Runtime defense for AWS Fargate

App Embedded Defenders monitor your Fargate tasks to ensure they execute as designed, protecting tasks from running suspicious processes or making suspicious network connections.
Policies let you define:
  • Allow process activity. Enables verification of launched processes against policy.
  • Allow networking activity. Enables verification of domain name resolution, and inbound and outbound network connections.
Besides runtime policy, you can also configure the CNAF application firewall to protect front-end Fargate containers.

Securing Fargate tasks

To secure a Fargate task, embed the Prisma Cloud Fargate Defender into it. The steps are:
  1. Define your policy in Prisma Cloud Console.
  2. Embed the Fargate Defender into your task definition.
  3. Start the service.

Sample task

You can use the following sample task definition to test Prisma Cloud’s Fargate Defender. The associated container includes an
entry.sh
script that runs
mkdir
and then makes various outbound network requests to
yahoo.com
and
google.com
using
wget
. It then sleeps for 5 minutes and exits.
{ "requiresCompatibilities": [ "FARGATE" ], "containerDefinitions": [ { "entryPoint": [ "entry.sh" ], "portMappings": [], "command": null, "image": "matthewabq/twistlock-fargate-auto", "name": "twistlock-fargate-task" } ], "family": "twistlock-fargate-task", "volumes": [], "networkMode": "awsvpc", "memory": "512", "cpu": "256" }
Your task definition must including matching
entrypoint
and
cmd
parameters from the Dockerfile(s) of the image(s) in your task. Because Prisma Cloud does not see the actual images as part of the embedding flow, it depends on having these parameter present to reliably insert Defender into the task startup flow. If your Dockerfile does not include an
entrypoint
parameter, a default one, such as
/bin/sh
, must be used in the task definition. However, because the
cmd
parameter is optional, if your Dockerfile does not include a
cmd
parameter, one is not required in the task definition.

Defining your policy

Add runtime protection for your Fargate task by defining a runtime rule for it in Prisma Cloud Console.
By default, there are no rules in the Fargate runtime policy. Fargate Defenders dynamically retrieve policies from Console as they are updated. You can embed Fargate Defender into a task with empty or very simple initial policies, and refine them as needed later.
This procedure demonstrates how to block the sample task from executing a new process and establishing outbound network connections. You will create a new rule that prevents
mkdir
from running in the container named
twistlock-fargate-task
, and blocks outbound network requests to
yahoo.com
. If you’ve got your own task, configure the rule to meet your own specific objectives. By default, new rules apply to all images and containers (
*
), but you can target them to specific images or containers using pattern matching.
  1. Log into Prisma Cloud Console.
  2. Go to
    Defend > Runtime > App Embedded Policy
    .
  3. Click
    Add rule
    .
    1. Enter a rule name.
    2. By default, the rule applies to all images and all containers.
      Target the rule to specific images or containers. A task definition declares the container name in the containerDefinitions→name field.
    3. Click the
      Processes
      tab.
    4. Set
      Effect
      to
      Prevent
      .
    5. Click the
      Networking
      tab.
    6. Set
      Effect
      to
      Prevent
      .
    7. Click
      Save
      .

Embedding the Fargate Defender

Prisma Cloud cleanly separates the code developers produce from the Fargate containers we protect. Developers don’t need to change their code to accommodate Prisma Cloud. They don’t need to load any special libraries, add any files, or change any manifests. When a container is ready to be deployed to test or production, run your task definition through a transform tool to automatically embed the Fargate Defender, then load the new task definition into AWS.
The method for embedding the Fargate Defender was designed to seamlessly integrate into the CI/CD pipeline. You can call the Prisma Cloud API to embed the Fargate Defender into your task definition. Documentation for these API endpoints will be available shortly. See Jenkins Fargate example on how to integrate this process into a Jenkins Pipeline build.
  1. Log into Prisma Cloud Console.
  2. Go to
    Manage > Defenders > Deploy
    .
  3. In the first drop-down menu (1a), select the name or IP address Fargate Defender can use to connect to Console.
    A list of IP addresses and hostnames are pre-populated in the drop-down list. If none of the items are valid, select the
    Names
    tab and add a new subject alternative name (SAN) using
    Add SAN
    button. After adding a SAN, your IP address or hostname will be available in the drop-down list in the *Deploy" tab.
    Selecting an IP address in a evaluation setup is acceptable, but using a DNS name is more resilient. If you select Console’s IP address, and Console’s IP address changes, your Defenders will no longer be able to communicate with Console.
  4. In the second drop-down list (1b), select the
    Defender type
    of
    App Embedded
    .
  5. In
    Deployment type
    , select
    Fargate Task
    .
  6. Embed the Fargate Defender into your task definition.
    1. Copy and paste your task definition into the left-hand box.
    2. Click
      Generate Protected Task
      . A new task definition with the Fargate Defender is generated.
    3. Copy the new task definition from right-hand box.

