Container Security supports protection on connected Amazon ECS Fargate containers
Important: You must connect the Amazon ECS cluster that hosts the Fargate container before proceeding.
You can manually deploy Container Security alongside AWS Fargate for your Amazon ECS container. When deploying Container Security, be aware of the following:
- The container must have internet access.
- Container Security uses ptrace to inspect the containers. If your workload also uses ptrace, monitoring may not function correctly.
- Container Security enables pidMode in the task definition. Enabling pidMode results in only one ECS Exec session per task. For more information, see Using Amazon ECS Exec for debugging.
- Container Security on Fargate requires a minimum of 1 vCPU (1024 CPU units) and 512 MiB memory. Follow the AWS task size table to determine the appropriate task size for running Container Security and your workloads on Fargate.
- Trend recommends that you input the task definition using the AWS CLI instead of using the CloudFormation template.
Procedure
- In the Trend Vision One console, go to .
- In the tree, click Amazon ECS, locate and click the Fargate cluster in the list.
- Turn on Runtime Security.
- In another browser tab, sign in to the AWS account that hosts the cluster.
Important
The following AWS instructions and screen captures were valid as of March 25, 2024. For further help, check your AWS documentation.
- Configure an Identity and Access Management (IAM) policy that permits Container Security access to your Fargate container.
- Search for and go to the IAM settings in AWS.
- Click Policies and Create policy.
- Click JSON, provide the following code, and click Next.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": "arn:aws:ssm:${Region}:${Account}:parameter/V1CS/*"
    }
  ]
}
Where:
- ${Region} - The region where the Fargate container is hosted (for example, us-east-1)
- ${Account} - The ID of the AWS account that manages the Fargate container
Keep the Resource scoped to that region, that account and the V1CS/ parameter prefix; the task role only needs to read those parameters, so do not widen the ARN to a wildcard.
- Specify a unique policy name (for example, ContainerSecurityIAMPolicy) and click Create policy.
- Configure an Identity and Access Management (IAM) role using the newly created policy (in the example: ContainerSecurityIAMPolicy).
- In AWS Identity and Access Management (IAM), click Roles and click Create role.
- In the Select trusted entity screen, set the following and click Next.
  - Trusted entity type: AWS service
  - Service or use case: Elastic Container Service
  - Use case: Elastic Container Service Task
- In the Add permissions screen, locate and select the Container Security policy you created (ContainerSecurityIAMPolicy), and click Next.
- In the Name, review, and create screen, provide a unique name for the role (for example, ContainerSecurityRole) and click Create role.
- Configure an Amazon Elastic Container Service task definition using the newly created role (in the example: ContainerSecurityRole).
- Search for and go to the Amazon Elastic Container Service settings in AWS.
- Click Task definitions, then create a new task definition.
- In the Create new task definition screen, configure the following settings:
  - Task definition family name: A unique name for the new task definition (for example, ContainerSecurityTaskDefinition)
  - Task role: The Container Security role you created (ContainerSecurityRole)
  - Container settings: Specify a container name and the Image URI for the Fargate container that you want Container Security to protect
- Click Create.
- Back on the Task definitions table, click the task definition you just created (ContainerSecurityTaskDefinition) and click the latest revision.
- Click the JSON tab and click Download JSON.
- Download the latest Trend Micro Fargate tools container image from:
- Run the patching tool locally or as part of your CI/CD process to patch your ECS task definition before uploading it to ECS and running it. This adds the runtime security application to your ECS task definition; when you run your ECS task, it executes the runtime security application alongside your task.
Example 1: Input from file and output to file.
docker run -ti \
  -v <inputfile_path>:/mnt/input \
  -v <outputfile_path>:/mnt/output \
  trendmicrocloudone/ecs-taskdef-patcher:x.y.z \
  -i /mnt/input/<inputfile_name> \
  -o /mnt/output/<outputfile_name>
Example 2: Input from STDIN and output to STDOUT, with the proxy set to http://10.10.10.10:8080. Because the input arrives on a pipe, run the container with -i only; -t would request a pseudo-TTY that does not exist and docker would refuse to start.
cat input_file.json | docker run -i --rm \
  trendmicrocloudone/ecs-taskdef-patcher:x.y.z -p http://10.10.10.10:8080
Explanation of execution flags:
- -i <path/inputfile.name> (default: STDIN): Input file name and path.
- -o <path/outputfile.name> (default: STDOUT): Output file name and path.
- -t json | cloudformation (default: json): Input and output format. The CloudFormation template supports JSON and YAML, but only accepts input from a file, and its default output format is YAML.
- -p http(s)://proxy.fqdn.or.ip:port (default: no proxy): Proxy settings for Scout to connect to Container Security.
- -scout-image registry/scout@sha256:xxx (default: trendmicrocloudone/scout@sha256:xxx): Scout image location.
- -falco-image registry/falco@sha256:xxx (default: trendmicrocloudone/falco@sha256:xxx): Falco image location.
- -pdig-image registry/pdig@sha256:xxx (default: trendmicrocloudone/pdig@sha256:xxx): pdig image location.

- Upload and launch your modified ECS task definition.
Important
Once you have launched the modified ECS task definition, Runtime Security becomes active. Because Runtime Security is controlled by the task definition, Container Security cannot verify the status of the feature; the Container Security console may not accurately reflect the status of Runtime Security if you change the task definition later.
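The following Python script is an added example, not code from this page or from Trend Micro's tooling. It ties two parts of the procedure together: it renders the SSM policy document above with the region and account filled in (rejecting anything that would widen the Resource to a wildcard), and it runs the pre-flight checks a practitioner would want on the patcher's output before registering it: pidMode enabled, the task size at or above the 1 vCPU / 512 MiB minimum, a task role attached, and the Trend sidecar images pinned by sha256 digest as the flag defaults are. The sample task definition, the container names and the assumption that the patcher sets pidMode to "task" (the only value Fargate supports) are constructed for the example and are not taken from the page.

```python
"""Pre-flight checks for the Container Security on Fargate procedure.

Added example, not Trend Micro's tooling. Assumptions (not from the page):
the patched task definition has the usual ECS JSON shape, the patcher sets
pidMode to "task" (the only value Fargate supports), and the sidecar images
use the trendmicrocloudone/* defaults listed for the patcher flags.
"""
import json
import re
import sys

MIN_CPU_UNITS = 1024   # 1 vCPU, the minimum stated above
MIN_MEMORY_MIB = 512
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample: roughly what the patcher emits. Names and ARNs are made up.
SAMPLE_TASKDEF = {
    "family": "ContainerSecurityTaskDefinition",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ContainerSecurityRole",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "pidMode": "task",
    "cpu": "1024",
    "memory": "2048",
    "containerDefinitions": [
        {"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.2.3"},
        {"name": "scout", "image": "trendmicrocloudone/scout@sha256:" + "a" * 64},
        {"name": "falco", "image": "trendmicrocloudone/falco@sha256:" + "b" * 64},
    ],
}


def ssm_policy(region: str, account: str) -> dict:
    """Build the IAM policy from the procedure with ${Region}/${Account} filled in.

    The Resource stays scoped to one region, one account and the V1CS/ prefix;
    inputs that are not a real region or a 12-digit account id are rejected
    rather than silently turned into a broader ARN.
    """
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        raise ValueError(f"unexpected region: {region!r}")
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"account must be a 12-digit AWS account id: {account!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ssm:GetParameter"],
            "Resource": f"arn:aws:ssm:{region}:{account}:parameter/V1CS/*",
        }],
    }


def check_taskdef(taskdef: dict) -> list:
    """Return the problems found in a patched task definition; [] means it is ready."""
    problems = []
    if taskdef.get("pidMode") != "task":
        problems.append("pidMode is not 'task': the patcher should have enabled it")
    if "FARGATE" not in taskdef.get("requiresCompatibilities", []):
        problems.append("requiresCompatibilities does not include FARGATE")
    cpu = int(taskdef.get("cpu") or 0)
    memory = int(taskdef.get("memory") or 0)
    if cpu < MIN_CPU_UNITS:
        problems.append(f"cpu {cpu} is below the {MIN_CPU_UNITS} CPU units minimum")
    if memory < MIN_MEMORY_MIB:
        problems.append(f"memory {memory} MiB is below the {MIN_MEMORY_MIB} MiB minimum")
    if not str(taskdef.get("taskRoleArn", "")).startswith("arn:aws:iam::"):
        problems.append("taskRoleArn is missing: the task needs the role carrying the SSM policy")
    containers = taskdef.get("containerDefinitions", [])
    if len(containers) < 2:
        problems.append("no sidecar container found: was the definition run through the patcher?")
    for c in containers:
        image = c.get("image", "")
        # The patcher defaults pin Scout, Falco and pdig by digest; a tag would let
        # the runtime security images drift underneath the task definition.
        if image.startswith("trendmicrocloudone/") and not DIGEST_RE.search(image):
            problems.append(f"container {c.get('name')!r} image not pinned by sha256 digest: {image}")
    return problems


def main(argv: list) -> int:
    """Check a patched task definition (path in argv[1]) or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            taskdef = json.load(fh)
    else:
        taskdef = SAMPLE_TASKDEF
    problems = check_taskdef(taskdef)
    for p in problems:
        print("PROBLEM:", p)
    print(json.dumps(ssm_policy("us-east-1", "123456789012"), indent=2))
    # Only once no problems are reported:
    #   aws ecs register-task-definition --cli-input-json file://<patched.json>
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 preflight.py patched.json` in the same CI/CD stage that runs the patcher; a non-zero exit stops the pipeline before `aws ecs register-task-definition` ships a definition that would start without Runtime Security or with an undersized task. The digest check matters because, as the note above says, the console cannot tell you whether a later revision still carries the sidecars.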