Falco on AWS Cloud

It's Amazon Web Services' largest user conference this week, re:Invent, which is a good time to highlight the ways you can use Falco in the AWS Cloud for runtime security. In this article we'll review what's new, and take a look at installation, plugins, and integrations for AWS.

Support for Amazon Security Lake

We're pleased to announce that Falcosidekick will shortly be available with preview integration for Amazon Security Lake, a new service that optimizes and centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake.

Falcosidekick is designed to forward Falco events into other services: the new integration exports security events using the Open Cybersecurity Schema Framework (OCSF) format, an open industry standard, and sends them directly to Amazon Security Lake. This makes it easier to normalize and combine Falco events with other security data sources. You can check out the integration in the next version of Falcosidekick, 2.27.0.

Installation and drivers

You can find Falco and Falcosidekick as container images through the Amazon ECR Registry:

• Falco image.
• Falcosidekick image.

Additionally, the Falco project publishes pre-built driver modules for AWS kernels, whether you are using the kernel module driver or the eBPF probe. These can be fetched using falco-driver-loader.

Review the available drivers:

• eBPF probes for AWS
• Kernel modules for AWS

The prebuilt modules are available for both x86_64 and aarch64 architectures.

Plugins

Falco plugins let you use event sources other than kernel syscalls. Falco has two plugins specific to AWS.

1. The CloudTrail plugin can read AWS CloudTrail logs and emit events for each CloudTrail log entry. It includes out-of-the-box rules that can be used to identify potential threats in CloudTrail logs, including:
   • Console logins that do not use multi-factor authentication.
   • Disabling multi-factor authentication for users.
   • Disabling encryption for S3 buckets.
2. Falco has extended its capability to read Kubernetes audit logs through a plugin for CloudWatch, where it can read the EKS audit logs. Read more about configuration and usage.

Falcosidekick integrations

Falcosidekick lets you forward events from Falco into a variety of different services, including many on AWS.

• Cloudwatch Logs: emit events into a CloudWatch log stream.
• S3: add events in JSON format to an S3 bucket.
• Lambda: invoke a Lambda function in response to a Falco event.
• SQS: send a message into an SQS queue.
• SNS: create a push notification to apps or people.
• Kinesis: send Falco events as streaming data.
• Amazon Security Lake: add Falco events to a security data lake.

Conclusion

Falco offers a wide variety of support for runtime security on the AWS cloud. As we are an open source project, we welcome contributions and feedback! Read more about running Falco on AWS from this AWS Security blog post, Continuous runtime security monitoring with AWS Security Hub and Falco.

You can find us in the Falco community. Please feel free to reach out to us for any questions, suggestions, or even for a friendly chat!

If you would like to find out more about Falco:

• Get started in Falco.org
• Check out the Falco project in GitHub.
• Get involved in the Falco community.
• Meet the maintainers on the Falco Slack.
• Follow @falco_org on Twitter