Terraform Module for Falco AWS Resources.
The examples/single-account directory can be used to create self-contained AWS Resources (Cloudtrail + S3 + SNS + SQS) that track cloud events and make them accessible to the cloudtrail plugin:
$ aws configure get region
<some aws region e.g. us-east-1, eu-west-1>
$ aws sts get-caller-identity
{
"UserId": "XXXX",
"Account": "NNNNN",
"Arn": "arn:aws:iam::NNNN:YYYYY"
}
$ cd examples/single-account
$ terraform init
$ terraform validate
$ terraform apply
...
Apply complete! Resources: 14 added, 0 changed, 0 destroyed.
Outputs:
cloudtrail_sns_subscribed_sqs_arn = "arn:aws:sqs:ZZZZ"
cloudtrail_sns_subscribed_sqs_url = "https://sqs.<REGION>.amazonaws.com/.../<QUEUE NAME>"The <QUEUE_NAME> can then be used in the cloudtrail configuration for the open_params value:
plugins:
- name: cloudtrail
library_path: libcloudtrail.so
init_config: ""
open_params: "sqs://<QUEUE NAME>"
...
load_plugins: [cloudtrail]See README.md in examples/single-account or any of the modules/* subdirectories.
If you want to deploy the falco agent as part of an EKS cluster, configure the above cloudtrail plugin + k8saudit-eks and visualize the events with Falcosidekick check the examples/single-account-full-eks module.
