
Uncovering Sensitive Data with Sysdig and Bedrock Data: A Technical Deep Dive
This blog walks through how the Sysdig and Bedrock Security integration works under the hood, why its architecture is distinct, and what advantages it provides over traditional discovery models.
Praveen Yarlagadda
Founding Engineer
Sysdig and Bedrock Data have built a deep integration designed to uncover sensitive data with precision, and do so without adding friction to security or operations teams. This blog walks through how the integration works under the hood, why its architecture is distinct, and what advantages it provides over traditional discovery models.
Architectural Overview
Here’s a visual breakdown of how the integration works:
[Figure: Bedrock Data & Sysdig Integration]
| Owner | Responsibility |
|---|---|
| Sysdig | Sysdig Secure orchestrates enablement, customer coordination, and visualization of findings, embedding sensitive data into its existing graph of misconfigurations, runtime events, and vulnerabilities. |
| Customer | Customer cloud infrastructure account hosts Bedrock scanners deployed via CloudFormation (or equivalent) templates. These scanners operate entirely within the customer’s environment, adhering to least-privilege IAM (identity and access management) policies. |
| Bedrock Data | The Bedrock Data Platform contains the Metadata Lake, the Graph API, and the tenant and scan services, and classifies sensitive data using contextual logic rather than basic pattern matching. |
| Sysdig | Sysdig Connector provides the feedback loop, securely transmitting classified findings from Bedrock back into Sysdig’s workflows. |
Unlike legacy discovery tools that often pull raw data into central processing, Bedrock’s metadata-only architecture and serverless scanning design eliminate data exfiltration risk. Sensitive data never leaves the customer’s account; only metadata and classification results are transmitted. This supports stringent compliance requirements for regulated industries like finance and healthcare.
How the Integration Works
The process begins when a Sysdig customer opts into the integration. Sysdig initiates the workflow by calling Bedrock’s Graph API to provision a tenant in Bedrock’s platform. This tenant is logically isolated: each customer’s metadata, scan configurations, and findings remain completely separate from others.
Once provisioned, Sysdig works with the customer to identify the AWS accounts and regions to include in the scans. Bedrock generates CloudFormation templates and IAM roles tailored for least-privilege deployment, ensuring scanners have access only to metadata — not to the underlying data itself.
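To make the least-privilege point concrete, here is an added example that audits an IAM policy document for a scanner role and flags any statement that would let the role read data-store contents rather than metadata. This is not Sysdig's or Bedrock's code and not the generated templates; the two policy documents, the list of data-plane actions, and the function names are constructed for illustration.

```python
"""Audit an IAM policy document for a metadata-only scanner role.

Added example, not Bedrock's or Sysdig's code. The policy documents below are
constructed for illustration; the set of data-plane actions is an assumption
chosen to illustrate the check, not an exhaustive list.
"""
import fnmatch
import json

# Actions that read the contents of a data store rather than its metadata.
# Assumption: a reviewer would extend this list for the services in scope.
DATA_PLANE_ACTIONS = (
    "s3:GetObject",
    "s3:GetObjectVersion",
    "rds-data:ExecuteStatement",
    "dynamodb:GetItem",
    "dynamodb:Scan",
    "dynamodb:Query",
)

# Constructed policy: lists buckets and describes databases, reads no contents.
METADATA_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeDataStores",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketTagging",
                "rds:DescribeDBInstances",
                "rds:ListTagsForResource",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed policy: a wildcard that silently grants object reads.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ScannerAccess",
            "Effect": "Allow",
            "Action": ["s3:*", "rds:Describe*"],
            "Resource": "*",
        }
    ],
}


def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_scanner_policy(policy: dict) -> list:
    """Return findings; an empty list means only metadata access is granted."""
    findings = []
    for idx, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        for pattern in _as_list(stmt.get("Action")):
            if pattern in ("*", "*:*"):
                findings.append(f"{sid}: grants all actions via '{pattern}'")
                continue
            # IAM action names are case-insensitive and may use '*' wildcards.
            for action in DATA_PLANE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append(
                        f"{sid}: '{pattern}' permits data-plane action {action}"
                    )
        if stmt.get("NotAction") is not None:
            findings.append(f"{sid}: uses NotAction, which grants everything not listed")
    return findings


if __name__ == "__main__":
    for name, policy in (("metadata-only", METADATA_ONLY_POLICY),
                         ("overly-broad", OVERLY_BROAD_POLICY)):
        print(name, json.dumps(audit_scanner_policy(policy), indent=2))
```

Run the audit against the role in a deployed template before approving it; a clean result for the first policy and two findings for the second (both from the `s3:*` wildcard) is the expected outcome.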
After deployment, Bedrock enumerates supported cloud data stores, such as S3, RDS, and GCS, and collects metadata describing object names, schemas, and usage patterns. This process uses adaptive sampling to scale across large, dynamic environments without consuming excessive resources or requiring agents.
Only the metadata is streamed to Bedrock’s platform, where custom, fine-tuned AI models are applied to distinguish between test data and production PII, or to recognize sensitive content embedded in backups, reducing false positives compared with regex-only tools.
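The difference between a pattern match and a contextual classification can be illustrated with a deliberately simplified, rule-based classifier. This is an added example, not Bedrock's models or pipeline; the sample records, paths, tags, the set of well-known test card numbers and the confidence scheme are assumptions for illustration. It shows two things a regex-only tool gets wrong: a Luhn check discards digit runs that are not valid PANs, and record context (test tags, fixture paths, known sandbox numbers) downgrades findings, while each reported finding carries only the data class and a masked value rather than the matched content.

```python
"""Simplified, rule-based illustration of context-aware PAN classification.

Added example; not Bedrock's classifier. All sample records, paths and tags
below are constructed, and the rules are assumptions chosen for illustration.
"""
import re

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Widely published sandbox card numbers (assumption: a real classifier would
# carry a much larger list and learn context instead of hard-coding it).
TEST_PANS = {"4111111111111111", "4242424242424242", "5555555555554444"}


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _looks_like_test_data(digits: str, context: dict) -> bool:
    """Context signals that mark a record as test rather than production data."""
    tags = {t.lower() for t in context.get("tags", [])}
    path = context.get("path", "").lower()
    return (
        digits in TEST_PANS
        or "env:test" in tags
        or any(marker in path for marker in ("/test/", "/fixtures/", "/sample/"))
    )


def classify_record(text: str, context: dict) -> list:
    """Classify candidate PANs in `text` using the record's metadata `context`.

    Each finding carries the data class, a confidence and a masked value only;
    the matched content itself is never included in the result.
    """
    findings = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            # A regex-only tool would report this; the checksum rules it out.
            continue
        test_data = _looks_like_test_data(digits, context)
        findings.append({
            "dataClass": "Credit Card PAN",
            "confidence": "low" if test_data else "high",
            "reason": ("known test value or test context" if test_data
                       else "valid PAN in production context"),
            "masked": "*" * (len(digits) - 4) + digits[-4:],
            "path": context.get("path", ""),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample records: a production backup, a CI fixture, a log line.
    SAMPLES = [
        ("customer_id=42,card=4532015112830366",
         {"path": "s3://prod-billing-backup/2024/dump.csv", "tags": ["env:prod", "backup"]}),
        ("card=4111 1111 1111 1111",
         {"path": "s3://ci-artifacts/fixtures/cards.json", "tags": ["env:test"]}),
        ("order_ref=1234567890123456 shipped",
         {"path": "s3://prod-logs/app.log", "tags": []}),
    ]
    for text, ctx in SAMPLES:
        print(ctx["path"], "->", classify_record(text, ctx))
```

The production backup yields one high-confidence finding, the CI fixture yields a low-confidence one (both a known sandbox number and a fixtures path), and the order reference yields nothing because it fails the checksum.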
Once analysis is complete, classified findings are pushed back to Sysdig Secure via REST APIs. Security teams can then view sensitive data risks directly in Sysdig, correlate them with runtime signals, and enforce policies without switching tools.
Technical Benefits
For security engineering and operations teams, the integration offers several tangible advantages:
| Advantage | Description |
|---|---|
| Automated Sensitive Data Discovery | Continuous, in-place scanning ensures new data stores and snapshots are analyzed without manual intervention or data movement. |
| Direct Policy Enforcement in Sysdig | Findings integrate with Sysdig’s runtime controls, enabling immediate actions — like blocking access or generating compliance evidence. |
| Least-Privilege Deployment | IAM roles and artifacts follow strict least-privilege principles, minimizing blast radius and simplifying audits. |
| AI-Powered Classification | Bedrock applies context-aware detection rather than relying solely on static patterns. |
| Unified Risk Modeling | Findings flow into Sysdig’s risk graph, correlating with vulnerabilities, misconfigurations, and runtime anomalies to prioritize true business risks. |
| Query via SysQL | Teams can create custom automated queries for sensitive data, like identifying exposed PCI data or AI workloads with sensitive access. The query below, for example, returns exposed cloud resources in the pci-dev zone that contain credit card PANs. |

```
MATCH CloudResource IN Zone
WHERE CloudResource.isExposed = true AND Zone.name IN ['pci-dev']
MATCH CloudResource CONTAINS SensitiveData
WHERE SensitiveData.dataClass IN ['Credit Card PAN']
RETURN DISTINCT CloudResource, Zone, SensitiveData
LIMIT 50;
```
Getting Started
Enabling the integration is straightforward:
- Request activation through your Sysdig account team.
- Define AWS targets for scanning.
- Deploy Bedrock artifacts (CloudFormation templates and IAM roles).
- View sensitive data findings directly within the Sysdig Secure console.
Conclusion
The Sysdig–Bedrock integration unifies runtime security and data sensitivity awareness in a single workflow. By leveraging metadata-driven scanning and a serverless architecture, it delivers precision that traditional discovery tools can’t match, all while reducing operational overhead. For teams operating in fast-moving, multi-account cloud environments, this integration provides a scalable, secure, and technically sound path to uncovering and protecting sensitive data.
Next Steps
Request a demo of the Sysdig–Bedrock integration.