1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Install
    6. Amazon ECS
    End-of-Life (EoL)

    Amazon ECS

    This quickstart guide shows you how to deploy Prisma Cloud on a simple cluster that has a single infrastructure node and two worker nodes. Console runs on the infrastructure node, and an instance of Defender runs on each of the worker nodes.
    Console is the Prisma Cloud management interface, and it runs as a service. The parameters of the service are described in a task definition, and the task definition is written in JSON format.
    Defender protects your containerized environment according to the policies you set in Console.
    To automatically deploy an instance of Defender on each worker node in your cluster, you will use a user data script in the worker node launch configuration. User data scripts run custom configuration commands when a new instance is started. You will set up the user data script to call the Prisma Cloud API to download, install, and start Defender.
    This guide assumes you know very little about AWS ECS. As such, it is extremely prescriptive. If you are already familiar with AWS ECS and do not need assistance navigating the interface, simply read the section synopsis, which summarizes all key configurations.
    The installation described in this article is meant to be "production grade" in that data is persisted across restarts of the nodes. If an infrastructure node were to go down, ECS should be able to reschedule the Console service on any healthy node, and Console should still have access to its state. To enable this capability, you must attach storage that is accessible from each of your infrastructure nodes, and Amazon Elastic File System (EFS) is an excellent choice.
    When you have more than one infrastructure node, ECS can run Console on any one of them. Defenders need a reliable way to connect to Console, no matter where it runs. A load balancer automatically directs traffic to the the node where Console runs, and offers a stable interface that Defenders can use to connect to Console and that operators can use to access its web interface.
    We assume you are deploying Prisma Cloud to the default VPC. If you are not using the default VPC, adjust your settings accordingly.

    Key details

    There are a number of AWS resource identifiers and other details that are used throughout the install procedure. You should create a list of the following details for easy retrieval during the installation process.
    Cluster name
    : retain this after creating the ECS cluster. Default value: pc-ecs-cluster.
    Security group name
    : retain this after creating the security group. Default value: pc-security-group.
    Mount command for console EFS
    : retain this after creating an EFS for the console.
    Mount command for defender EFS
    : retain this after creating an EFS for the defender.
    Load Balancer DNS name
    : retain this after creating a load balancer.
    Access Token
    : Access token for Prisma Cloud.
    License Key
    : License key for Prisma Cloud.
    Version
    : The version of Prisma Cloud you are deploying, for example 20_04_169
    Infrastructure node’s public DNS
    : retain this after creating an autoscaling group for your infrastructure nodes.

    Download the Prisma Cloud software

    The Prisma Cloud release tarball contains all the release artifacts.
    1. Go to the Releases page, and copy the link to current recommended release.
    2. Retrieve the release tarball.
      $ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE_LINK>
    3. Unpack the Prisma Cloud release tarball.
      $ mkdir twistlock
$ tar xvzf prisma_cloud_compute_edition_<VERSION>.tar.gz  -C twistlock/

    Create a cluster

    Create an empty cluster named pc-ecs-cluster. Later, you will create launch configurations and auto-scaling groups to start EC2 instances in the cluster.
    1. Log into the AWS Management Console.
    2. Go to
      Services > Containers > Elastic Container Service
      .
    3. Click
      Create Cluster
      .
    4. Select
      EC2 Linux + Networking
      , then click
      Next Step
      .
    5. Enter a cluster name, such as
      pc-ecs-cluster
      .
    6. Select
      Create an empty cluster
      .
    7. Click
      Create
      .

    Create a security group

    Create a new security group named pc-security-group that opens ports 8083 and 8084. In order for Prisma Cloud to operate properly, these ports must be open. This security group will be associated with the EC2 instances started in your cluster.
    Console’s web interface and API are served on port 8083. Defender and Console communicate over a secure web socket on port 8084.
    Inbound connection to port 2049 is required to setup the NFS.
    Open port 22 so that you can SSH to any machine in the cluster.
    Additional hardening can be performed as desired for the below roles. For example, limiting access to port 22 only to source IPs from which you would connect to your instances via SSH.
    1. Go to
      Services > Compute > EC2
      .
    2. In the left menu, click
      NETWORK & SECURITY > Security Groups
      .
    3. Click
      Create Security Group
      .
    4. In
      Security group name
      , enter a name, such as
      pc-security-group
      .
    5. In
      Description
      , enter
      Prisma Cloud ports
      .
    6. In
      VPC
      , select your default VPC.
    7. Under the
      Inbound rules
       section, click
      Add Rule
      .
      1. Under
        Type
        , select
        Custom TCP
        .
      2. Under
        Port Range
        , enter
        8083-8084
        .
      3. Under
        Source
        , select
        Anywhere
        .
    8. Click
      Add Rule
      .
      1. Under
        Type
        , select
        Custom TCP
        .
      2. Under
        Port Range
        , enter
        2049
        .
      3. Under
        Source
        , select
        Anywhere
        .
    9. Click
      Add Rule
      .
      1. Under
        Type
        , select
        SSH
        .
      2. Under
        Source
        , select
        Anywhere
        .
    10. Click
      Create security group
      .

