Define Container Security managed rulesets to ensure protection for your containers during Runtime Security scanning.

Runtime security provides visibility into container activity that violates a customizable set of rules. Currently, runtime security includes a set of predefined rules that provide visibility into MITRE ATT&CK framework tactics for containers, as well as container drift detection. Container Security can automatically mitigate problems detected by the runtime security feature. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the ruleset assigned to its Container Security policy.
Important
Rulesets are compatible with Kubernetes and Amazon ECS and support Amazon EKS, Microsoft Azure AKS, Google GKE, and OpenShift running supported Linux kernels.

Procedure

  1. Go to Cloud Security > Container Security > Configuration > Object Management.
  2. Click the Managed rulesets tab under Runtime Security Rulesets.
  3. Create a ruleset by clicking +Add.
  4. Specify a unique ruleset name.
    Note
    • Ruleset names must not contain spaces and only support alphanumeric characters, underscores (_), and periods (.).
    • You cannot modify the ruleset name after creating the ruleset.
  5. If you want to provide more details about the purpose for the ruleset, use the Description field.
    The description appears under the ruleset name in the ruleset list.
  6. If you have applied labels to your Kubernetes clusters and want the ruleset to apply only to clusters with corresponding labels, click Add Label.
    1. Specify the Key and Value for each label.
    2. If you have multiple labels that you want to apply the ruleset to, click Add Label again.
    Important
    Labels are only supported on Kubernetes clusters and have no effect on Amazon ECS clusters.
  7. Apply rules to the ruleset by selecting Enabled next to each rule.
    Tip
    To get more information about the attack technique that a rule is designed to prevent, search for the MITRE ID (for example T1021.004) on the MITRE site.
  8. In the Action column, select what action you want Container Security to perform when the rule is violated.
    • Log: Log the event but allow the container to continue running
    • Isolate: Isolate the pod from all network traffic (Kubernetes only)
    • Terminate: Terminate the pod (Kubernetes and ECS with CAM versions above v2.2.3)
    Important
    Starting with CAM for ECS protection v2.2.3, Terminate is supported during Runtime Security for ECS; Isolate defaults to Log mode.
    For CAM for ECS protection versions earlier than v2.2.3, Amazon ECS clusters only support the Log action. If you select Isolate or Terminate and apply the ruleset to an Amazon ECS cluster, Container Security defaults to the Log action.
  9. Click Create ruleset.
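The constraints in the procedure above (ruleset naming rules, label scoping that only affects Kubernetes, and the per-platform fallback of Isolate and Terminate to Log on Amazon ECS) are easy to get wrong when you plan a rollout. The following Python model is an added example written for this page; it is not Trend Micro's code, API or schema. It assumes a hypothetical `Ruleset`/`Cluster` representation, reads "starting with CAM for ECS protection v2.2.3" as version 2.2.3 or later, and uses the page's MITRE ID T1021.004 plus the real MITRE ID T1611 as sample rule identifiers.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of a Container Security managed ruleset (added example,
# not the product's own schema). It encodes the rules stated in the procedure:
#  - ruleset names: no spaces; only alphanumerics, underscores and periods
#  - labels restrict Kubernetes clusters only; they have no effect on ECS
#  - on ECS, Isolate always falls back to Log; Terminate needs CAM >= v2.2.3

RULESET_NAME_RE = re.compile(r"^[A-Za-z0-9_.]+$")
VALID_ACTIONS = {"Log", "Isolate", "Terminate"}
ECS_TERMINATE_MIN_VERSION = (2, 2, 3)  # assumption: "starting with v2.2.3" means >= 2.2.3


def validate_ruleset_name(name: str) -> bool:
    """Return True if the name satisfies the page's naming rules."""
    return bool(name) and RULESET_NAME_RE.fullmatch(name) is not None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v2.2.3' or '2.10.0' into a tuple that compares numerically."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


@dataclass
class Rule:
    mitre_id: str      # MITRE ATT&CK technique the rule maps to, e.g. "T1021.004"
    enabled: bool      # the "Enabled" checkbox from step 7
    action: str        # Log | Isolate | Terminate from step 8


@dataclass
class Ruleset:
    name: str
    description: str = ""
    labels: Dict[str, str] = field(default_factory=dict)   # step 6 key/value labels
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not validate_ruleset_name(self.name):
            raise ValueError(f"invalid ruleset name: {self.name!r}")
        for rule in self.rules:
            if rule.action not in VALID_ACTIONS:
                raise ValueError(f"invalid action {rule.action!r} on {rule.mitre_id}")


@dataclass
class Cluster:
    platform: str                        # "kubernetes" or "ecs"
    labels: Dict[str, str] = field(default_factory=dict)
    cam_version: Optional[str] = None    # CAM for ECS protection version; ECS only


def ruleset_applies(ruleset: Ruleset, cluster: Cluster) -> bool:
    """Labels scope the ruleset on Kubernetes; on ECS they are ignored."""
    if cluster.platform != "kubernetes":
        return True
    # Every label on the ruleset must be present with the same value on the cluster.
    return all(cluster.labels.get(k) == v for k, v in ruleset.labels.items())


def effective_action(rule: Rule, cluster: Cluster) -> str:
    """Resolve what Container Security actually does when this rule fires here."""
    if cluster.platform == "kubernetes":
        return rule.action                      # all three actions are honoured
    if cluster.platform == "ecs":
        if rule.action == "Terminate":
            if cluster.cam_version and parse_version(cluster.cam_version) >= ECS_TERMINATE_MIN_VERSION:
                return "Terminate"
            return "Log"                        # older CAM: Terminate degrades to Log
        return "Log"                            # Isolate is never available on ECS
    raise ValueError(f"unknown platform {cluster.platform!r}")


def plan(ruleset: Ruleset, cluster: Cluster) -> Dict[str, str]:
    """Map each enabled rule to its effective action, or {} if the ruleset is out of scope."""
    if not ruleset_applies(ruleset, cluster):
        return {}
    return {r.mitre_id: effective_action(r, cluster) for r in ruleset.rules if r.enabled}


if __name__ == "__main__":
    # Constructed sample data, not from any real tenant.
    rs = Ruleset(
        name="prod_runtime.v1",
        description="Block lateral movement and isolate escapes",
        labels={"env": "prod"},
        rules=[
            Rule("T1021.004", True, "Terminate"),
            Rule("T1611", True, "Isolate"),
            Rule("T1059", False, "Log"),       # disabled rules never fire
        ],
    )
    for c in (Cluster("kubernetes", {"env": "prod", "team": "pay"}),
              Cluster("kubernetes", {"env": "dev"}),
              Cluster("ecs", cam_version="v2.2.2"),
              Cluster("ecs", cam_version="v2.2.3")):
        print(c.platform, c.labels or c.cam_version, "->", plan(rs, c))
```

Running the module prints, for each constructed cluster, which enabled rules apply and what action will really be taken; the dev Kubernetes cluster gets an empty plan because its labels do not match, and the ECS cluster on CAM v2.2.2 silently degrades both Terminate and Isolate to Log, which is exactly the surprise the Important note warns about.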