Install Distributed Cloud AIP Container Security Monitoring for AWS Fargate ECS

This article explains how to install and run F5 Distributed Cloud App Infrastructure Protection (AIP) Container Security Monitoring for AWS Fargate.

Store the Distributed Cloud AIP Deployment Key

Overview

This section covers the steps needed to store a Distributed Cloud AIP deployment key in the AWS Systems Manager Parameter Store as an encrypted string.

Prerequisites

  • AWS administrator account
  • Distributed Cloud AIP account
  • Your Distributed Cloud AIP organization’s deployment key, found here.

Procedure

  1. Log into the AWS console as administrator.
  2. In the AWS services section, in the Find Services field, type “Systems” and select “Systems Manager”. The Systems Manager page displays.


  3. In the left navigation pane, in the Application Management section, click Parameter Store. The Parameters page displays.
  4. Click the Create parameter button. The Parameter details screen displays.


  5. In the Name field, enter a name for the deployment key. We recommend using a name that matches your organization’s naming conventions.
  6. In the Tier section, select the Advanced radio button.
  7. In the Type section, select the SecureString radio button.
  8. In the Value field, type or copy and paste your Distributed Cloud AIP organization’s deployment key.
  9. Click the Create Parameter button. You return to the Parameters page and your Distributed Cloud AIP organization’s deployment key is now stored in the AWS Systems Manager Store as an encrypted string.


Deploy the Distributed Cloud AIP Fargate Agent

Overview

This method enables you to deploy Distributed Cloud AIP Container Security Monitoring for AWS Fargate to monitor your AWS Fargate infrastructure.

Prerequisites

  • AWS administrator account
  • Distributed Cloud AIP account
  • Access to the Distributed Cloud AIP Docker registry

Download Distributed Cloud AIP Container Security Monitoring for AWS Fargate Docker Image

Note

You must download the appropriate image for the operating system (OS) architecture you are running.

    1. Log into Docker Hub (docker.io), which hosts the threatstack/ts-hostless registry, with the following command:
      $ docker login docker.io
    2. Run the following command to pull the Distributed Cloud AIP Container Security Monitoring for AWS Fargate image:
      $ docker pull --platform linux/amd64 threatstack/ts-hostless:latest

Note

The latest tag always points to the most recent Distributed Cloud AIP Container Security Monitoring for AWS Fargate image.

Add Distributed Cloud AIP Docker Image to AWS ECR Repository

Add Distributed Cloud AIP Container Security Monitoring for AWS Fargate to Existing Fargate Task Definition

Overview

The instructions below cover the process of adding Distributed Cloud AIP Container Security Monitoring for AWS Fargate to an existing Fargate task definition. Distributed Cloud AIP Container Security Monitoring for AWS Fargate consists of an Agent sidecar container, which is added to the task, and a sensor process that runs within each monitored application container to report process activity.

Note

These steps might vary slightly based on your environment.

Prerequisites

  • AWS administrator account
  • AWS Fargate Task definition(s)
  • Distributed Cloud AIP account

Procedure: Find Container Image URI

Follow these instructions to copy the AWS Container Image URI, so the Distributed Cloud AIP Container Security Monitoring for AWS Fargate sidecar is added to the correct image.

  1. Log into the AWS console as administrator.
  2. In the AWS services section, in the Find Services field, type “ECS” and select “Elastic Container Service”. The Clusters page displays.

  3. In the left navigation pane, click the Repositories link. The Repositories screen displays.

  4. Next to the URI of the AWS image to which you want to deploy the Distributed Cloud AIP Fargate Agent, click the Copy button. The URI is copied to your clipboard.

Procedure: Revise Existing Task Definition for Distributed Cloud AIP Fargate Agent Sidecar

Follow these instructions to revise your Fargate task definition(s) to include the Distributed Cloud AIP Container Security Monitoring for AWS Fargate sidecar.

To configure your task using JSON, see Configure Fargate Task Definition with JSON Templates.

  1. Log into the AWS console as administrator.
  2. In the AWS services section, in the Find Services field, type “ECS” and select “Elastic Container Service”. The Clusters page displays.

  3. In the left navigation pane, click the Task Definitions link. The Task Definitions page displays.

  4. From the list of available task definitions, click the name of the task definition to which to add the Distributed Cloud AIP Container Security Monitoring for AWS Fargate sidecar. The Task Definition Name: [name] screen displays.


  5. Click the name of the most recent revision of the selected task definition. The Task Definition Name: [name] [revision number] screen displays.


  6. Click the Create new revision button. The Create new revision of Task Definition page displays.


  7. Update the following fields in the task definition to work with the Distributed Cloud AIP Container Security Monitoring for AWS Fargate:
    1. In the Task Definition Name field, change the name of the task definition. Distributed Cloud AIP recommends following your organization’s naming conventions.
    2. From the Task Role drop-down menu, select the role for the revised task definition.

      Important

      If the specified task role does not have permissions to retrieve the Distributed Cloud AIP deployment key from the AWS Systems Manager Parameter Store, then the Distributed Cloud AIP Container Security Monitoring for AWS Fargate will fail immediately on creation.

    3. From the Network Mode drop-down menu, select the network for the revised task definition.
    4. In the Requires compatibilities section, select the FARGATE checkbox.
  8. In the Container Definitions section, click the Add container button. The Add container dialog displays.

  9. In the Container name field, type a name for the Distributed Cloud AIP Container Security Monitoring for AWS Fargate sidecar. Distributed Cloud AIP recommends you follow your organization’s naming conventions.
  10. In the Image field, type the uniform resource identifier (URI) of the Distributed Cloud AIP Container Security Monitoring for AWS Fargate image you want to use. This information is available from the image you pulled from DockerHub.
  11. From the Memory Limits (MiB) drop-down menu, ensure Soft Limit is selected.
  12. In the memory limit size field, enter a memory limit. Ensure this value is compatible with the limit entered in the task definition. We recommend 1024 MiB.
  13. In the Environment section, enter the following information:


    1. In the CPU units field, type the number of CPU units to reserve for the container. We recommend “256”.
    2. Optionally, in the GPUs field, type the number of GPU units to reserve for the container.
    3. Ensure the Essential checkbox is selected.
    4. In the Entry point field, type /bin/agent.
    5. In the Command field, type the following commands:
      • --hostname – This required option sets the name for the Agent in the Distributed Cloud AIP user interface (UI). For more information, see AWS Fargate Commands.
      • --ruleset_names or --ruleset_ids – This required option applies specific Distributed Cloud AIP ruleset(s) to Distributed Cloud AIP Container Security Monitoring for AWS Fargate. For more information, see AWS Fargate Commands.

      Note

      You must insert commas between each argument. For example:
      --hostname=example-task-name,--ruleset_names="Fargate Rule Set"

    6. In the Working directory field, type the working directory for running binaries within your container.
    7. In the Add key field, type TS_HOSTLESS_DEPLOYMENT.
    8. From the Value drop-down menu, select ValueFrom for the environment variable.
    9. In the Add value field, paste the URI of the parameter from the parameter store, which you copied in step 4 of the previous section.

      Note

      The deployment key is stored in the AWS System Manager Parameter Store as an encrypted string. The URI for this parameter is listed in the following format:

      arn:aws:ssm:[AWS region]:[account number]:parameter/[parameter name]
      • Replace [AWS region] with the region of your AWS environment.
      • Replace [account number] with the account number associated with your AWS environment.
      • Replace [parameter name] with the name listed in the AWS System Manager Parameter Store.
  14. Click the Add button. You return to the Task Definition Name: [name] [revision number] screen and the Distributed Cloud AIP Container Security Monitoring for AWS Fargate sidecar container is now part of the task definition.

Procedure: Mount Distributed Cloud AIP Fargate Agent Sidecar in Containers

Follow these instructions to mount the Distributed Cloud AIP Container Security Monitoring for AWS Fargate sidecar in your containers.

  1. Log into the AWS console as administrator.
  2. In the AWS services section, in the Find Services field, type “ECS” and select “Elastic Container Service”. The Clusters page displays.

  3. In the left navigation pane, click the Task Definitions link. The Task Definitions page displays.

  4. From the list of available task definitions, click the name of the task definition to which to add the Distributed Cloud AIP Container Security Monitoring for AWS Fargate sidecar. The Task Definition Name: [name] screen displays.


  5. Click the name of the most recent revision of the selected task definition. The Task Definition Name: [name] [revision number] screen displays.


  6. Click the Create new revision button. The Create new revision of Task Definition screen displays.


  7. In the Container Definitions section, click the container name on which to mount the binary. The Edit container dialog displays.

  8. In the Environment section, in the Command field, add the following command for the mounted sensor executable:
    /bin/mountedSensor/sensor & [container command]

    Replace [container command] with the command for the container.

    Example:

    /bin/mountedSensor/sensor & nginx -g 'daemon off;'

  9. In the Storage and Logging section, click the Add volumes link. Additional fields display.

  10. In the Source container field, type the name of the Distributed Cloud AIP Fargate Agent sidecar container.
  11. Click the Update button. The Edit Container dialog closes and you return to the Create new revision of Task Definition screen. The Distributed Cloud AIP Fargate Agent will now mount as a binary sidecar in the task definition.
  12. Click the Create button.


    You return to the Task Definition Name: [name] page and the newest task definition revision displays in the task definition revision list.
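The two procedures above (adding the Agent sidecar with its TS_HOSTLESS_DEPLOYMENT secret, and mounting the sensor into the application container) correspond to fields in the ECS task-definition JSON that the article refers to under "Configure Fargate Task Definition with JSON Templates". What follows is an added example, not code from F5 or the Threat Stack project: it builds both container definitions, validates the parameter ARN format from the note above, emits a least-privilege IAM statement for reading the key (the Important note on task role permissions), and runs a few checks before the revision is registered. The container names (`ts-agent`, `web`), the account and region in the ARNs, the image digest and the task-level CPU/memory are constructed placeholders. Wrapping the application command in `sh -c ... exec` is this example's choice for honouring the `&` in the page's command form and assumes `/bin/sh` exists in the application image.

```python
"""Task-definition JSON for the sidecar and sensor mount described above, plus pre-registration checks.
Added example, not F5 / Threat Stack code. Assumed console-to-JSON mapping (standard ECS fields):
ValueFrom variable -> secrets[].valueFrom; Entry point / Command -> entryPoint / command (one
element per argument); Add volumes / Source container -> volumesFrom[].sourceContainer.
Every name, digest, account and region below is a constructed placeholder."""
import copy
import json
import re
import shlex

# ARN shape quoted in the note above: arn:aws:ssm:[AWS region]:[account number]:parameter/[parameter name]
PARAMETER_ARN_RE = re.compile(r"^arn:aws:ssm:([a-z]{2}(?:-[a-z]+)+-\d):(\d{12}):parameter/(.+)$")
SENSOR_PREFIX = "/bin/mountedSensor/sensor &"

def parse_parameter_arn(arn):
    """Return (region, account, name); raise ValueError if this is not a parameter ARN (e.g. a bare name)."""
    m = PARAMETER_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an SSM parameter ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(3)

def build_sidecar(name, image, parameter_arn, hostname, ruleset_names, memory_mib=1024, cpu_units=256):
    """Container definition for the Agent sidecar (console steps 9-13 above)."""
    parse_parameter_arn(parameter_arn)  # fail here rather than at task launch
    return {
        "name": name, "image": image, "essential": True, "cpu": cpu_units,
        "memoryReservation": memory_mib,  # the console's "Soft Limit"
        "entryPoint": ["/bin/agent"],
        # The console's comma-separated Command field becomes this list, one argument per element.
        "command": [f"--hostname={hostname}", f"--ruleset_names={ruleset_names}"],
        "secrets": [{"name": "TS_HOSTLESS_DEPLOYMENT", "valueFrom": parameter_arn}],
    }

def mount_sensor(app_container, sidecar_name):
    """Copy of an application container with the sensor mounted from the sidecar and started first."""
    original = app_container.get("command") or []
    if not original:
        raise ValueError(f"{app_container['name']}: set an explicit command before prefixing the sensor")
    revised = copy.deepcopy(app_container)
    # The page's form is one shell line: sh -c makes '&' a real background operator (a plain argv
    # would pass it literally); exec keeps the application as the main process so stop signals
    # reach it. Assumes /bin/sh exists in the application image.
    revised["command"] = ["sh", "-c", f"{SENSOR_PREFIX} exec {shlex.join(original)}"]
    revised["volumesFrom"] = revised.get("volumesFrom", []) + [{"sourceContainer": sidecar_name, "readOnly": True}]
    return revised

def parameter_read_policy(parameter_arn):
    """Least-privilege IAM policy for reading the deployment key (the Important note above).
    Add kms:Decrypt on the key ARN only if the parameter uses a customer managed KMS key."""
    parse_parameter_arn(parameter_arn)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": parameter_arn}]}

def check_task_definition(task_def, sidecar_name):
    """Pre-registration checks; returns a list of findings (empty means the revision looks right)."""
    findings = []
    containers = {c["name"]: c for c in task_def["containerDefinitions"]}
    sidecar = containers.get(sidecar_name)
    if sidecar is None:
        return [f"sidecar {sidecar_name!r} is not in the task definition"]
    if not sidecar.get("essential"):
        findings.append("sidecar is not essential: the task would keep running unmonitored if it dies")
    if "@sha256:" not in sidecar["image"]:
        findings.append("sidecar image is not pinned by digest; ':latest' changes underneath you")
    if not any(s.get("name") == "TS_HOSTLESS_DEPLOYMENT" for s in sidecar.get("secrets", [])):
        findings.append("sidecar has no TS_HOSTLESS_DEPLOYMENT secret (was it added as Value instead of ValueFrom?)")
    reserved = sum(c.get("memoryReservation", 0) for c in containers.values())
    if reserved > int(task_def["memory"]):
        findings.append(f"container soft limits ({reserved} MiB) exceed task memory ({task_def['memory']} MiB)")
    for name, app in containers.items():
        if name == sidecar_name:
            continue
        if not any(v.get("sourceContainer") == sidecar_name for v in app.get("volumesFrom", [])):
            findings.append(f"{name}: sensor binary is not mounted from the sidecar")
        if SENSOR_PREFIX not in " ".join(app.get("command", [])):
            findings.append(f"{name}: command does not start the mounted sensor")
    return findings

def example_task_definition():
    """Constructed revision: one application container ("web") plus the Agent sidecar ("ts-agent")."""
    arn = "arn:aws:ssm:us-east-1:123456789012:parameter/ts-deployment-key"  # placeholder
    image = "123456789012.dkr.ecr.us-east-1.amazonaws.com/ts-hostless@sha256:" + "0" * 64  # placeholder digest
    web = {"name": "web", "image": "nginx:1.25", "essential": True, "memoryReservation": 512,
           "command": ["nginx", "-g", "daemon off;"]}
    return {
        "family": "web-with-ts-agent",
        "networkMode": "awsvpc",  # the only network mode Fargate supports
        "requiresCompatibilities": ["FARGATE"],
        "cpu": "512", "memory": "2048",  # task-level limits; the container soft limits must fit inside
        "taskRoleArn": "arn:aws:iam::123456789012:role/PLACEHOLDER-task-role",
        "executionRoleArn": "arn:aws:iam::123456789012:role/PLACEHOLDER-execution-role",
        "containerDefinitions": [
            mount_sensor(web, "ts-agent"),
            build_sidecar("ts-agent", image, arn, hostname="web-task", ruleset_names="Fargate Rule Set"),
        ],
    }

if __name__ == "__main__":
    td = example_task_definition()
    print(json.dumps(td, indent=2))
    print("findings:", check_task_definition(td, "ts-agent") or "none")
```

After replacing the placeholders, the printed JSON can be registered with `aws ecs register-task-definition --cli-input-json file://task.json`. If the key is never injected even though the task role carries the policy above, check the task execution role as well: ECS resolves `valueFrom` secrets with that role when it starts the task.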

Run Distributed Cloud AIP Fargate Agent Task

Overview

Remember to run the Distributed Cloud AIP Container Security Monitoring for AWS Fargate task just as you would any other task in your Fargate environment.

Prerequisites

  • AWS administrator account
  • AWS Fargate task definition(s)

Procedure

  1. Log into the AWS console as administrator.
  2. In the AWS services section, in the Find Services field, type “ECS” and select “Elastic Container Service”. The Clusters page displays.

  3. For the cluster on which you want to run the task definition for the Distributed Cloud AIP Container Security Monitoring for AWS Fargate, click the cluster name. The Cluster: [cluster name] page displays.

  4. Click the Tasks tab. The Tasks screen displays.

  5. Click the Run new Task button. The Run Task page displays.

  6. In the Launch type field, select the FARGATE radio button. An additional field displays.
  7. From the Task Definition drop-down menu, select the name of a task definition, such as “ping”.
  8. From the Revision drop-down menu, select the most recent revision number of the task definition, such as "2 (latest)".
  9. From the Platform version drop-down menu, select the version for your task definition.
  10. From the Cluster drop-down menu, select the cluster that will run the task definition.
  11. In the Number of tasks field, specify the number of tasks to run.
  12. Optionally, in the Task Group field, specify a task group. If you do not use task groups, then leave the field blank.
  13. In the VPC and security groups section, enter the following information:

    1. From the Cluster VPC drop-down menu, select your cluster VPC.
    2. From the Subnets drop-down menu, select your subnet.
    3. In the Security groups field, click the Edit button. The Configure security groups dialog displays.

      1. In the Assigned security groups section, select the Select existing security group radio button.
      2. Select the checkbox next to the appropriate security group name.
      3. Click the Save button.
    4. Ensure the Auto-assign public IP drop-down menu value is ENABLED.
  14. Click the Run Task button. The task is created and launches in your Fargate cluster.
