Container Security supports protection on connected Amazon ECS Fargate containers
ImportantYou must connect your Amazon ECS cluster that hosts the Fargate container before
proceeding.
|
You can manually deploy Container Security along with AWS Fargate to your Amazon ECS
container. When deploying Container Security, you should be aware of the
following:
- The container must have internet access.
- Container Security uses
ptrace
to inspect the containers. If you are also usingptrace
, the monitoring may not function correctly. - Container Security enables
pidMode
in the task definition. EnablingpidMode
results in only one ECS Exec session per task. For more information, see Using Amazon ECS Exec for debugging. - Container Security on Fargate requires a minimum of 1 vCPU (1024 CPU units) and 512MiB memory. Follow the AWS task size table to determine the appropriate task size for running Container Security and workloads on Fargate.
- Trend recommends that you input the task definition using the AWS CLI instead of using the CloudFormation template.
Procedure
- In the Trend Vision One console, go to .
- In the tree, click Amazon ECS, locate and click the Fargate cluster in the list.
- Turn on Runtime Security.
- In another browser tab, sign in to the AWS account that hosts the
cluster..
Important
The following AWS instructions and screen captures were valid as of March 25, 2024. For further help, check your AWS documentation. - Configure an Identity and Access Management (IAM) policy that permits Container
Security access to your Fargate container.
- Search for and go to the IAM settings in AWS.
- Click Policies and Create
policy.
- Click JSON, provide the following code, and
click Next.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetParameter" ], "Resource": "arn:aws:ssm:${Region}:${Account}:parameter/V1CS/*" } ] }
Where:-
${Region} - The region where the Fargate container is hosted (for example, us-east-1)
-
${Account} - The AWS account that manages the Fargate container
-
- Specify a unique Policy name (for example:
ContainerSecurityIAMPolicy) and click
Create policy.
- Configure an Identity and Access Management (IAM) role using the newly-created
policy (in the example:
ContainerSecurityIAMPolicy).
- In AWS Identity and Access Management (IAM), click
Roles and click Create
role.
- In the Select trusted entity screen, set the
following and click Next.
-
Trusted entity type: AWS service
-
Service or use case: Elastic Container Service
-
Use case: Elastic Container Service Task
-
- In the Add permissions screen, locate and select
the Container Security policy you created
(ContainerSecurityIAMPolicy) , and click
Next.
- In the Name, review, and create screen, provide a unique name for the role (for example, ContainerSecurityRole) and click Create role.
- In AWS Identity and Access Management (IAM), click
Roles and click Create
role.
- Configure an Amazon Elastic Container Service task definition using the
newly-created role (in the example:
ContainerSecurityRole).
- Search for and go to the Amazon Elastic Container Service settings in AWS.
- Click Task definitions and .
- In the Create new task definition screen,
configure the following settings:
-
Task definition family name: A unique name for the new task definition (for example, ContainerSecurityTaskDefinition
-
Task role: The Container Security role you created (ContainerSecurityRole)
-
Container settings: Specify a container name and the Image URI for the Fargate container that you want Container Security to protect
-
- Click Create.
- Back on the Task definitions table, click the task definition you just created (ContainerSecurityTaskDefinition) and click the latest revision.
- Click the JSON tab and click Download
JSON.
- Download the latest Trend Micro Fargate tools container image from:
- Run the patching tool locally or as part of your CICD process to patch your ECS
Task Definition before uploading to ECS and running.This adds the runtime security application to your ECS task definition. When you run your ECS task, it executes the runtime security application along with your task.Example 1: Input from file and output to file.
docker run -ti \ -v <inputfile_path>:/mnt/input \ -v <outputfile_path>:/mnt/output \ trendmicrocloudone/ecs-taskdef-patcher:x.y.z \ -i /mnt/input/<inputfile_name> \ -o /mnt/output/<outputfile_name>
Example 2: Input from STDIN and output to STDOUT, and set proxy tohttp://10.10.10.10:8080
cat input_file.json | docker run -ti --rm \ trendmicrocloudone/ecs-taskdef-patcher:x.y.z -p http://10.10.10.10:8080
Explanation of execution flagsFlagValueDefaultDescription-ipath/inputfile.nameSTDINInput file name and path, default is STDIN-opath/outputfile.nameSTDOUTOutput file name and path, default is STDOUT-tjson, cloudformationJSONInput and output format, default is json.TheCloudFormation template supports JSON and YAML, but only accepts input from file whose default output format is YAML.-phttp(s)://proxy.fqdn.or.ip:portNo proxyProxy settings for Scout to connect to Container Security-scout-imageregistry/scout@sha254:xxxtrendmicrocloudone/scout@sha256:xxxScout image location-falco-imageregistry/falco@sha254:xxxtrendmicrocloudone/falco@sha256:xxxFalco image location-pdig-imageregistry/pdig@sha254:xxxtrendmicrocloudone/pdig@sha256:xxxpdig image location - Upload and launch your modified ECS Task Definition.
Important
Once you have launched the modified ECS Task Definition file, Runtime Security becomes active. Because Runtime Security is controlled by the task definition file, Container Security cannot verify the status of the feature. The Container Security console may not accurately reflect the status of Runtime Security if you change the task definitions in the future.