Call a Specialist Today! 800-886-5369

CrowdStrike Falcon for AWS
Maximize Protection of Amazon Web Services (AWS) Workloads

Falcon for AWSThe advent of cloud technologies brings the opportunity to store, process and distribute vast quantities of data at the push of a button. Amazon Web Services (AWS) has been at the forefront of making this a reality. Organizations are increasingly moving mission-critical applications and data into AWS and taking advantage of the massive compute power of Amazon EC2.

Many of today’s organizations maintain environments that are a combination of on-premises, virtual, and public cloud data center solutions, but such environments are dynamic and can pose unique security problems. The ability to scale compute power elastically and ephemerally within EC2 brings with it tremendous operational and business gains, however, practical security considerations are critical. Gaining comprehensive visibility and insight are key to maintaining an adequate security posture, but doing so is not without challenges:

What makes Falcon Discover for AWS unique?

An integral part of the CrowdStrike platform, Falcon Discover for AWS extends visibility over all EC2 instances, enabling security professionals to more quickly identify and stop threats:

EC2 Visibility Transformed

The CrowdStrike Falcon platform for AWS provides extensive and detailed visibility over EC2 instances, helping improve an organization’s overall security posture. It quickly enumerates existing EC2 instances in one centralized view, allowing you to immediately identify security gaps. Rich AWS-specific context is presented to allow for timely triaging and response to security events on EC2 instances.

Breach Protection for AWS Workloads



Continuous and comprehensive workload monitoring, including container visibility, ensuring nothing is missed and stealthy attacks can be stopped.



Protect against breaches with unparalleled coverage. Defend against threats from malware to the most sophisticated attacks.



Built in the cloud for the cloud. Reduces the overhead, friction and complexity associated with protecting cloud workloads.



Enable cloud security to keep up with the dynamic and flexible nature of AWS workloads.

Built in the Cloud to Protect the Cloud

Unrivalled Visibility

  • Full EDR prevents silent failure by capturing raw events for complete visibility
  • Visibility into incidents involving containers with process trees showing container IDs
  • Full attack visibility provides details, context and history for every alert
  • Event details and a full set of enriched data is continuously available, even for ephemeral and decommissioned workloads
  • Rogue instance detection
  • Extensive AWS visibility: Environment, accounts and instances

EC2 and Container Protection

  • Machine Learning and AI protects against known and zero-day malware
  • Protection against prevalent cloud workload threats like web shells, SQL shells and credential theft
  • Behavior-based indicators of attack (IOAs) detect sophisticated attacks such as fileless and malware-free
  • Exploit protection and blocking
  • Delivers container security through a single agent running on the node that protects the instance itself as well as all containers running on it

Simplicity and Performance

  • Works everywhere: EC2 instances, ECS & EKS containers, Windows, Linux, Amazon Linux
  • One console provides central visibility over cloud workloads regardless of location
  • No reboots — No signatures — No scan storms — No disruption
  • Lightweight — Operates with only a tiny footprint on the host and Zero impact on runtime performance even when analyzing, searching and investigating
  • Automatically kept up to date with SaaS delivery
  • Complete policy flexibility — apply at individual server, group or data center level

Seamless Automation

  • Automatic detection of attacker behavior with prioritized alerts and severity eliminates time-consuming manual searches and assessments
  • Integration with CI/CD deployment workflows
  • Powerful APIs enable automation of all functional areas including detection, management, response and intelligence
  • Scales as cloud workloads expand — no need for additional infrastructure
  • Integrates to AWS Security Hub for centralized management of threat alerts from AWS services

Real-Time Visibility and Control of your Amazon EC2 Instances

CrowdStrike Falcon Discover™ for AWS provides extensive and detailed visibility over EC2 instances. It quickly enumerates existing EC2 deployments across all regions (including instances without the Falcon agent installed) and subsequently monitors cloud trail logs for any modifications to the environment. The data captured is presented in a dashboard in the Falcon Management Console, allowing users to quickly identify all EC2 assets running across all AWS accounts and regions in one centralized view. This dashboard will also highlight instances that do not have Falcon installed, allowing customers to quickly identify security gaps. In addition, rich AWS-specific context will be presented to allow for timely triaging and response to security events on EC2 instances.

Use Case: Gain Additonal Context Surrounding Alerts

Challenge: Typically, Amazon EC2 instances are running critical applications. When responding to an alert, analysts need a more complete picture of the impacted system.

Solution: In the Falcon detections app, you can identify an alert on a server, drill into the alert, pivot into host details and highlight all the AWS information that’s available, for example:

  • Who is the account owner of this system?
  • Is this system internet accessible?
  • Does it have IAM roles applied with elevated privileges?
  • Is it on the same VPC as other critical assets?
  • What are the rules of the security group associated with this instance?

Armed with this information, you can take the appropriate action to deal with the alert.

Benefit: The ability to make the appropriate triage and remediation actions based on complete information leads to accurate and faster decisions. This ensures that business operations are not negatively impacted and that an advanced persistent threat (APT) doesn’t have time to spread laterally.

Use Case: Finding Unprotection Amazon EC2 Instances

Challenge: Organizations can quickly deploy instances, however, their ephemeral nature can make it difficult to quickly and efficiently discover all EC2 instances and identify unprotected / unmanaged assets.

Solution: Falcon Discover for AWS quickly enumerates existing EC2 deployments across all regions — including instances without the Falcon sensor installed — and subsequently monitors cloud trail logs for any modifications to the environment. This allows you to:

  • Drill into unmanaged instances and use a tag to filter on all “prod” servers that are currently unprotected
  • Use filtered data to create a report and export it
  • Send that information to infrastructure teams to resolve identified security gaps
  • Filter the information based on account names to generate reports and track how security posture is trending for different account owners

Benefit: The ability to quickly and efficiently identify unprotected / unmanaged EC2 instances allows them to be put them under management by installing the Falcon agent as needed.

Use Cases: Monitor and Search Metadata to Improve Security Posture

Challenge: It can be difficult to ensure consistency across EC2 instances and their respective security groups. For example, how can you know with certainty the specific EC2 instances that are permitting remote desktop protocol (RDP)?

Solution: Using the Falcon Discover for AWS dashboard allows you to:

  • See AWS-specific metadata including, Instance ID, Instance Type, State, Region, AZ, Security Groups, Subnets, AMI Id, Tags and more
  • Drill into security groups
  • Filter for those groups with internet access Identify, filter and make changes to any group or EC2 instance in security groups that permit RDP
  • See both CrowdStrike and AWS information in the same host dashboard

Benefit: The ability to quickly and effectively access AWS-specific metadata in real time and in one console gives analysts the information and confidence they need to take the appropriate corrective actions.

Use Case: Review Rate of EC2 Launched Over Time

Challenge: Given the ease of deployment and the ability to scale, it can be difficult to get an overview and track the rate at which EC2 Instances are being launched.

Solution: Using the Falcon Discover for AWS dashboard allows you to:

  • See what EC2 instances have been launched by day, week or month
  • Review the rate at which EC2 instances are being launched across all accounts and then drill into specific accounts

Benefit: The ability to quickly and effectively track EC2 instance launches in one dashboard and drill into specific accounts as needed offers both the overview and details analysts need.

CrowdStrike Integration with AWS Security Hub


Download the CrowdStrike Falcon for AWS Datasheet (.PDF)