@@ -7,13 +7,15 @@ Metadata:
77 default : " "
88 Parameters :
99 - RuleEventPattern
10+ - RateLimit
1011 - Label :
1112 default : " Sysdig Settings (Do not change)"
1213 Parameters :
1314 - NameSuffix
1415 - ExternalID
1516 - TrustedIdentity
16- - TargetEventBusARN
17+ - ApiKey
18+ - IngestionUrl
1719 - Regions
1820 - RuleState
1921 - IsOrganizational
@@ -30,8 +32,12 @@ Metadata:
3032 default : External ID
3133 TrustedIdentity :
3234 default : Trusted Identity
33- TargetEventBusARN :
34- default : Target Event Bus
35+ ApiKey :
36+ default : " API Key (Sysdig use only)"
37+ IngestionUrl :
38+ default : " Ingestion URL (Sysdig use only)"
39+ RateLimit :
40+ default : " Api Destinations Rate Limit"
3541 Regions :
3642 default : Instrumented Regions
3743 RuleState :
@@ -65,9 +71,16 @@ Parameters:
6571 TrustedIdentity :
6672 Type : String
6773 Description : The Role in Sysdig's AWS Account with permissions to your account
68- TargetEventBusARN :
74+ ApiKey :
6975 Type : String
70- Description : The destination in Sysdig's AWS account where your events are sent
76+ Description : API key for Sysdig Secure authentication
77+ IngestionUrl :
78+ Type : String
79+ Description : Sysdig Secure API ingestion URL
80+ RateLimit :
81+ Type : Number
82+ Description : Maximum invocations per second for the API destination
83+ Default : 300
7184 Regions :
7285 Type : CommaDelimitedList
7386 Description : Comma separated list of regions to monitor with EventBridge
@@ -245,14 +258,22 @@ Resources:
245258 Version : " 2012-10-17"
246259 Statement :
247260 - Effect : Allow
248- Action : ' events:PutEvents'
249- Resource : !Ref TargetEventBusARN
261+ Action :
262+ - " events:InvokeApiDestination"
263+ Resource :
264+ - !Sub " arn:${Partition}:events:*:*:api-destination/sysdig-secure-events-${NameSuffix}-destination/*"
250265 - Effect : Allow
251266 Action :
252267 - " events:DescribeRule"
253268 - " events:ListTargetsByRule"
254269 Resource :
255270 - !Sub arn:${Partition}:events:*:*:rule/sysdig-secure-events-${NameSuffix}
271+ - Effect : Allow
272+ Action :
273+ - " events:DescribeApiDestination"
274+ - " events:DescribeConnection"
275+ - " cloudwatch:GetMetricStatistics"
276+ Resource : " *"
256277 EventBridgeRuleStackSet :
257278 Type : AWS::CloudFormation::StackSet
258279 Metadata :
@@ -282,8 +303,12 @@ Resources:
282303 Parameters :
283304 - ParameterKey : Name
284305 ParameterValue : !Sub sysdig-secure-events-${NameSuffix}
285- - ParameterKey : TargetEventBusARN
286- ParameterValue : !Ref TargetEventBusARN
306+ - ParameterKey : ApiKey
307+ ParameterValue : !Ref ApiKey
308+ - ParameterKey : IngestionUrl
309+ ParameterValue : !Ref IngestionUrl
310+ - ParameterKey : RateLimit
311+ ParameterValue : !Ref RateLimit
287312 - ParameterKey : RuleState
288313 ParameterValue : !Ref RuleState
289314 - ParameterKey : RuleEventPattern
@@ -302,9 +327,15 @@ Resources:
302327 Name:
303328 Type: String
304329 Description: resource name identifier
305- TargetEventBusARN :
330+ ApiKey :
306331 Type: String
307- Description: The destination in Sysdig's AWS account where your events are sent
332+ Description: API key for authentication
333+ IngestionUrl:
334+ Type: String
335+ Description: Target endpoint URL for the API destination
336+ RateLimit:
337+ Type: Number