    Create an EFS file system for Console

    Create the Console EFS file system, then capture the mount command that will be used to mount the file system on every infrastructure node.
    Prerequisites:
    Prisma Cloud Console depends on an EFS file system with the following performance characteristics:
    • Performance mode:
       General purpose.
    • Throughput mode:
       Provisioned. Provision 0.1 MiB/s per deployed Defender. For example, if you plan to deploy 10 Defenders, provision 1 MiB/s of throughput.
    The EFS file system and ECS cluster must be in the same VPC and security group.
    1. Log into the AWS Management Console.
    2. Go to
      Services > Storage > EFS
      .
    3. Click
      Create File System
      .
    4. Select a VPC, select the
      pc-security-group
       for each mount target, then click
      Next Step
      .
    5. Enter a value for Name, such as
      pc-efs-console
    6. Set your throughput mode to
      Provisioned
      , and adjust Throughput to 0.1 MiB/s per Defender that would be deployed. Click
      Next Step
      .
    7. For
      Configure client access
      , keep the default settings and click
      Next Step
      .
    8. Review your settings and select
      Create File System
      .
    9. Click on the
      Amazon EC2 mount instructions (from local VPC)
       link and copy the mount command (Using the NFS client) and set it aside as the Console mount command.
      You will use this mount command to configure your launch configuration for the Console.

    Create EFS file system for Defender

    Create the Defender EFS file system, then capture the mount command that will be used to mount the file system on every worker node.
    The EFS file system and ECS cluster must be in the same VPC and security group.
    1. Log into the AWS Management Console.
    2. Go to
      Services > Storage > EFS
      .
    3. Click
      Create File System
      .
    4. Select a VPC, select the
      pc-security-group
       for each mount target, then click
      Next Step
      .
    5. Enter a value for Name, such as
      pc-efs-defender
      , then click
      Next Step
      .
    6. For
      Configure client access
      , keep the default settings and click
      Next Step
      .
    7. Review your settings and select
      Create file system
      .
    8. Click on the
      Amazon EC2 mount instructions (from local VPC)
       link and copy the mount command (Using the NFS client) and set it aside as the Defender mount command.
      You will use this mount command to configure your launch configuration for the Defenders.

    Set up a classic load balancer

    Set up an AWS Classic Load Balancer, and capture the Load Balancer DNS name.
    You’ll create two load balancer listeners. One is used for Console’s UI and API, which are served on port 8083. Another is used for the websocket connection between Defender and Console, which is established on port 8084.
    For detailed instructions on how to create a load balancer for Console, see Configure an AWS Load Balancer for ECS.

    Deploy Console

    Launch an infrastructure node that runs in the cluster, then start Prisma Cloud Console as a service on that node.

    Create a launch configuration for the infrastructure node

    Launch configurations are templates that are used by an auto-scaling group to start EC2 instances in your cluster.
    Create a launch configuration named pc-infra-node that:
    • Creates an instance type of t2.large, or higher. For more information about Console’s minimum requirements, see System requirements.
    • Runs Amazon ECS-Optimized Amazon Linux 2 AMI.
    • Uses the ecsInstanceRole IAM role.
    • Runs a user data script that joins the pc-ecs-cluster and defines a custom attribute named purpose with a value of infra. Console will be pinned to this instance.
    1. Go to
      Services > Compute > EC2
      .
    2. In the left menu, click
      AUTO SCALING > Launch Configurations
      .
    3. Click
      Create launch configuration
      .
    4. Choose an AMI.
      1. Click
        AWS Marketplace
        .
      2. In the search box, enter
        Amazon ECS-Optimized Amazon Linux 2 AMI
        .
      3. Click
        Select
         for
        Amazon ECS-Optimized Amazon Linux 2 AMI
        .
    5. Choose an instance type.
      1. Select
        t2.large
        .
      2. Click
        Next: Configure details
        .
    6. Configure details.
      1. In
        Name
        , enter a name for your launch configuration, such as
        pc-infra-node
        .
      2. In
        IAM
         role, select
        ecsInstanceRole
        .
        If this role doesn’t exist, see Amazon ECS Container Instance IAM Role.
      3. Select
        Enabled CloudWatch detailed monitoring
        .
      4. Expand
        Advanced Details
        ,
      5. In
        User Data
        , enter the following text in order to install the NFS utilities and mount the EFS file system:
        #!/bin/bash
cat <<'EOF' >> /etc/ecs/ecs.config
ECS_CLUSTER=pc-ecs-cluster
ECS_INSTANCE_ATTRIBUTES={"purpose": "infra"}
EOF

