1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Runtime defense
    6. Runtime defense for AWS Fargate
    End-of-Life (EoL)

    Runtime defense for AWS Fargate

    App Embedded Defenders monitor your Fargate tasks to ensure they execute as designed, protecting tasks from running suspicious processes or making suspicious network connections.
    Policies let you define:
    • Allow process activity. Enables verification of launched processes against policy.
    • Allow networking activity. Enables verification of domain name resolution, and inbound and outbound network connections.
    Besides runtime policy, you can also configure the WAAS application firewall to protect front-end Fargate containers.

    Securing Fargate tasks

    To secure a Fargate task, embed the Prisma Cloud Fargate Defender into it. The steps are:
    1. Define your policy in Prisma Cloud Console.
    2. Embed the Fargate Defender into your task definition.
    3. Start the service.

    Defining your policy

    Add runtime protection for your Fargate task by defining a runtime rule for it in Prisma Cloud Console.
    By default, there are no rules in the Fargate runtime policy. Fargate Defenders dynamically retrieve policies from Console as they are updated. You can embed Fargate Defender into a task with empty or very simple initial policies, and refine them as needed later.
    This procedure demonstrates how to block the
    Sample task
     (in the next paragraph, from executing a new process and establishing outbound network connections. You will create a new rule that prevents mkdir from running in the container named twistlock-fargate-task, and blocks outbound network requests to yahoo.com. If you’ve got your own task, configure the rule to meet your own specific objectives. By default, new rules apply to all images and containers (*), but you can target them to specific images or containers using pattern matching.
    1. Log into Prisma Cloud Console.
    2. Go to
      Defend > Runtime > App Embedded Policy
      .
    3. Click
      Add rule
      .
      1. Enter a rule name.
      2. By default, the rule applies to all images and all containers.
        Target the rule to specific images or containers. A task definition declares the container name in the containerDefinitions→name field.
      3. Click the
        Processes
         tab.
      4. Set
        Effect
         to
        Prevent
        .
      5. Click the
        Networking
         tab.
      6. Set
        Effect
         to
        Prevent
        .
      7. Click
        Save
        .

    Sample task

    You can use the following sample task definition to test Prisma Cloud’s Fargate Defender. The associated container includes an entry.sh script that runs
    mkdir
     and then makes various outbound network requests to
    yahoo.com
     and
    google.com
     using
    wget
    . It then sleeps for 5 minutes and exits.
    {
  "requiresCompatibilities": [
      "FARGATE"
  ],
  "containerDefinitions": [
    {
      "entryPoint": [ "entry.sh" ],
      "portMappings": [],
      "command": null,
      "image": "matthewabq/twistlock-fargate-auto",
      "name": "twistlock-fargate-task"
    }
  ],
  "family": "twistlock-fargate-task",
  "volumes": [],
  "networkMode": "awsvpc",
  "memory": "512",
  "cpu": "256"
}

    Deploy Fargate task

    1. Deploy the the above sample task definition, following the steps in Embed App-Embedded Defender into Fargate tasks.

    View runtime audits

    Since the container associated with your task automatically executes mkdir and wget in the entrypoint script, simply launch your Fargate task, wait a few minutes, then review the audits in Prisma Cloud Console.
    After a short time has passed, audits appear in Prisma Cloud Console. To review them, go to
    Monitor > Events > App Embedded Audits
    . You should see audits with the following messages:
    DNS resolution of suspicious name yahoo.com
    /bin/mkdir launched from /bin/dash and is explicitly blocked in the runtime rule. Full command: mkdir test