Creating a task definition in AWS

Create a new task definition in AWS with the output from the previous section. If you already have an existing task definition, create a new revision.
This section is geared to creating a new task definition based on the sample task.
  1. Log into the AWS Management Console.
  2. Go to
    Services > ECS
    .
  3. Click
    Task Definitions
    , then click
    Create new Task Definition
    .
    1. Select
      Fargate
      , then click
      Next step
      .
    2. Scroll to the bottom of the page, and click
      Configure via JSON
      .
    3. Delete the prepopulated JSON, then paste the JSON generated for task from the previous section.
    4. Click
      Save
      .
    5. Click
      Create
      .
    6. Click
      View task definition
      .

Testing the task

Since the container associated with your task automatically executes mkdir and wget in the
entrypoint
script, simply launch your Fargate task, wait a few minutes, then review the audits in Prisma Cloud Console.
Prerequisite:
You have already created an ECS cluster.
  1. Log into the AWS Management Console.
  2. Go to
    Services > ECS
    .
  3. Click
    Clusters
    , then select one of your clusters.
  4. Click the
    Services
    tab, then click
    Create
    .
    1. For
      Launch type
      , select
      Fargate
      .
    2. For
      Task Definition
      , select your task. If you’re using the sample task definition, select
      twistlock-fargate-task
      , and select the revision that contains the embedded Defender.
    3. For
      Service name
      , enter
      twistlock-fargate-task
      .
    4. For
      Number of tasks
      , enter
      1
      .
    5. Click
      Next step
      .
    6. Select a
      Cluster VPC
      and
      Subnets
      , then click
      Next step
      .
    7. For
      Service Auto Scaling
      , select
      Do not adjust the service’s desired count
      , then click
      Next step
      .
    8. Review your settings, then click
      Create Service
      .
  5. Validate the results.
    1. Click
      View Service
      .
      When
      Last status
      is
      Running
      , your Fargate task is running. The sample task automatically executes
      mkdir
      and
      wget
      (to google.com and yahoo.com), then exits after 5 minutes.
      fargate_running_task.png
      fargate_task_ipaddr.png
      After a short time has passed, audits appear in Prisma Cloud Console. To review them, go to
      Monitor > Events > App Embedded Audits
      . You should see audits with the following messages:
      DNS resolution of suspicious name yahoo.com
      /bin/mkdir launched from /bin/dash and is explicitly blocked in the runtime rule. Full command: mkdir test