yum install -y nfs-utils
mkdir /twistlock_console
<CONSOLE_MOUNT_COMMAND> /twistlock_console

mkdir -p /twistlock_console/var/lib/twistlock
mkdir -p /twistlock_console/var/lib/twistlock-backup
mkdir -p /twistlock_console/var/lib/twistlock-config

mkdir /twistlock_certificates
chown root:root /twistlock_certificates
chmod 700 /twistlock_certificates
<DEFENDER_MOUNT_COMMAND> /twistlock_certificates
        pc-ecs-cluster
         must match your cluster name. If you’ve named your cluster something other than
        pc-ecs-cluster
        , then modify your User Data script accordingly.
        <CONSOLE_MOUNT_COMMAND> is the Console mount command you copied from the AWS Management Console after creating your console EFS file system. The mount target must be /twistlock_console, not the efs mount target provided in the sample command.
        <DEFENDER_MOUNT_COMMAND> is the defender mount command you copied from the AWS Management Console after creating your defender EFS file system. The mount target must be /twistlock_certificates, not the efs mount target provided in the sample command.
      6. (Optional) Under
        IP Address Type
        , select
        Assign a public IP address to every instance
        .
        With this option, you can easily SSH to this instance to troubleshoot issues.
      7. Click
        Next: Add Storage
        .
    7. Add Storage.
      1. Accept the defaults, and click
        Next: Configure Security Group
        .
    8. Configure security group.
      1. Under
        Assign a security group
        , choose
        Select an existing security group
        .
      2. Select
        pc-security-group
        .
      3. Click
        Review
        .
    9. Review.
      1. Review the configuration and select
        Create launch configuration
        .
    10. Select an existing key pair, or create a new key pair so that you can access your instance.
    11. Click
      Create launch configuration
      .

    Create an auto scaling group for the infrastructure node

    Launch a single instance of the infrastructure node into your cluster.
    1. Go to
      Services > Compute > EC2
      .
    2. In the left menu, click
      AUTO SCALING > Auto Scaling Groups
      .
    3. Click
      Create Auto Scaling group
      .
      1. Select
        Launch Configuration
      2. Select
        pc-infra-node
        .
      3. Click
        Next Step
        .
    4. Configure Auto Scaling group details.
      1. In
        Group Name
        , enter pc-infra-autoscaling.
      2. Set
        Group size
         to the desired value (typically, this is a value greater than
        1
        ).
      3. Under
        Network
        , select your default VPC.
      4. Under
        Subnet
        , select a public subnet, such as 172.31.0.0/20.
      5. Click
        Next: Configure scaling policies
        .
    5. Configure scaling policies.
      1. Select
        Keep this group at its initial size
        .
      2. Click
        Next: Configure Notifications
        .
    6. Configure Notifications.
      1. Click
        Next: Configure Tags
        .
    7. Configure Tags.
      1. Under
        Key
        , enter
        Name
        .
      2. Under
        Value
        , enter
        pc-infra-node
        .
      3. Click
        Review
        .
    8. Review the configuration and click
      Create Auto Scaling Group
      .
      After the auto scaling group spins up (it will take some time), validate that your cluster has one container instance, where a container instance is the ECS vernacular for an EC2 instance that has joined the cluster and is ready to accept container workloads:
      • Go to
        Services > Containers > Elastic Container Service
        . The count for
        Container instances
         should be 1.
      • Click on the cluster, then click on the
        ECS Instances
         tab. In the status table, there should a single entry. Click on the link under the
        EC2 Instance
         column. In the details page for the EC2 instance, record the
        Public DNS
        .