    WAAS for Fargate

    All the capabilities of standard WAAS are available for Fargate tasks. The only difference is that Fargate Defenders run as a reverse proxies to all other containers in the task. As such, when you set up WAAS for Fargate, you must specify the exposed external port where Fargate Defender can listen, and the port (not exposed to the Internet) where your web application listens. WAAS for Fargate forwards the filtered traffic to your application port - unless an attack is detected and you chose
    Prevent
     in your WAAS for Fargate rule.
    For more information on the type of attacks that Prisma Cloud detects and prevents, see Prisma Cloud WAAS.
    To add an application firewall to a Fargate based web container:
    1. Embed the Fargate Defender into your web container’s Fargate task.
      You can utilize the same sample Fargate task with one change: replace image
      matthewabq/twistlock-fargate-auto
       with
      httpd:2.4
      . The
      httpd:2.4
       image is an Apache web container listening on default port 80.
    2. Add a rule to protect your Fargate web container.
      1. Go to
        Defend > Firewalls > WAAS for Fargate
         and click
        Add rule
        .
      2. Enter a rule name and select the desired protections, such as
        SQLiAttack protection
        .
      3. Select
        Alert
         or
        Prevent
        .
      4. Enter a port number for the
        External Port
        , then enter one for the web container
        Application Port
        . Typically this is 80 for HTTP and 443 for HTTPS). For this example, enter 8080 for the
        External Port
         and 80 for the
        Application Port
        .
      5. Enter your Fargate task name Wildcards are allowed, but do NOT include the task version.
      6. Click
        Save
        .
        All traffic to your Fargate web container will now be examined and protected by the embedded Fargate Defender.
    3. Test your Fargate WAAS protected task.
      1. Run your protected web application Fargate task.
        Before launching your Prisma Cloud protected Fargate task, modify the security group’s inbound rules to permit TCP connections on the exposed port (8080) that you entered in the Fargate WAAS rule. This is the external port that allows you to access your web container. The security group’s inbound rules can be modified while the task is running. To disable WAAS protection, disable the WAAS rule, and re-expose the application’s real port by modifying the security group’s inbound rule.
      2. Access your Fargate web container by browsing to the public IP address of your container. Specify the external port as defined in your WAAS rule and security group.
      3. Test SQLi attack protection by running the following curl command:
        curl -o reply.html -H 'Content-Type: application/json' -X POST \
  -d '{"-1+union+all+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user--"}' \
  http://<public ip of fargate container>:8080
        The command should return a
        reply.html
         file that states the request was blocked by Prisma Cloud. There will also be an audit in Prisma Cloud Console at
        Monitor > Events > WAAS for App Embedded
        .

    Jenkins Fargate example

    Passing the Fargate task definition to your Prisma Cloud Console’s API returns the Prisma Cloud protected Fargate task definition. Use this task definition to start Prisma Cloud protected Fargate containers. This example demonstrates using the Jenkins Pipeline build process to:
    • Call the Prisma Cloud Console’s API endpoint for Fargate task creation.
    • Pass the Fargate task definition to the API.
    • Capture the returned Prisma Cloud protected Fargate task definition.
    • Save the Prisma Cloud protected Fargate task definition within the Pipeline’s archive https://<jenkins>/job/<pipeline_name>/<job#>/artifact/tw_fargate.json
    In this example we have placed our simple task fargate.json and Jenkinsfile in a GitHub repository.
    {
  node {

      stage('Clone repository') {
          checkout scm
      }

      stage('Fargate Task call') {
          withCredentials([usernamePassword(credentialsId: 'twistlockDefenderManager', passwordVariable: 'TL_PASS', usernameVariable: 'TL_USER')]) {
              sh 'curl -s -k -u $TL_USER:$TL_PASS https://$TL_CONSOLE/api/v1/defenders/fargate.json?consoleaddr=$TL_CONSOLE -X POST -H "Content-Type:application/json" --data-binary "@fargate.json" | jq . > tw_fargate.json'
              sh 'cat tw_fargate.json'
          }
      }

      stage('Publish Function') {
          archiveArtifacts artifacts: 'tw_fargate.json'}
  }
}
    1. Create an account in Prisma Cloud with the Defender Manager role.
    2. Create a Jenkins username/password credential for this account called
      twistlockDefenderManager
      .
    3. The
      $TL_Console
       Jenkins global variable was defined when the Prisma Cloud Jenkins plugin was installed.
    4. Create a Jenkins Pipeline
      1. Definition:
        Pipeline script from SCM
      2. SCM:
        Git
      3. Repository URL: <path to repository that contains both the Jenkinsfile and fargate.json>
      4. Credentials: <credentials for repository>
      5. Script path:
        Jenkinsfile
      6. Save
    5. Run
      Build Now
    6. The tw_fagate.json file will be within the archive of this build https://<jenkins>/job/<pipeline_name>/<job#>/artifact/tw_fargate.json

    Recommended For You