AWS customers who want to run CrowdStrike Falcon sensors on the Glean compute workloads (EC2 instances and EKS nodes) should review the following:

General Setup Details

CrowdStrike Falcon sensor installation is performed by the standard Glean deploy process. The customer does not perform the installation and does not need to change the Glean deployment, but must provide Glean with a few details (CrowdStrike credentials, and the ARNs of the secret and KMS key that hold them) so that Falcon is deployed correctly. See the Requirements and Customer Instructions sections below.

Setup Details

For EC2 instances, Glean installs the Falcon sensor directly on the host. For Kubernetes (EKS), Glean uses the Falcon Operator to install the Node Sensor on each node and the Kubernetes Admission Controller.

Requirements

Licensing

CrowdStrike is not hosted by Glean; the Falcon tenant belongs to the customer, and the Glean deployment reports into the customer's CrowdStrike licenses. To monitor a Glean deployment with Falcon sensors, the customer must hold one of the following two licensing options:
  • Option 1: For CrowdStrike’s most comprehensive security capabilities, customers will need both CNAPP and CNAPP with Containers
  • Option 2: For just runtime protection, customers will need both Cloud Runtime Security and Cloud Runtime Security with Containers

Pricing

Because this is reporting back to the customer’s CrowdStrike tenant, the customer is responsible for all billing related matters.

Customer Instructions

Glean requires that the customer perform the following steps:
  1. Add the Glean AWS account to your Falcon console for monitoring. Follow the CrowdStrike documentation for how to do this.
  2. Create CrowdStrike API credentials that the Falcon sensors and the operator will use to communicate with CrowdStrike. These credentials are composed of the following elements:
    1. Client ID
    2. Client Secret
    3. Customer ID (CID)
  3. Grant the API client the Falcon Images Download permission. The Kubernetes components need it to pull the sensor and admission-controller container images from the CrowdStrike registry; no other scope is required for this integration.
  4. Create the Secrets Manager entry (more on this below)
  5. Provide details to Glean (more on this below)

Secret Creation

The Glean deployment needs access to the credentials minted above. To provide them securely, Glean requires that the customer create an AWS Secrets Manager secret in the same region as the Glean deployment. For simplicity, we recommend creating the secret in the same AWS account as the Glean deployment; it can also be placed in a different AWS account (instructions below), which requires a customer managed KMS key and a resource policy on the secret.

Preferred: Secret in the same AWS account as the Glean deployment:

If you are creating a secret in the same AWS account as the Glean deployment, then we recommend that you create a secret that is encrypted with the AWS managed aws/secretsmanager KMS key. Create the secret and proceed to the next section on what the secret value should be.

Secret in a different AWS account than the Glean deployment:

If you are creating the secret in a different AWS account than the Glean deployment, you must first create a customer managed KMS key in the deployment region and apply the following key policy to it (replace the three placeholders with the account ID that owns the key, the Glean deployment account ID, and the deployment region):
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-ID-THAT-THE-KMS-KEY-RESIDES-IN:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow secrets manager use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR-GLEAN-DEPLOYMENT-AWS-ACCOUNT-ID:root"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.DEPLOYMENT-REGION.amazonaws.com"
        }
      }
    }
  ]
}
Granting the deployment account's :root principal delegates the decision to that account's own IAM policies: any principal there whose identity policy allows kms:Decrypt can use the key, but only through Secrets Manager in the named region because of the kms:ViaService condition. The secret itself also needs a cross-account resource policy attached to it (Resource "*" in a secret's own policy refers to that secret). The policy will need to look like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountSecretRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::YOUR-GLEAN-DEPLOYMENT-AWS-ACCOUNT:root"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}
For cross-account secrets, you cannot use the aws/secretsmanager AWS managed key: AWS managed keys can only be used by the account that owns them, and their key policy cannot be edited to grant another account access.

The Secret Contents

The secret value must be a JSON string of the following form (note that there is no trailing comma after the last key; a trailing comma makes the value invalid JSON):
{
    "FALCON_CLIENT_SECRET": "ADD-ME",
    "CUSTOMER_ID": "ADD-ME"
}
You need to embed:
  1. The CrowdStrike Falcon Client Secret for FALCON_CLIENT_SECRET
  2. The Customer ID for CUSTOMER_ID
Once you create the secret, keep note of:
  1. The ARN of the created secret
  2. The ARN of the KMS key that encrypts the secret. You can locate this in the KMS console. For the aws/secretsmanager managed key, look under AWS managed keys in the KMS console to obtain its ARN.
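The whole sequence above (key policy, secret, resource policy, secret value, and the two ARNs to hand to Glean) as one script. This is an added example, not Glean's or CrowdStrike's code; it assumes boto3 and AWS credentials for the account that will hold the secret, and the account IDs, region, secret name and credential values in it are placeholders. validate_secret_string catches the mistakes that silently break the deployment (a trailing comma in the JSON, a value left at ADD-ME, a misspelled or extra key), and verify_readable, run with credentials from the Glean deployment account, confirms that the key policy, the resource policy and the region actually line up before you send the ARNs to Glean.

```python
"""Build and provision the Secrets Manager secret that Glean reads for CrowdStrike Falcon.
Added example, not Glean's or CrowdStrike's code; account IDs, region, secret name and
credential values are placeholders. boto3 is only imported under __main__."""
import json
import re

REQUIRED_SECRET_KEYS = ("CUSTOMER_ID", "FALCON_CLIENT_SECRET")


def _root_principal(account_id):
    """Principal block for an account root; rejects anything that is not a 12-digit account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return {"AWS": f"arn:aws:iam::{account_id}:root"}


def kms_key_policy(key_account_id, deployment_account_id, region):
    """Key policy for a customer managed key held outside the Glean deployment account: the
    deployment account may decrypt, but only via Secrets Manager in the deployment region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": _root_principal(key_account_id), "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow secrets manager use of the key", "Effect": "Allow",
             "Principal": _root_principal(deployment_account_id),
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
             "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}},
        ],
    }


def secret_resource_policy(deployment_account_id):
    """Resource policy on the secret; Resource "*" in a secret's own policy means that secret."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowCrossAccountSecretRead", "Effect": "Allow",
                       "Principal": _root_principal(deployment_account_id),
                       "Action": "secretsmanager:GetSecretValue", "Resource": "*"}],
    }


def build_secret_string(client_secret, customer_id):
    """The secret value in exactly the shape the page requires (json.dumps never emits a trailing comma)."""
    return json.dumps({"FALCON_CLIENT_SECRET": client_secret, "CUSTOMER_ID": customer_id})


def validate_secret_string(secret_string):
    """Return the problems with a candidate secret value; an empty list means Glean can use it."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (a trailing comma after the last key is the usual cause)"]
    if not isinstance(data, dict):
        return ["top-level value must be a JSON object"]
    problems = [f"missing key {k}" for k in REQUIRED_SECRET_KEYS if k not in data]
    problems += [f"unexpected key {k}" for k in sorted(set(data) - set(REQUIRED_SECRET_KEYS))]
    for k in REQUIRED_SECRET_KEYS:
        if k in data and (not isinstance(data[k], str) or data[k] in ("", "ADD-ME")):
            problems.append(f"{k} is empty or still the ADD-ME placeholder")
    return problems


def provision(session, *, secret_name, region, deployment_account_id, client_secret, customer_id,
              key_account_id=None):
    """Create the secret (plus the customer managed key and resource policy when key_account_id is
    a different account). Run with credentials for the account that holds the secret.
    Returns (secret_arn, kms_key_arn), the two ARNs Glean asks for."""
    sm = session.client("secretsmanager", region_name=region)
    kms = session.client("kms", region_name=region)
    args = {"Name": secret_name, "SecretString": build_secret_string(client_secret, customer_id)}
    cross_account = key_account_id not in (None, deployment_account_id)
    if cross_account:
        policy = json.dumps(kms_key_policy(key_account_id, deployment_account_id, region))
        key = kms.create_key(Description="Glean CrowdStrike Falcon credentials", Policy=policy)
        kms_key_arn = args["KmsKeyId"] = key["KeyMetadata"]["Arn"]
    else:
        # Same account: the default aws/secretsmanager key is used, but Glean still needs its ARN.
        kms_key_arn = kms.describe_key(KeyId="alias/aws/secretsmanager")["KeyMetadata"]["Arn"]
    secret_arn = sm.create_secret(**args)["ARN"]
    if cross_account:
        sm.put_resource_policy(SecretId=secret_arn,
                               ResourcePolicy=json.dumps(secret_resource_policy(deployment_account_id)))
    return secret_arn, kms_key_arn


def verify_readable(session, secret_arn, region):
    """Run with credentials for the Glean deployment account: a successful read proves the key policy,
    the resource policy and the region all line up; the returned list flags problems in the value."""
    sm = session.client("secretsmanager", region_name=region)
    return validate_secret_string(sm.get_secret_value(SecretId=secret_arn)["SecretString"])


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and credentials for the secret's account configured

    secret_arn, key_arn = provision(
        boto3.Session(), secret_name="glean/crowdstrike-falcon", region="us-east-1",
        deployment_account_id="222222222222", key_account_id="111111111111",
        client_secret="REPLACE-WITH-FALCON-CLIENT-SECRET", customer_id="REPLACE-WITH-CUSTOMER-ID")
    print("Secret ARN and KMS key ARN to send to Glean:", secret_arn, key_arn)
    # Then, with a session for account 222222222222: verify_readable(session, secret_arn, "us-east-1")
```

Omit key_account_id for the same-account case; provision then leaves the secret on the aws/secretsmanager key and only looks up that key's ARN. A non-empty list from verify_readable, or an AccessDeniedException from it, is the signal to fix the policies before handing the ARNs to Glean.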

Provide Glean with Details

After you have completed all the customer steps above, the last step is to provide the desired CrowdStrike deployment details to Glean. The following details need to be sent over:
  1. The Client ID for the credentials.
  2. The ARN of the Secrets Manager Secret that was created above.
  3. The ARN of the KMS key that encrypted the Secrets Manager Secret that was created above.
  4. An optional comma-separated list of Tags that you would like to have applied to CrowdStrike deployments.
  5. An optional "version decrement" for EC2 instances. By default, this value is 0. Glean deploys the latest Falcon sensor release minus the decrement; for example, a decrement of 2 deploys the release that is two versions old. See the CrowdStrike documentation for details.
  6. An optional Kubernetes Falcon auto-update strategy. By default, this is set to normal, but it can also be set to off or force. See the CrowdStrike documentation for details.
  7. An optional Kubernetes Falcon update policy string. This is the name of the Falcon Linux sensor update policy configured in the Falcon UI. When set, that policy determines which Falcon sensor version is installed. It is unset by default. See the CrowdStrike documentation for details.