    Copy the Prisma Cloud config file into place

    The Prisma Cloud API serves the version of the configuration file used to instantiate Console. Use scp to copy twistlock.cfg from the Prisma Cloud release tarball to /twistlock_console/var/lib/twistlock-config on the infrastructure node.
    1. Upload twistlock.cfg to the infrastructure node.
      1. Go to the directory where you unpacked the Prisma Cloud release tarball.
      2. Copy twistlock.cfg to the infrastructure node.
        $ scp -i <PATH-TO-KEY-FILE> twistlock.cfg ec2-user@<ECS_INFRA_NODE_DNS_NAME>:~
    2. SSH to the infrastructure node.
      $ ssh -i <PATH-TO-KEY-FILE> ec2-user@<ECS_INFRA_NODE_DNS_NAME>
    3. Copy the twistlock.cfg file into place.
      $ sudo cp twistlock.cfg /twistlock_console/var/lib/twistlock-config

    Create a Prisma Cloud Console task definition

    Prisma Cloud provides a task definition template for Console. Download the template, then update the variables specific to your environment. Finally, load the task definition in ECS.
    Prerequisites:
    • The task definition provisions sufficient resources for Console to operate. Our template specifies reasonable defaults. For more information, see System requirements.
    1. Download the Prisma Cloud Console task definition, and open it for editing.
    2. Update the value for image to point to Prisma Cloud’s cloud registry:
      Replace the following placeholder strings with the appropriate values:
      • <ACCESS-TOKEN> — Your Prisma Cloud access token. All characters must be lowercase. To convert your access token to lowercase, run:
        $ echo <ACCESS-TOKEN> | tr '[:upper:]' '[:lower:]'
      • <VERSION> — Version of the Console image to retrieve and install. For example, 18_11_128.
    3. Update <ECS_INFRA_NODE_IPADDR> to the Load Balancer DNS name.
    4. Go to
      Services > Containers > Elastic Container Service
      .
    5. In the left menu, click
      Task Definitions
      .
    6. Click
      Create new Task Definition
      .
    7. In
      Step 1: Select launch type compatibility
      , select
      EC2
      , then click
      Next step
      .
    8. In
      Step 2: Configure task and container definitions
      , scroll to the bottom of the page and click
      Configure via JSON
      .
    9. Delete the contents of the window, and replace it with the Prisma Cloud Console task definition
    10. Click
      Save
      .
      1. (Optional) Change the task definition name before creating. The JSON will default the name to
        pc-console
        .
    11. Click
      Create
      .

    Launch the Prisma Cloud Console service

    Create the Console service using the previously defined task definition. A single instance of Console will run on the infrastructure node.
    1. Go to
      Services > Containers > Elastic Container Service
      .
    2. In the left menu, click
      Clusters
      .
    3. Click on your cluster.
    4. In the
      Services
       tab, then click
      Create
      .
    5. In
      Step 1: Configure service
      :
      1. For
        Launch type
        , select
        EC2
        .
      2. For
        Task Definition
        , select
        pc-console
        .
      3. In
        Service Name
        , enter
        pc-console
        .
      4. In
        Number of tasks
        , enter
        1
        .
      5. Click
        Next Step
        .
    6. In
      Step 2: Configure network
      :
      1. For
        Load Balancer type
        , select
        Classic Load Balancer
        .
      2. For
        Service IAM role
        , leave the default
        ecsServiceRole
        .
      3. For
        Load Balancer Name
        , select previously created load balancer.
      4. Unselect
        Enable Service discovery integration
      5. click
        Next Step
        .
    7. In
      Step 3: Set Auto Scaling
      , accept the defaults, and click
      Next
      .
    8. In
      Step 4: Review
      , click
      Create Service
      .
    9. Wait for the service launch to be completed and click
      View Service
      .
    10. Wait for the service
      Last status
       to change to running (can take a few minutes) and continue to
      Configure Prisma Cloud Console
       below.

    Configure Prisma Cloud Console

    Navigate to Console’s web interface, create your first admin account, then enter your license.
    1. Start a browser, then navigate to https://<Load Balancer DNS Name>:8083
    2. At the login page, create your first admin account. Enter a username and password.
    3. Enter your license key, then click
      Register
      .

