Deploy the App Infrastructure Protection (AIP) host-based Agent – not the containerized Agent – to secure an AWS Elastic Container Service (ECS) environment.
AWS ECS has an orchestration layer that sits between the host and the containers and allows AWS to manage container instances. However, the orchestration layer does not allow access to the host kernel audit information, which prevents the AIP containerized Agent from deploying correctly. As a result, the AIP host-based Agent must be used to monitor activity in AWS ECS.
To ensure you receive container events, follow these steps:
- For Agent 1.x series: go to `/opt/threatstack/bin/cloudsight config` and set
- For Agent 2.x+ series: run the `sudo tsagent config --set enable_containers 1` command.