338+ Description: Maximum invocations per second for the API destination
308339 RuleState:
309340 Type: String
310341 Description: The state of the EventBridge Rule
@@ -320,17 +351,36 @@ Resources:
320351 Type: String
321352 Description: AWS Partition of your account or organization to create resources in
322353 Resources:
354+ EventBridgeConnection:
355+ Type: AWS::Events::Connection
356+ Properties:
357+ Name: !Sub ${Name}-connection
358+ AuthorizationType: API_KEY
359+ AuthParameters:
360+ ApiKeyAuthParameters:
361+ ApiKeyName: X-Api-Key
362+ ApiKeyValue: !Ref ApiKey
363+
364+ EventBridgeApiDestination:
365+ Type: AWS::Events::ApiDestination
366+ Properties:
367+ Name: !Sub ${Name}-destination
368+ ConnectionArn: !GetAtt EventBridgeConnection.Arn
369+ InvocationEndpoint: !Ref IngestionUrl
370+ HttpMethod: POST
371+ InvocationRateLimitPerSecond: !Ref RateLimit
372+
323373 EventBridgeRule:
324- Type: " AWS::Events::Rule"
374+ Type: AWS::Events::Rule
325375 Properties:
326- Name: !Ref Name
327- Description: Capture all CloudTrail events
376+ Name: !Sub ${ Name}
377+ Description: Forwards events to Sysdig via API Destination
328378 EventPattern: !Ref RuleEventPattern
329- State: !Sub ${ RuleState}
379+ State: !Ref RuleState
330380 Targets:
331- - Id: !Ref Name
332- Arn: !Sub ${TargetEventBusARN}
333- RoleArn: !Sub arn:${Partition}:iam::${AWS::AccountId}:role/${Name}
381+ - Id: !Sub ${ Name}
382+ Arn: !GetAtt EventBridgeApiDestination.Arn
383+ RoleArn: !Sub " arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
334384OrganizationRoleStackSet :
335385 Type : AWS::CloudFormation::StackSet
336386 Condition : IsOrganizational
@@ -356,8 +406,12 @@ Resources:
356406 ParameterValue : !Ref TrustedIdentity
357407 - ParameterKey : ExternalID
358408 ParameterValue : !Ref ExternalID
359- - ParameterKey : TargetEventBusARN
360- ParameterValue : !Ref TargetEventBusARN
409+ - ParameterKey : ApiKey
410+ ParameterValue : !Ref ApiKey
411+ - ParameterKey : IngestionUrl
412+ ParameterValue : !Ref IngestionUrl
413+ - ParameterKey : RateLimit
414+ ParameterValue : !Ref RateLimit
361415 - ParameterKey : Partition
362416 ParameterValue : !Ref Partition
363417 StackInstancesGroup :
@@ -400,9 +454,15 @@ Resources:
400454 Name:
401455 Type: String
402456 Description: A unique identifier used to create and reference resources
403- TargetEventBusARN:
457+ ApiKey:
458+ Type: String
459+ Description: API key for Sysdig Secure authentication
460+ IngestionUrl:
404461 Type: String
405- Description: The destination in Sysdig's AWS account where your events are sent
462+ Description: Sysdig Secure API endpoint URL
463+ RateLimit:
464+ Type: Number
465+ Description: Maximum invocations per second for the API destination
406466 Partition:
407467 Type: String
408468 Description: AWS Partition of your account or organization to create resources in
@@ -430,15 +490,26 @@ Resources:
430490 PolicyDocument:
431491 Version: "2012-10-17"
432492 Statement:
433- - Effect: Allow
434- Action: 'events:PutEvents'
435- Resource: !Sub ${TargetEventBusARN}
436- - Effect: Allow
437- Action:
438- - "events:DescribeRule"
439- - "events:ListTargetsByRule"
440- Resource:
441- - !Sub arn:${Partition}:events:*:*:rule/${Name}
493+ - Sid: "InvokeApiDestination"
494+ Effect: Allow
