By default, Container Security uses a Lambda function to automatically patch ECS Fargate task definitions at runtime. Automatic patching can be disabled so that task definitions can be configured manually with the required security containers and settings.
Prerequisites
- An Amazon ECS Fargate cluster connected to TrendAI Vision One™.
- Runtime security enabled for the ECS cluster in the TrendAI Vision One™ console.
- IAM permissions to create and modify ECS task definitions and IAM roles.
- An ECS task execution role with permissions to pull container images and write to CloudWatch Logs.
Note: If the execution role does not have the logs:CreateLogGroup permission, pre-create the CloudWatch log group before deploying the task definition (as shown in the Terraform example in Step 3).
Step 1: Disable automatic patching
For existing deployments
In the AWS Lambda console, update the environment variable DISABLE to the value true to prevent the trendmicro-container-security-ecs-taskdef-patcher function from automatically patching task definitions.
For new AWS account deployments
Before deploying the Container Security stack from the TrendAI Vision One™ console, modify the CloudFormation template so that the default value of the EnableAutomatedFargatePatching parameter is false, then deploy the stack using the modified template.
Step 2: Obtain the current container image versions
The container image versions must match the versions specified in the Container Security deployment template. The latest CloudFormation template can be downloaded from the TrendAI Vision One™ console. The corresponding versions can also be read from the template that is already deployed.
Locate the following default values in the template:
- CloudPdigVersion
- CloudScoutVersion
- CloudFalcoVersion
Step 3: Create or update the task definition
The manual patching process requires several specific configurations to ensure Container Security works correctly. The Terraform example below contains all the necessary settings.
Configuration requirements
The following settings are required:
- PID mode (task): Allows the security container to monitor application processes across the whole task.
- Shared volume (trendmicro-component): Allows the init containers to copy the binaries that the runtime security container executes.
- SYS_PTRACE capability: Required by both the application container and the security container to enable process tracing and security monitoring.
- Container dependencies: Ensure the security container starts before the application, and that the containers start in the correct order.
- Health check: Marks the task as healthy only after confirming that the security components are running.
- IAM permissions: Allow the security container to retrieve the authentication token from AWS Secrets Manager and SSM Parameter Store and to report security events.
TrendAI Vision One™ endpoint configuration
Replace the <VISION_ONE_ENDPOINT> value in the Terraform code with the value that matches your TrendAI Vision One™ region:

| Region | Endpoint URL |
| --- | --- |
| Americas | https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs |
| Europe | https://api.eu.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs |
| Japan | https://api.xdr.trendmicro.co.jp/external/v2/direct/vcs/external/vcs |
| Australia | https://api.au.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs |
| India | https://api.in.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs |
| Singapore | https://api.sg.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs |
| Middle East and Africa | https://api.mea.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs |
Terraform example
# Data sources to get current AWS region and account ID
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Variables
variable "log_group" {
  description = "CloudWatch log group name for ECS containers"
  type        = string
  default     = "/ecs/your-task-definition-family-name"
}

variable "cluster_name" {
  description = "Name of your existing ECS cluster"
  type        = string
  default     = "your-cluster-name"
}

variable "execution_role_arn" {
  description = "ARN of the existing ECS task execution role"
  type        = string
}

# Pre-create CloudWatch log group
resource "aws_cloudwatch_log_group" "ecs_logs" {
  name              = var.log_group
  retention_in_days = 7
  tags = {
    Name        = "ECS Task Logs"
    ManagedBy   = "Terraform"
    Application = "Vision One Container Security"
  }
}

resource "aws_ecs_task_definition" "this" {
  family                   = "your-task-definition-family-name"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "512"
  memory                   = "1024"

  # Task role - for runtime permissions (SSM, Secrets Manager, ECS TagResource)
  task_role_arn = aws_iam_role.container_security_role.arn
  # Execution role - for pulling images and writing logs
  execution_role_arn = var.execution_role_arn

  # Required for Vision One Container Security
  pid_mode = "task"
  volume { name = "trendmicro-component" }

  container_definitions = jsonencode([
    # Your application container
    {
      name      = "your-app"
      image     = "your-app-image:tag"
      essential = true
      # Application must depend on security container and have SYS_PTRACE capability
      dependsOn       = [{ condition = "START", containerName = "trendmicro-security" }]
      linuxParameters = { capabilities = { add = ["SYS_PTRACE"] } }
      logConfiguration = {
        logDriver = "awslogs",
        options = {
          "awslogs-group"         = var.log_group,
          "awslogs-create-group"  = "true",
          "awslogs-region"        = data.aws_region.current.id,
          "awslogs-stream-prefix" = "ecs"
        }
      }
    },
    # Vision One Container Security: Init container for PDIG
    {
      name       = "trendmicro-init-pdig"
      image      = "public.ecr.aws/trendmicro/container-security/cloud-pdig:<CloudPdigVersion>"
      essential  = false
      user       = "0" # Required for FIPS images - runs as root to write to shared volume
      entryPoint = ["/bin/sh"]
      command    = ["-c", "set -e; attempt=0; until [ $attempt -ge 3 ]; do attempt=$((attempt+1)); if timeout 30 sh -c 'cp -fv /usr/bin/pdig /var/TrendMicro/ && cp -fv /*.sh /var/TrendMicro/'; then exit 0; fi; sleep 2; done; exit 1"]
      mountPoints = [{ sourceVolume = "trendmicro-component", containerPath = "/var/TrendMicro/" }]
      logConfiguration = {
        logDriver = "awslogs",
        options = {
          "awslogs-group"         = var.log_group,
          "awslogs-create-group"  = "true",
          "awslogs-region"        = data.aws_region.current.id,
          "awslogs-stream-prefix" = "ecs"
        }
      }
    },
    # Vision One Container Security: Init container for Scout
    {
      name       = "trendmicro-init-scout"
      image      = "public.ecr.aws/trendmicro/container-security/cloud-scout:<CloudScoutVersion>"
      essential  = false
      user       = "0" # Required for FIPS images - runs as root to write to shared volume
      entryPoint = ["/bin/sh"]
      command    = ["-c", "set -e; attempt=0; until [ $attempt -ge 3 ]; do attempt=$((attempt+1)); if timeout 30 sh -c 'cp -fv /*.sh /var/TrendMicro/ && cp -fv /service /var/TrendMicro/ && cp -fv /ecs_entry /var/TrendMicro/ && cp -fv /MQTT_config.yaml /var/TrendMicro/ && chmod -v 755 /var/TrendMicro/*.sh'; then exit 0; fi; sleep 2; done; exit 1"]
      mountPoints = [{ sourceVolume = "trendmicro-component", containerPath = "/var/TrendMicro/" }]
      dependsOn   = [{ condition = "SUCCESS", containerName = "trendmicro-init-pdig" }]
      logConfiguration = {
        logDriver = "awslogs",
        options = {
          "awslogs-group"         = var.log_group,
          "awslogs-create-group"  = "true",
          "awslogs-region"        = data.aws_region.current.id,
          "awslogs-stream-prefix" = "ecs"
        }
      }
    },
    # Vision One Container Security: Runtime security container
    {
      name       = "trendmicro-security"
      image      = "public.ecr.aws/trendmicro/container-security/cloud-falco:<CloudFalcoVersion>"
      essential  = false
      user       = "0" # Required - runs as root for PDIG and Falco operations
      entryPoint = ["/bin/sh"]
      command    = ["-c", "cp -f /var/TrendMicro/* / && /start_ecs_fargate.sh"]
      # Environment variables - adjust VISION_ONE_ENDPOINT for your region
      environment = [
        { name = "PARAMETER_PREFIX", value = "/V1CS" },
        { name = "SPC_MODE", value = "false" },
        { name = "FILE_INTEGRITY_MONITORING", value = "true" },
        { name = "VISION_ONE_ENDPOINT", value = "<VISION_ONE_ENDPOINT>" },
        { name = "LOG_LEVEL", value = "info" }
      ]
      dependsOn = [
        { condition = "SUCCESS", containerName = "trendmicro-init-pdig" },
        { condition = "SUCCESS", containerName = "trendmicro-init-scout" }
      ]
      mountPoints     = [{ sourceVolume = "trendmicro-component", containerPath = "/var/TrendMicro/", readOnly = true }]
      linuxParameters = { capabilities = { add = ["SYS_PTRACE"] } }
      # Health check ensures security components are running properly
      healthCheck = {
        command     = ["CMD-SHELL", "pgrep -f falco >/dev/null && pgrep -f '/service.*grpc-socket-path' >/dev/null || exit 1"]
        interval    = 30
        timeout     = 5
        retries     = 3
        startPeriod = 60
      }
      logConfiguration = {
        logDriver = "awslogs",
        options = {
          "awslogs-group"         = var.log_group,
          "awslogs-create-group"  = "true",
          "awslogs-region"        = data.aws_region.current.id,
          "awslogs-stream-prefix" = "ecs"
        }
      }
    }
  ])
}

# IAM role for the task
resource "aws_iam_role" "container_security_role" {
  name = "container-security-task-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole",
      Effect    = "Allow",
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

# IAM policy with required permissions for Vision One Container Security
resource "aws_iam_role_policy" "container_security_role_policy" {
  name = "container-security-task-role-policy"
  role = aws_iam_role.container_security_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "ssm:GetParameter"
        Resource = "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/V1CS/*"
      },
      {
        Effect   = "Allow"
        Action   = "secretsmanager:GetSecretValue"
        Resource = "arn:aws:secretsmanager:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:secret:/V1CS/${var.cluster_name}/AuthToken-*"
      },
      {
        Effect   = "Allow"
        Action   = "ecs:TagResource"
        Resource = "arn:aws:ecs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:task/*"
      },
      {
        Effect   = "Allow"
        Action   = "sqs:SendMessage",
        Resource = "arn:aws:sqs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:trendmicro-container-security-*"
      }
    ]
  })
}
Step 4: Deploy and verify
- Apply the Terraform configuration:
terraform plan
terraform apply
- Verify in the AWS ECS console that the task definition was created correctly.
- Deploy a service using this task definition.
- Check CloudWatch Logs to confirm that all containers started successfully.
- Confirm in the TrendAI Vision One™ console that the workload appears and that security events are being collected.
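As a verification aid for Steps 3 and 4, the following added Python check (not Trend Micro's code) inspects a task definition in the JSON shape returned by `aws ecs describe-task-definition` and reports which of the Step 3 settings are missing; SAMPLE_TD is a constructed sample that passes every check.

```python
# Added check: does a Fargate task definition carry the Container Security settings from Step 3?

def _caps(c):
    return set(c.get("linuxParameters", {}).get("capabilities", {}).get("add", []))

def _deps(c, condition):
    return {d["containerName"] for d in c.get("dependsOn", []) if d.get("condition") == condition}

def check_task_definition(td):
    """Return the list of missing settings; an empty list means the definition passes."""
    problems = []
    if td.get("pidMode") != "task":
        problems.append("pidMode must be 'task'")
    if "trendmicro-component" not in {v.get("name") for v in td.get("volumes", [])}:
        problems.append("shared volume 'trendmicro-component' is missing")
    containers = {c["name"]: c for c in td.get("containerDefinitions", [])}
    sec = containers.get("trendmicro-security")
    if sec is None:
        return problems + ["container 'trendmicro-security' is missing"]
    if "SYS_PTRACE" not in _caps(sec):
        problems.append("trendmicro-security lacks SYS_PTRACE")
    if "healthCheck" not in sec:
        problems.append("trendmicro-security has no healthCheck")
    missing_init = {"trendmicro-init-pdig", "trendmicro-init-scout"} - _deps(sec, "SUCCESS")
    if missing_init:
        problems.append(f"trendmicro-security must depend (SUCCESS) on {sorted(missing_init)}")
    for name, c in containers.items():
        if name.startswith("trendmicro-"):
            continue  # Trend Micro's own containers were checked above
        if "SYS_PTRACE" not in _caps(c):
            problems.append(f"{name} lacks SYS_PTRACE")
        if "trendmicro-security" not in _deps(c, "START"):
            problems.append(f"{name} must depend (START) on trendmicro-security")
    return problems

# Constructed sample that satisfies every check (image, log and env fields omitted for brevity).
SAMPLE_TD = {
    "pidMode": "task",
    "volumes": [{"name": "trendmicro-component"}],
    "containerDefinitions": [
        {"name": "your-app", "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"]}},
         "dependsOn": [{"containerName": "trendmicro-security", "condition": "START"}]},
        {"name": "trendmicro-init-pdig"}, {"name": "trendmicro-init-scout"},
        {"name": "trendmicro-security", "healthCheck": {"command": ["CMD-SHELL", "exit 0"]},
         "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"]}},
         "dependsOn": [{"containerName": "trendmicro-init-pdig", "condition": "SUCCESS"},
                       {"containerName": "trendmicro-init-scout", "condition": "SUCCESS"}]},
    ],
}
```

Run it against the output of `aws ecs describe-task-definition --task-definition <family>` (the `taskDefinition` object) after `terraform apply` to confirm nothing was dropped during a manual edit.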
Important information
Before uninstalling: When planning to uninstall Container Security, unpatch the task definitions first. This prevents potential application crashes.
Version updates: Container image versions and configuration settings may change between releases. Check the latest CloudFormation template for the current requirements.
Update process: When updating to a new version, download the latest template, update the task definition with the new image versions, test in a non-production environment, and then deploy to production.