    Deploy Defender

    Launch an infrastructure node that runs in the cluster
    You are now ready to deploy your worker nodes. You will create worker nodes that runs in the cluster, an ECS Task Definition for the Prisma Cloud Defender, then create a service of type Daemon to ensure that the Defender is deployed across your ECS cluster.

    Copy Defender’s certificates into place

    Get the certificates Defender requires to securely connect to Console, and then copy them to the EFS partition that worker nodes will mount.
    1. SSH to the infrastructure node:
      $ ssh -i <PATH-TO-KEY-FILE> ec2-user@<ECS_INFRA_NODE>
    2. Retrieve the service parameter from the Prisma Cloud API.
      $ curl -k -s \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  https://<Load Balancer DNS name>:8083/api/v1/certs/service-parameter \
  -o service-parameter
    3. Retrieve the server certificates bundle from the Prisma Cloud API, and extract the bundle to files:
      $ curl -k \
  -u <USER> \
  -X GET \
  https://<Load Balancer DNS name>:8083/api/v1/certs/server-certs.sh | sh
    4. Copy the following files to the Defender EFS file system under /twistlock_certificates:
      • service-parameter
      • ca.pem
      • client-cert.pem
      • client-key.pem
    5. Set the ownership and permissions for each file under /twistlock_certificates.
      $ sudo chown root:root ca.pem client-cert.pem client-key.pem service-parameter
$ sudo chmod 600 ca.pem client-cert.pem client-key.pem service-parameter

    Create a launch configuration for worker nodes

    Create a launch configuration named pc-worker-node that:
    • Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.
    • Uses the ecsInstanceRole IAM role.
    • Runs a user data script that joins the pc-ecs-cluster and runs the commands required to install Defender.
    1. Go to
      Services > Compute > EC2
      .
    2. In the left menu, click
      AUTO SCALING > Launch Configurations
      .
    3. Click
      Create Launch Configuration
    4. Choose an AMI:
      1. Click
        AWS Marketplace
        .
      2. In the search box, enter
        Amazon ECS-Optimized Amazon Linux 2 AMI
        .
      3. Click
        Select
         for
        Amazon ECS-Optimized Amazon Linux 2 AMI
        .
    5. Choose an instance type.
      1. Select
        t2.medium
        .
      2. Click
        Next: Configure details
        .
    6. Configure details.
      1. In
        Name
        , enter a name for your launch configuration, such as
        pc-worker-node
        .
      2. In
        IAM
         role, select
        ecsInstanceRole
        .
      3. Select
        Enable CloudWatch detailed monitoring
        .
      4. Expand
        Advanced Details
        ,
      5. In
        User Data
        , enter the following text:
        #!/bin/bash
echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config

yum install -y nfs-utils
mkdir /twistlock_certificates
chown root:root /twistlock_certificates
chmod 700 /twistlock_certificates
<DEFENDER_MOUNT_COMMAND> /twistlock_certificates
        Where:
        • ECS_CLUSTER must match your cluster name. If you’ve named your cluster something other than pc_ecs_cluster, then modify your User Data script accordingly.
        • <DEFENDER_MOUNT_COMMAND> is the mount command you copied from the AWS Management Console after creating your Defender EFS file system. The mount target must be /twistlock_certificates, replacing the efs mount target provided in the sample mount command.
      6. (Optional) Under
        IP Address Type
        , select
        Assign a public IP address to every instance
        .
        With this option, you can easily SSH to any worker nodes instances and troubleshoot issues.
      7. Click
        Next: Add Storage
        .
    7. Add Storage.
      • Accept the defaults, and click
        Next: Configure Security Group
        .
    8. Configure security group.
      1. Under
        Assign a security group
        , choose
        Select an existing security group
        .
      2. Select
        pc-security-group
        .
      3. Click
        Review
        .
    9. Review.
      • Review the configuration and select
        Create launch configuration
        .
    10. Select an existing key pair, or create a new key pair so that you can access your instance.