CNAF For Fargate

All the capabilities of standard CNAF are available for Fargate tasks. The only difference is that Fargate Defenders run as a reverse proxies to all other containers in the task. As such, when you set up CNAF for Fargate, you must specify the exposed external port where Fargate Defender can listen, and the port (not exposed to the Internet) where your web application listens. CNAF for Fargate forwards the filtered traffic to your application port -
unless an attack is detected and you chose
Prevent
in your CNAF for Fargate rule
.
For more information on the type of attacks that Prisma Cloud detects and prevents, see Prisma Cloud CNAF.
To add an application firewall to a Fargate based web container:
  1. Embed the Fargate Defender into your web container’s Fargate task.
    You can utilize the same sample Fargate task with one change: replace image
    matthewabq/twistlock-fargate-auto
    with
    httpd:2.4
    . The
    httpd:2.4
    image is an Apache web container listening on default port 80.
  2. Add a rule to protect your Fargate web container.
    1. Go to
      Defend > Firewalls > CNAF for Fargate
      and click
      Add rule
      .
    2. Enter a rule name and select the desired protections, such as
      SQLiAttack protection
      .
    3. Select
      Alert
      or
      Prevent
      .
    4. Enter a port number for the
      External Port
      , then enter one for the web container
      Application Port
      . Typically this is 80 for HTTP and 443 for HTTPS). For this example, enter
      8080
      for the
      External Port
      and
      80
      for the
      Application Port
      .
    5. Enter your Fargate task name Wildcards are allowed, but do NOT include the task version.
    6. Click
      Save
      .
      fargate_cnaf_rule.png
      All traffic to your Fargate web container will now be examined and protected by the embedded Fargate Defender.
  3. Test your Fargate CNAF protected task.
    1. Run your protected web application Fargate task.
      Before launching your Prisma Cloud protected Fargate task, modify the security group’s inbound rules to permit TCP connections on the exposed port (8080) that you entered in the Fargate CNAF rule. This is the external port that allows you to access your web container. The security group’s inbound rules can be modified while the task is running. To disable CNAF protection, disable the CNAF rule, and re-expose the application’s real port by modifying the security group’s inbound rule.
    2. Access your Fargate web container by browsing to the public IP address of your container. Specify the external port as defined in your CNAF rule and security group.
    3. Test SQLi attack protection by running the following curl command:
      curl -o reply.html -H 'Content-Type: application/json' -X POST \ -d '{"-1+union+all+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user--"}' \ http://<public ip of fargate container>:8080
      The command should return a
      reply.html
      file that states the request was blocked by Prisma Cloud. There will also be an audit in Prisma Cloud Console at
      Monitor > Events > CNAF for App Embedded
      .
      fargate_cnaf_audit.png

Jenkins Fargate example

Passing the Fargate task definition to your Prisma Cloud Console’s API returns the Prisma Cloud protected Fargate task definition. Use this task definition to start Prisma Cloud protected Fargate containers. This example demonstrates using the Jenkins Pipeline build process to:
  • Call the Prisma Cloud Console’s API endpoint for Fargate task creation.
  • Pass the Fargate task definition to the API.
  • Capture the returned Prisma Cloud protected Fargate task definition.
  • Save the Prisma Cloud protected Fargate task definition within the Pipeline’s archive https://<jenkins>/job/<pipeline_name>/<job#>/artifact/tw_fargate.json
In this example we have placed our simple task
fargate.json
and
Jenkinsfile
in a GitHub repository.
fargate_jenkins_repo.png
{ node { stage('Clone repository') { checkout scm } stage('Fargate Task call') { withCredentials([usernamePassword(credentialsId: 'twistlockDefenderManager', passwordVariable: 'TL_PASS', usernameVariable: 'TL_USER')]) { sh 'curl -s -k -u $TL_USER:$TL_PASS https://$TL_CONSOLE/api/v1/defenders/fargate.json?consoleaddr=$TL_CONSOLE -X POST -H "Content-Type:application/json" --data-binary "@fargate.json" | jq . > tw_fargate.json' sh 'cat tw_fargate.json' } } stage('Publish Function') { archiveArtifacts artifacts: 'tw_fargate.json'} } }
  1. Create an account in Prisma Cloud with the Defender Manager role.
  2. Create a Jenkins username/password credential for this account called
    twistlockDefenderManager
    .
  3. The
    $TL_Console
    Jenkins global variable was defined when the Prisma Cloud Jenkins plugin was installed.
  4. Create a Jenkins Pipeline
    1. Definition:
      Pipeline script from SCM
    2. SCM:
      Git
    3. Repository URL: <path to repository that contains both the Jenkinsfile and fargate.json>
    4. Credentials: <credentials for repository>
    5. Script path:
      Jenkinsfile
    6. Save
  5. Run
    Build Now
    fargate_jenkins_stage.png
  6. The tw_fagate.json file will be within the archive of this build https://<jenkins>/job/<pipeline_name>/<job#>/artifact/tw_fargate.json
    fargate_jenkins_archive.png

Recommended For You