Sysdig Secure Runtime Policies are a combination of rules describing the activities an enterprise wants to detect in an environment and the actions that should be taken if a policy rule is breached. In the case of Cloud Security, these may relate to activities within your AWS account, such as users being created or updated, or S3 buckets being manipulated.
Browse to Sysdig Secure, navigate to ‘Policies > Runtime Policies’, and highlight ‘AWS CloudTrail security event’.
You can see the list of rules that make up this policy.
Click and expand the rule ‘Delete bucket encryption’.
You’ll notice that this is a regular Falco rule.
- rule: Delete bucket encryption (Copy)
  desc: Detect deleting configuration to use encryption for bucket storage
  condition: >-
    jevt.value[/eventName]="DeleteBucketEncryption" and not jevt.value[/errorCode] exists
  output: >-
    A encryption configuration for a bucket has been deleted (requesting user=%jevt.value[/userIdentity/arn], requesting IP=%jevt.value[/sourceIPAddress], AWS region=%jevt.value[/awsRegion], bucket=%jevt.value[/requestParameters/bucketName])
  priority: critical
  tags:
    - cloud
    - source=cloudtrail
    - NIST800_53_AU8
    - aws
    - NIST800_53
  source: k8s_audit
  append: false
  exceptions:
CloudTrail compatibility is achieved in Falco by handling its events as JSON objects, and referring to the event information using JSONPath. Some points to note about this rule:
jevt.value contains the JSON content of the event, and we use it in the condition. Using JSONPath-style paths, we can indicate which parts of the event we want to evaluate. In this case the Falco rule is triggered when the CloudTrail event’s ‘eventName’ is ‘DeleteBucketEncryption’ and the event carries no ‘errorCode’, i.e. the API call actually succeeded rather than being rejected.
The output will provide context information including the requester username and IP address - this is what will be sent through all of the enabled notification channels.
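To make the path-based evaluation concrete, here is an added Python example (not Sysdig or Falco code) that applies this rule’s condition and output template to three constructed CloudTrail records; the sample events, ARNs and IP addresses are made up.

```python
# Constructed sample CloudTrail records (not real events): a successful
# DeleteBucketEncryption call, a rejected one, and an unrelated call.
SAMPLE_EVENTS = [
    {"eventName": "DeleteBucketEncryption", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventName": "DeleteBucketEncryption", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.8", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventName": "GetBucketEncryption", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"bucketName": "example-bucket"}},
]


def jevt_value(event, path):
    """Resolve a jevt.value[/a/b] style path against the event dict.
    Returns None when any segment is missing, which models 'not ... exists'."""
    node = event
    for key in path.strip("/").split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def rule_matches(event):
    """Condition of the 'Delete bucket encryption' rule: the event name
    must match and no errorCode may be present (the call succeeded)."""
    return (jevt_value(event, "/eventName") == "DeleteBucketEncryption"
            and jevt_value(event, "/errorCode") is None)


def rule_output(event):
    """Render the rule's output line with the %jevt.value[...] fields filled in."""
    return ("A encryption configuration for a bucket has been deleted "
            f"(requesting user={jevt_value(event, '/userIdentity/arn')}, "
            f"requesting IP={jevt_value(event, '/sourceIPAddress')}, "
            f"AWS region={jevt_value(event, '/awsRegion')}, "
            f"bucket={jevt_value(event, '/requestParameters/bucketName')})")


def evaluate(events):
    """Return the output lines for every event that triggers the rule."""
    return [rule_output(e) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("CRITICAL", line)
```

Only the first record fires: the second is filtered out by the errorCode check, the third by the event name.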
This rule is one of many that are included out-of-the-box in Sysdig CloudConnector.
Browse to Sysdig Secure, and navigate to ‘Policies > Rules Library’ to see a list of all Falco rules relating to CloudTrail.
Select ‘aws’ from the ‘Select Tags’ list
You will see a list of rules with various tags.
Highlight the rule ‘Delete bucket encryption’ to see the actual Falco rule, and the Sysdig Policy in which it is used, in this case ‘AWS CloudTrail security event’.
You can click on AWS CloudTrail security event to view the Runtime Policy again.
In the next step we’ll go ahead and trigger this rule.