    Create an auto scaling group for the worker nodes

    Launch two worker nodes into your cluster.
    1. Go to
      Services > Compute > EC2
      .
    2. In the left menu, click
      AUTO SCALING > Auto Scaling Groups
      .
    3. Click
      Create Auto Scaling group
      :
      1. Select
        Launch Configuration
      2. Select
        pc-worker-node
        .
      3. Click
        Next Step
        .
    4. Configure Auto Scaling group details:
      1. In
        Group Name
        , enter pc-worker-autoscaling.
      2. Set
        Group size
         to
        2
        .
      3. Under
        Network
        , select your default VPC.
      4. Under
        Subnet
        , select a public subnet, such as 172.31.0.0/20.
      5. Click
        Next: Configure scaling policies
        .
    5. Configure scaling policies.
      1. Select
        Keep this group at its initial size
        .
      2. Click
        Next: Configure Notifications
        .
    6. Configure Notifications.
      1. Click
        Next: Configure Tags
        .
    7. Configure Tags.
      1. Under
        Key
        , enter
        Name
        .
      2. Under
        Value
        , enter
        pc-worker-node
        .
      3. Click
        Review
        .
    8. Review the configuration and click
      Create Auto Scaling Group
      .
    9. After the auto scaling group spins up (it will take some time), validate that your cluster has three container instances.
      1. Go to
        Services > Containers > Elastic Container Service
        .
      2. The count for
        Container instances
         in your cluster should now be a total of three.

    Create a Prisma Cloud Defender task definition

    Prisma Cloud provides a task definition template for Defender. Download the template, then update the variables specific to your environment. Finally, load the task definition in ECS.
    1. Download the Prisma Cloud Defender task definition, and open it for editing.
    2. Update the value for image to point to Prisma Cloud’s cloud registry:
      Replace the following placeholder strings with the appropriate values:
      • <ACCESS-TOKEN> — Your Prisma Cloud access token. All characters must be lowercase. To convert your access token to lowercase, run:
        $ echo <ACCESS-TOKEN> | tr '[:upper:]' '[:lower:]'
      • <VERSION> — Version of the Console image to retrieve and install. For example, 19_03_321.
      • <ELB-8084> — The DNS name for the load balancer you created.
    3. Go to
      Services > Containers > Elastic Container Service
      .
    4. In the left menu, click
      Task Definitions
      .
    5. Click
      Create new Task Definition
      .
    6. In
      Step 1: Select launch type compatibility
      , select
      EC2
      , then click
      Next step
      .
    7. In
      Step 2: Configure task and container definitions
      , scroll to the bottom of the page and click
      Configure via JSON
      .
    8. Delete the contents of the window, and replace it with the Prisma Cloud Console task definition
    9. Click
      Save
      .
      1. (Optional) Change the task definition name before creating. The JSON will default the name to
        pc-defender
        .
    10. Click
      Create
      .

    Launch the Prisma Cloud Defender service

    Create the Defender service using the previously defined task definition. Using Daemon scheduling, one Defender will run per node in your cluster.
    1. Go to
      Services > Containers > Elastic Container Service
      .
    2. In the left menu, click
      Clusters
      .
    3. Click on your cluster.
    4. In the
      Services
       tab, then click
      Create
      .
    5. In
      Step 1: Configure service
      :
      1. For
        Launch type
        , select
        EC2
        .
      2. For
        Task Definition
        , select
        pc-defender
        .
      3. In
        Service Name
        , enter
        pc-defender
        .
      4. In
        Service Type
        , select
        Daemon
        .
      5. Click
        Next Step
        .
    6. In
      Step 2: Configure network
      , accept the defaults, and click
      Next
      .
    7. In
      Step 3: Set Auto Scaling
      , accept the defaults, and click
      Next
      .
    8. In
      Step 4: Review
      , click
      Create Service
      .
    9. Click
      View Service
      .
    10. Verify that you have Defenders running on each node in your ECS cluster.
      Go to your Prisma Cloud Console and view the list of Defenders in
      Manage > Defenders > Manage
       (there should be a total for 3 defenders → one for each EC2 instance).

    Using a private registry

    For maximum control over your environment, you might want to store the Console container image in your own private registry, and then install Prisma Cloud from your private registry. When the Console service is started, ECS retrieves the image from your registry. This procedure shows you how to push the Console container image to Amazon’s Elastic Container Registry (ECR).
    Prerequisites:
    • AWS CLI is installed on your machine. It is required to push the Console image to your registry.
    1. Go to the directory where you unpacked the Prisma Cloud release tarball.
      $ cd twistlock/
    2. Load the Console image.
      $ docker load < ./twistlock_console.tar.gz
    3. Go to
      Services > Containers > Elastic Container Service
      .
    4. In the left menu, click
      Repositories
      .
    5. Click
      Create repository
      .
    6. Follow the AWS instructions for logging in to the registry, tagging the Console image, and pushing it to your repo.
      Be sure to update your Console task definition so that the value for image points to your private registry.