A standalone CrowdStrike sensor image synchronization system for AWS ECR.
This system monitors CrowdStrike's registry for new sensor versions and synchronizes them to AWS ECR repositories across multiple regions. It supports all CrowdStrike sensor types and provides a complete CLI interface for image management operations.
- Multi-sensor support: falcon-sensor, falcon-container, falcon-kac
- Multi-region deployment: us-1, us-2, us-gov-1
- OAuth2 authentication with CrowdStrike API
- Auto-region discovery for optimal API performance
- Docker credential management with retry logic
- Dry-run mode for safe testing
- Comprehensive logging and error handling
- ECR lifecycle management
- 🔐 Advanced Security: Automatic credential scrubbing prevents sensitive data from appearing in logs
- 🛡️ AWS Secrets Manager: Secure credential storage with rotation support
The easiest way to get started is with the interactive setup script:

```bash
./setup-credentials.sh
```

This will:
- Guide you through CrowdStrike and AWS configuration
- Store your CrowdStrike API credentials securely in AWS Secrets Manager
- Test the credentials and connectivity
- Generate a complete configuration file at `~/.cs-image-sync.yaml`
For detailed instructions, see CREDENTIAL-SETUP.md.
```bash
# Test configuration
cs-image-sync config validate

# Test system connectivity
cs-image-sync validate

# List available sensor versions
cs-image-sync list-versions

# Dry run (recommended first)
cs-image-sync sync-images --dry-run

# Live sync
cs-image-sync sync-images
```

If you need custom configuration beyond what the setup script provides:
- Start with the setup script: `./setup-credentials.sh` (sets up credentials securely)
- Customize the configuration: edit `~/.cs-image-sync.yaml` or create a custom config
- Use the custom config: `cs-image-sync -c /path/to/custom-config.yaml`
See config-sample.yaml and examples in docs/examples/ for configuration options.
```bash
pip install -e .
```

The system includes comprehensive security features:
- 🔐 Automatic Log Scrubbing: Prevents credentials from appearing in logs
- 🛡️ Secrets Manager Integration: Secure credential storage in AWS
- 🔒 Multi-layer Protection: Security at logging, display, and storage levels
- 🧪 Validated Security: Comprehensive test suite ensures protection
For detailed security information, see SECURITY.md.
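The log-scrubbing layer described above, as an added illustration that is not the project's own code: a `logging.Filter` that renders each record and redacts credential-shaped values (client secrets, Authorization headers, AWS access key IDs) before a handler writes them. The regexes and sample values are constructed for this example; the project's actual rules live in its SECURITY.md.

```python
import logging
import re

# Constructed for this example: patterns for values that must never reach a log.
# The project's own scrubber (see SECURITY.md) may use different rules.
_SECRET_PATTERNS = [
    # key=value or "key": "value" for known credential field names
    (re.compile(r'(?i)(client_secret|client_id|aws_secret_access_key|'
                r'aws_access_key_id|password|token)(["\']?\s*[=:]\s*["\']?)([^\s"\',}]+)'),
     r'\1\2[REDACTED]'),
    # HTTP Authorization header values ("Bearer <jwt>", "Basic <base64>")
    (re.compile(r'(?i)\b(bearer|basic)\s+[A-Za-z0-9._~+/=-]+'), r'\1 [REDACTED]'),
    # AWS access key IDs: 4-char prefix followed by 16 uppercase alphanumerics
    (re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b'), '[REDACTED-AWS-KEY]'),
]

def scrub(text: str) -> str:
    """Return text with credential values replaced by placeholders."""
    for pattern, replacement in _SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class CredentialScrubbingFilter(logging.Filter):
    """Render the message with its %-args first, then scrub the rendered text,
    so a secret passed as an argument is caught too. Attach to the handler:
    handler filters also see records propagated from child loggers."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = None  # already rendered; prevents a second % formatting
        return True

def scrubbed_message(template: str, *args) -> str:
    """Build a LogRecord, run it through the filter and return the rendered text."""
    record = logging.LogRecord("cs-image-sync", logging.INFO, "example.py", 0, template, args, None)
    CredentialScrubbingFilter().filter(record)
    return record.getMessage()

def build_logger(name: str = "cs-image-sync") -> logging.Logger:
    """Logger whose stream handler scrubs every record before it is written."""
    logger = logging.getLogger(name)
    handler = logging.StreamHandler()
    handler.addFilter(CredentialScrubbingFilter())
    handler.setFormatter(logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger
```

Pattern-based scrubbing is a last line of defence: it only catches value shapes it knows about, so the filter does not replace keeping secrets out of log calls in the first place. Exception tracebacks (`exc_info`) are not scrubbed by this filter.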
The security system is automatically tested as part of the main test suite:
```bash
# Run the test suite (includes security tests)
pytest tests/
```

Recommended: use the setup script to create your configuration:

```bash
./setup-credentials.sh
```

This creates a configuration file at `~/.cs-image-sync.yaml`:
```yaml
crowdstrike:
  # Secure credential storage (recommended)
  use_secrets_manager: true
  secret_name: "crowdstrike-api-credentials-us-1"
  cloud: "us-1"  # us-1, us-2, us-gov-1
  # Alternative: Direct credentials (NOT recommended for production)
  # client_id: "your_client_id"
  # client_secret: "your_client_secret"

aws:
  region: "ca-central-1"  # Update to your preferred region
  profile: "solar-lab"    # Optional: AWS profile to use

sync:
  sensor_types:
    - falcon-sensor
    - falcon-container
    - falcon-kac
  retention_days: 30
  max_images_per_type: 2  # Keep only 2 most recent versions per sensor type

logging:
  level: INFO
  format: "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
```

```bash
# List available sensor versions
cs-image-sync list-versions

# Sync all images (dry-run)
cs-image-sync sync-images --dry-run

# Sync specific sensor type
cs-image-sync sync-images --sensor-type falcon-sensor

# Cleanup old images
cs-image-sync cleanup --retention-days 30

# Show configuration
cs-image-sync config show
```

Set up AWS credentials via:
- AWS CLI (`aws configure`)
- Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
- IAM roles (for EC2/ECS deployment)

CrowdStrike credentials can be provided via:

- AWS Secrets Manager (recommended): set up with `./setup-credentials.sh`
- Configuration file (not recommended for production)
- Environment variables (`CS_CLIENT_ID`, `CS_CLIENT_SECRET`)
```bash
# Install development dependencies
pip install -e ".[dev]"

# Run tests
pytest

# Format code
black cs_image_sync/

# Type checking
mypy cs_image_sync/
```

The application can be containerized for deployment in orchestrated environments:
```bash
# Build the Docker image
docker build -t cs-image-sync .

# Run with local config
docker run -v ~/.aws:/home/csync/.aws \
  -v $(pwd)/config-sample.yaml:/app/config.yaml \
  cs-image-sync \
  cs-image-sync -c config.yaml sync-images --dry-run

# Deploy as Kubernetes CronJob
kubectl apply -f k8s-cronjob.yaml
```

Perfect for:

- Kubernetes CronJobs: scheduled synchronization
- AWS ECS Tasks: serverless execution
- CI/CD Pipelines: automated deployments
MIT License