
-_Last update: 2023.04.04_
-
-# Use-Case Questionnaire
-
-This questionnaire is aimed to help you/us find the most suitable way of deploying [Sysdig Secure for Cloud](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/) in your infrastucture, as well as to understand the needs to develop new official `/examples`, for reducing the installation friction.
-
-Despite wanting only to trial it, we suggest that you deploy, and test it, in th **most-similar situation to what
-you have on your production environment**.
-
-We are aware that current examples don't suit all situations, and we will keep improving them to be as configurable as possible.
-Contact us with these questions answered to help us.
-
-
-
-Sysdig Secure for Cloud is served in Terraform [AWS](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud), [GCP](https://github.com/sysdiglabs/terraform-google-secure-for-cloud) and [Azure](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud)
-modules, and we also offer [AWS Cloudformation templates](https://github.com/sysdiglabs/aws-templates-secure-for-cloud)
-
-
-
-
-## Sysdig Features
-
-In what [Sysdig For Cloud Features](https://docs.sysdig.com/en/docs/sysdig-secure/sysdig-secure-for-cloud/) are you interested in?
-
-- [Runtime Threat Detection](https://docs.sysdig.com/en/docs/sysdig-secure/insights/)
-- [Compliance](https://docs.sysdig.com/en/docs/sysdig-secure/posture/compliance/compliance-unified-/) (cis benchmarks and others)
-- [Identity and Access Management](https://docs.sysdig.com/en/docs/sysdig-secure/posture/permissions-and-entitlements/)
-- [Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)
- - Registry/repository push-based image scanning
- - Runtime workload image scanning (ecs on Aws, cloudrun on GCP, or container instances on Azure)
- - Note: Sysdig offers many other ways of performing scanning, and we recommend you to [Check all Scanning options in the Vulnerability Management](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/) to push this task as far to the left as possible (dev side)
-
-
-
-
-## Client Infrastructure
-
-### aws-specific
-- do you have **existing aws cloudtrail**?
- - is it an organizational cloudtrail in the organization management account?
- - does this organizational cloudtrail report to an SNS? if yes, is it in the same management account? if no, could you enable it? ingestor-type: `aws-cloudtrail-sns-sqs`
- - is the S3 bucket of that cloudtrail in the management account or a sepparated member account?
- - if it's not organizational, does each trail report to the same s3 bucket?
- - if so, does that S3 bucket already have any "Event Notification System"? Is it an SNS we could subscribe to? ingestor-type: `aws-cloudtrail-s3-sns-sqs`
- - if so, does that S3 bucket already have an "Amazon EventBridge" system activated? ingestor-type: `aws-cloudtrail-s3-sns-sqs-eventbridge`
-- whether it's organizational or not, could you give us a quick picture of the infra setup in terms of what resource is in what account? the resources of interest are the ones you may want to reuse, such as the cloudtrail, cloudtrail-sns, cloudtrail-s3, existing clusters where to deploy the workload, ...
- - where (which member account) would you like secure for cloud module to be deployed? to help simplification, would it be possible to deploy it in the same account as the S3 bucket is?
-
-### google-cloud specific
-- do you have Logs API activated in place (either organizational or per-project)?
- - if yes, for billing estimation purpose, could you run the folowing query on the target scope of the log explorer, for a given month range??
-```logName=~"^projects/SCOPED_PROJECT_OR_ORG/logs/cloudaudit.googleapis.com" -resource.type="k8s_cluster"``` . first part is optional for scoping down.
-
-
-### general
-- does your company work under an **organization** (AWS/GCP) or tenant (Azure)?
- - if so, how many member accounts (aws) /projects (gcp) /subscriptions (azure) does it have?
- - regarding of the number, how many accounts would be required to enroll in the secure for cloud setup?
- - do you have dynamic accounts/projects/subscriptions? what's their lifecycle?
- - does it have any landing such as aws control-tower? what's the event management there (if any)?
-- sysdig secure for cloud is presented in different **compute workload** flavors; ecs on aws, cloudrun on gcp or azure container instances on azure, plus a K8s deployment an all three clouds, plus apprunner on aws (less resource-demaing than ecs, but region limited)
- - in case of ECS or K8S, do you have an existing cluster you would like to re-use?
-- how many **regions** do you work with?
- - if more than one, could you briefly explain the region usage/setup?
- - secure for cloud requires both s3 and cloudtrail-sns to be deployed in the same region. would that apply to the use-case?
- - in case of AWS ECS deployment, it have to be done in the same previous region. would that be a problem?
-- how do you handle **IAM permissions**? would you let our Terraform scripts set them up for you, or you want to set them yourself manually? any restriction we may be aware of?
-- how do you handle **outbound newtwork connection** securization? does your infrastructure have any customized VPC/firewally setup?
-- **Deployment** type
- - are you familiar with the installation stack? Terraform, Cloudformation, AWS CDK, ...? would you have any preference?
- - do you use any other InfraAsCode frameworks?
- - if you want to use Kubernetes compute for Sysdig deployment, what's your current way of deploying helm charts?
-
-
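Review bot: the deleted questionnaire is the only place in this tree that names the CloudTrail ingestor variants (`aws-cloudtrail-sns-sqs`, `aws-cloudtrail-s3-sns-sqs`, `aws-cloudtrail-s3-sns-sqs-eventbridge`) and the constraint, under `### general`, that the S3 bucket, the CloudTrail SNS topic and an ECS deployment must sit in the same region; before dropping the file, confirm those facts are already in the README or module docs, or move the `### aws-specific` and `### general` bullets there. The Logs Explorer query under `### google-cloud specific` (`logName=~"^projects/SCOPED_PROJECT_OR_ORG/logs/cloudaudit.googleapis.com" -resource.type="k8s_cluster"`) is the only billing-estimation guidance for GCP and is worth keeping in whichever document replaces this one.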
diff --git a/use-cases/manual-compliance.md b/use-cases/manual-compliance.md
deleted file mode 100644
index 5000864a..00000000
--- a/use-cases/manual-compliance.md
+++ /dev/null
@@ -1,157 +0,0 @@
-# Manually Onboard an AWS Account for CSPM
-
-To enable [CSPM (Compliance)](https://docs.sysdig.com/en/docs/sysdig-secure/posture/compliance/) in your AWS account, you create the following resources on the Sysdig Secure SaaS backend:
-
-- An `account` representing the AWS account for which you want to enable CSPM
-- A trust-relationship `component` that represents the IAM Role in your AWS account
-- A CSPM `feature` that indicates CSPM scans should be run against this account
-
-
-## Guidelines
-
-- This method of installation will only support CSPM (Compliance).
-
-- The following features will not work:
- - Threat Detection
- - Identity and Access
- - Image Scanning
-
- To install other features, see the [Installation Guide](https://docs.sysdig.com/en/docs/installation/sysdig-secure/connect-cloud-accounts/aws/).
-
-- In each AWS account you want to run CSPM, you must create an IAM Role with `SecurityAudit` permissions that Sysdig is able to assume.
-
-- Ensure that you make Sysdig aware of these accounts and roles.
-
-
-## Preparation
-
-To learn more about using the Sysdig Secure APIs, see [Development Tools](https://docs.sysdig.com/en/docs/developer-tools/).
-
-### Retrieve the **Sysdig Trusted Identity** and **ExternalID**
-
-Run the following to retrieve the `TrustRelationshipPolicy`:
-
-```shell
-$ curl -s 'https:///api/cloud/v2/aws/trustedRoleDoc' \
---header 'Authorization: Bearer '
-```
-This policy will be used when you create an IAM role as given below.
-
-An example response to this call:
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::123456789012:role/us-east-1-some-sysdig-role"
- },
- "Action": "sts:AssumeRole",
- "Condition": {
- "StringEquals": {
- "sts:ExternalId": "0123abc456defg7890hijk123lmn0774"
- }
- }
- }
- ]
-}
-```
-
-## Provision Your AWS Account
-
-### Create an IAM Role
-
-Sysdig secures your cloud environment by assuming an IAM Role you create within your AWS Account.
-
-1. Create a new IAM Role with a Custom trust policy.
-2. Set the value of the trust polity to the `TrustRelationshipPolicy` policy retrieved above.
-3. Attach the AWS-managed `arn:aws:iam::aws:policy/SecurityAudit` policy.
-4. Give the role a unique name, and save the name for later use.
-5. Add **Tags** and a **Description** as desired.
-
-For more information, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html)
-
-## Provision Sysdig
-
-### Create an AWS Account Representation
-
-```shell
-$ curl "https:///api/cloudauth/v1/accounts" \
---header "Authorization: Bearer " \
--X POST \
--H 'Accept: application/json' \
--H 'Content-Type: application/json' \
--d '{
- "providerId": "",
- "provider": "PROVIDER_AWS",
- "enabled": true
-}'
-```
-
-An example response to this call:
-
-```json
-{
- "id": "2fb94253-3a93-4d43-a739-2cb8c1c6f886",
- "customerId": "123",
- "enabled": true,
- "providerId": "123456789012",
- "provider": "PROVIDER_AWS",
- "feature": {},
- "createdAt": "2023-05-22T21:26:03.288075Z",
- "updatedAt": "2023-05-22T21:26:03.288358Z"
-}
-```
-
-Take note of the `id` field, which is referenced in subsequent calls. Note this is **not the AWS AccountID**, which is stored in the `providerId` field.
-
-
-### Create a Trust Relationship Component
-
-1. Collect the following:
-
- - ``: The `id` field retrieved from the response in the previous step.
- - ``: The name of the IAM role created above. Note this is not the ARN, but the role name.
-
-2. Replace `` and `` with the `id` and the role name respectively, and run the following:
-
- ```shell
- $ curl -s "https:///api/cloudauth/v1/accounts//components" \
- --header "Authorization: Bearer " \
- -X POST \
- -H 'Accept: application/json' \
- -H 'Content-Type: application/json' \
- -d '{
- "type": "COMPONENT_TRUSTED_ROLE",
- "instance": "manual",
- "trustedRoleMetadata": {
- "aws": {
- "roleName": ""
- }
- }
- }'
- ```
-
-
-### Create a CSPM Feature Representation
-
-Replace `` with the `id` field you have retrieved before and run the following:
-
-```shell
-$ curl -s "https:///api/cloudauth/v1/accounts//feature/FEATURE_SECURE_CONFIG_POSTURE" \
---header "Authorization: Bearer " \
--X PUT \
--H 'Accept: application/json' \
--H 'Content-Type: application/json' \
--d '{
- "type": "FEATURE_SECURE_CONFIG_POSTURE",
- "enabled": true,
- "components": ["COMPONENT_TRUSTED_ROLE/manual"]
-}'
-```
-
-## Verify the Installation
-
-Verify that your installation is successful by following the [CSPM Validation instructions](https://docs.sysdig.com/en/docs/installation/sysdig-secure/connect-cloud-accounts/aws/#check-cspm).
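Review bot: removing this file leaves no pointer from the repo to a manual CSPM onboarding path; add a line to the README or the use-cases index that sends readers to the Installation Guide already linked in the removed `## Guidelines` section (https://docs.sysdig.com/en/docs/installation/sysdig-secure/connect-cloud-accounts/aws/), otherwise inbound links to `use-cases/manual-compliance.md` break silently. If the procedure is meant to survive elsewhere, carry over the two security-relevant details the deleted text states: the role gets only the AWS-managed `arn:aws:iam::aws:policy/SecurityAudit` policy, and the trust policy is the `trustedRoleDoc` response with its `sts:ExternalId` condition, which is the confused-deputy protection on that role and must not be dropped when the policy is pasted in.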
diff --git a/use-cases/manual-org-three-way.md b/use-cases/manual-org-three-way.md
index 8df2b9ec..5a783fe0 100644
--- a/use-cases/manual-org-three-way.md
+++ b/use-cases/manual-org-three-way.md
@@ -8,9 +8,6 @@ This use case describes setting up Secure for Cloud for a multi-AWS accounts env
This setup will provide the following [Sysdig Secure for Cloud](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/) features:
- [Threat Detection](https://docs.sysdig.com/en/docs/sysdig-secure/policies/threat-detect-policies/)
-- [Posture](https://docs.sysdig.com/en/docs/sysdig-secure/posture/)
-- [Compliance](https://docs.sysdig.com/en/docs/sysdig-secure/posture/compliance/)
-- [Identity Access Management](https://docs.sysdig.com/en/docs/sysdig-secure/posture/identity-and-access/)
## Prerequisites
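Review bot: the same three bullets (`Posture`, `Compliance`, `Identity Access Management`) are removed from `org-single-account.md` later in this patch, so the change is consistent, but the surviving line `This setup will provide the following ... features:` now introduces a single-entry list containing only `Threat Detection`; consider collapsing it to one sentence. Also check that the intro on the `@@` context line (`setting up Secure for Cloud for a multi-AWS accounts env...`) no longer describes a compliance account, since that account is removed in the next hunk.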
@@ -40,16 +37,6 @@ This setup will provide the following [Sysdig Secure for Cloud](https://docs.sys
See **account-management** and **account-security** modules in the diagram given below.
-- AWS member account for Compliance
-
- - Sysdig Compliance Role:`aws:SecurityAudit policy`.
-
- For more information, see [Creating IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html).
-
- This IAM Role provisions permissions pertaining to enable audit trail for compliance.
-
- See the **account-compliance** module in the diagram given below.
-
## Overview
In this setup, you will do the following:
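Review bot: the removed `AWS member account for Compliance` bullet ends with `See the **account-compliance** module in the diagram given below.`, so the diagram still shows a third (compliance) account unless it is updated in the same change; the surviving context line `See **account-management** and **account-security** modules in the diagram given below.` now describes a two-account layout, which also makes the file name `manual-org-three-way.md` and any `three-way` wording stale. Update or regenerate the diagram and re-title the use case, or state in the commit message why the compliance leg stays in the picture.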
@@ -66,11 +53,6 @@ In this setup, you will do the following:
- A topic for `cloudtrail-sns-sqs` setting from the organizational Cloudtrail into Cloud Connector compute module.
-We recommend that you perform the operations in the following order:
-
-1. Deploy the Cloud Connector. This configuration enables Threat Detection.
-2. Configure the Compliance role, `aws:SecurityAudit policy`, if required.
-
## Create Sysdig Compute Role
When running the workload on EKS or ECS, use the SysdigComputeRole, `ARN_SYSDIG_COMPUTE_ROLE`.
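Review bot: dropping the whole `We recommend that you perform the operations in the following order:` block also loses step 1 (`Deploy the Cloud Connector. This configuration enables Threat Detection.`), which is still valid for the one feature this use case keeps; only step 2 (`Configure the Compliance role, aws:SecurityAudit policy, if required.`) is obsolete. Keep a one-line note before `## Create Sysdig Compute Role` that the Cloud Connector deployment is what enables Threat Detection, or fold it into the overview list just above.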
diff --git a/use-cases/multiple-accounts-k8s-threat.md b/use-cases/multiple-accounts-k8s-threat.md
index 6178a506..ba34d507 100644
--- a/use-cases/multiple-accounts-k8s-threat.md
+++ b/use-cases/multiple-accounts-k8s-threat.md
@@ -22,7 +22,6 @@ From the [available features for Secure for cloud AWS](https://docs.sysdig.com/e
- [X] Account-specific
- [?] All individual Cloudtrail accounts need to be analysed
- [ ] Image Scanning (ECR and ECS)
-- [ ] Compliance / Benchmark
- [ ] CIEM
### Other Requirements
diff --git a/use-cases/org-single-account.md b/use-cases/org-single-account.md
index 301a0ba6..2eacc400 100644
--- a/use-cases/org-single-account.md
+++ b/use-cases/org-single-account.md
@@ -11,22 +11,9 @@ This use case will leverage the [`examples/organizational`](./examples/organizat
This use case provides the following [Sysdig Secure For Cloud](https://docs.sysdig.com/en/docs/sysdig-secure/sysdig-secure-for-cloud/#features) features:
- [Threat Detection](https://docs.sysdig.com/en/docs/sysdig-secure/policies/threat-detect-policies/)
-- [Posture](https://docs.sysdig.com/en/docs/sysdig-secure/posture/)
-- [Compliance](https://docs.sysdig.com/en/docs/sysdig-secure/posture/compliance/)
-- [Identity Access Management](https://docs.sysdig.com/en/docs/sysdig-secure/posture/identity-and-access/)
## Preparation
-You will use the following to enable single account deployment:
-
-### `deploy_benchmark_organizational`
-
-You will set the `deploy_benchmark_organizational"` variable to false in the terraform configuration.
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [deploy\_benchmark\_organizational](#input\_deploy\_benchmark\_organizational) | Determines if the benchmark module should be deployed on organizational or single-account mode. Creates one role per org accounts if true. Creates one role in the default aws provider account if false) | `bool` | `true` | no |
-
### AWS Terraform Providers
You will work on the following setups: default and member terraform providers.
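Review bot: removing the `deploy_benchmark_organizational` section must be paired with removing the variable from the module, otherwise this section was the only record of its behaviour; the deleted table row states the default is `true` and that `true` creates one role per org account, so if the input still exists a reader following this single-account use case silently gets organization-wide benchmark roles. Verify `variables.tf` and the generated README for `examples/organizational` in the same PR, and if the variable stays, keep the table row. Separately, with the `You will use the following to enable single account deployment:` intro gone, `## Preparation` now jumps straight to `### AWS Terraform Providers`; a one-line intro sentence would keep the section readable.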
@@ -89,7 +76,6 @@ module "secure_for_cloud_organizational" {
source = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
sysdig_secure_for_cloud_member_account_id = ""
- deploy_benchmark_organizational = false
...
}
```
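Review bot: with `deploy_benchmark_organizational = false` removed from the `module "secure_for_cloud_organizational"` example, the snippet relies entirely on the module default for benchmark mode, and the earlier hunk in this file removed the only table that documented that default. If the variable was deleted from the module this is fine; if it was merely left at its default, the single-account example should keep an explicit value so the intent is visible to whoever copies the block, and the prose around it should say what the default is.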