495+ Action:
496+ - "events:InvokeApiDestination"
497+ Resource:
498+ - !Sub "arn:${Partition}:events:*:*:api-destination/${Name}-destination/*"
499+ - Sid: "CloudTrailEventRuleAccess"
500+ Effect: Allow
501+ Action:
502+ - "events:DescribeRule"
503+ - "events:ListTargetsByRule"
504+ Resource:
505+ - !Sub "arn:${Partition}:events:*:*:rule/${Name}"
506+ - Sid: "ValidationAccess"
507+ Effect: Allow
508+ Action:
509+ - "events:DescribeApiDestination"
510+ - "events:DescribeConnection"
511+ - "cloudwatch:GetMetricStatistics"
512+ Resource: "*"
442513OrganizationRuleStackSet :
443514 Type : AWS::CloudFormation::StackSet
444515 Condition : IsOrganizational
@@ -463,8 +534,12 @@ Resources:
463534 Parameters :
464535 - ParameterKey : Name
465536 ParameterValue : !Sub sysdig-secure-events-${NameSuffix}
466- - ParameterKey : TargetEventBusARN
467- ParameterValue : !Ref TargetEventBusARN
537+ - ParameterKey : ApiKey
538+ ParameterValue : !Ref ApiKey
539+ - ParameterKey : IngestionUrl
540+ ParameterValue : !Ref IngestionUrl
541+ - ParameterKey : RateLimit
542+ ParameterValue : !Ref RateLimit
468543 - ParameterKey : RuleState
469544 ParameterValue : !Ref RuleState
470545 - ParameterKey : RuleEventPattern
@@ -505,9 +580,15 @@ Resources:
505580 Name:
506581 Type: String
507582 Description: A unique identifier used to create and reference resources
508- TargetEventBusARN :
583+ ApiKey :
509584 Type: String
510- Description: The destination in Sysdig's AWS account where your events are sent
585+ Description: API key for Sysdig Secure authentication
586+ IngestionUrl:
587+ Type: String
588+ Description: Sysdig Secure API endpoint URL
589+ RateLimit:
590+ Type: Number
591+ Description: Maximum invocations per second for the API destination
511592 RuleState:
512593 Type: String
513594 Description: The state of the EventBridge Rule
@@ -523,19 +604,38 @@ Resources:
523604 Type: String
524605 Description: AWS Partition of your account or organization to create resources in
525606 Resources:
607+ EventBridgeConnection:
608+ Type: AWS::Events::Connection
609+ Properties:
610+ Name: !Sub ${Name}-connection
611+ AuthorizationType: API_KEY
612+ AuthParameters:
613+ ApiKeyAuthParameters:
614+ ApiKeyName: X-Api-Key
615+ ApiKeyValue: !Ref ApiKey
616+
617+ EventBridgeApiDestination:
618+ Type: AWS::Events::ApiDestination
619+ Properties:
620+ Name: !Sub ${Name}-destination
621+ ConnectionArn: !GetAtt EventBridgeConnection.Arn
622+ InvocationEndpoint: !Ref IngestionUrl
623+ HttpMethod: POST
624+ InvocationRateLimitPerSecond: !Ref RateLimit
625+
526626 EventBridgeRule:
527- Type: " AWS::Events::Rule"
627+ Type: AWS::Events::Rule
528628 Properties:
529629 Name: !Ref Name
530- Description: Capture all CloudTrail events
630+ Description: Forwards events to Sysdig via API Destination for Sysdig Secure
531631 EventPattern: !Ref RuleEventPattern
532632 State: !Ref RuleState
533633 Targets:
534634 - Id: !Ref Name
535- Arn: !Ref TargetEventBusARN
635+ Arn: !GetAtt EventBridgeApiDestination.Arn
536636 RoleArn: !Sub "arn:${Partition}:iam::${AWS::AccountId}:role/${Name}"
537637Outputs :
538638 EventBridgeRoleARN :
539639 Description : Sysdig Secure EventBridge Role ARN
540640 Value :
541- Fn::Sub : ${EventBridgeRole.Arn}
641+ Fn::Sub : ${EventBridgeRole.Arn}
0 commit comments