1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Compliance
    6. Fargate scanning
    End-of-Life (EoL)

    Fargate scanning

    AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts. Each container is defined as part of a task and several containers can be run as part of the same task.
    Prisma Cloud can scan Fargate tasks for compliance issues. To see the scan report for your Fargate task images, go to
    Monitor > Compliance > Images > Deployed
     and filter the table with
    Fargate:Select
    .
    Prisma Cloud Compute labels all containers running within the same task as if they run on the same host. For containers that are running in Fargate, the Host column will contain the Fargate task identifier.

    Create compliance rules for Fargate tasks

    Create a compliance rule for Fargate tasks in scope.
    1. Login to the Console.
    2. Go to
      Defend > Compliance > Containers and images > Deployed
      .
    3. Click
      Add rule
      .
    4. Enter a rule name.
    5. Click on
      Scope
       to select a relevant collection, or create a new collection for your Fatgate tasks:
      1. Click
        Add collection
        .
      2. Enter collection name.
      3. In the host you can type the name of the required Fargate task name or postfix wildcards.
      4. Click
        Save
        .
      5. Select the new Fargate task collection.
      6. Click
        Select collection
        .
    6. Click
      Save
      .
      The block action doesn’t apply to Fargate tasks.

    Compliance check details

    The following checks are supported for Fargate tasks:
    • 424: Sensitive information provided in environment variables
       --
      Checks if images contain sensitive information in their environment variables.
    • 425: Private keys stored in image
       --
      Searches for private keys stored in an image or serverless function.
    • 426: Image contains binaries used for crypto mining
       --
      Detects when there are crypto miners in an image. Attackers have been quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images.
    • 448: Package binaries should not be altered
       --
      Checks the integrity of package binaries in an image. During an image scan, every binary’s checksum is compared with its package info.
    • Custom compliance
       --
      Custom checks capability works only for tasks that allows users with
      root
       privileges. Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. For more information, see Custom compliance checks.

    Deploy Fargate task

    Deploy the fargate-vulnerability-compliance-task Fargate task (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.

    Example task definition

    You can use the following task definition to test Prisma Cloud’s App-Embedded Defender. The task deploys a ubuntu:18.04 container and runs the /bin/sh -c 'cp /bin/sleep /tmp/xmrig command that triggers the
    Image contains binaries used for crypto mining
     compliance check.
    {
  "containerDefinitions": [
     {
        "command": [
           "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
        ],
        "entryPoint": [
           "sh",
           "-c"
        ],
        "essential": true,
        "image": "ubuntu:18.04",
        "logConfiguration": {
           "logDriver": "awslogs",
           "options": {
              "awslogs-group" : "/ecs/fargate-task-definition",
              "awslogs-region": "us-east-1",
              "awslogs-stream-prefix": "ecs"
           }
        },
        "name": "Fargate-vul-comp-test",
        "portMappings": [
           {
              "containerPort": 80,
              "hostPort": 80,
              "protocol": "tcp"
           }
        ]
     }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
      "FARGATE"
   ]
}

    View compliance scan results

    1. Navigate to
      Monitor > Compliance > Images > Deployed
       and validate that the deployed image appears with an alerted compliance check.
    2. To see all images that are related to Fargate tasks, filter the image table by adding the
      Fargate:Select
       filter.
      You can also filter the results by a specific task name or postfix wildcards. For example: fargate-task OR fargate-task*. Use the
      Hosts:
       filter to filter the table specifically by hosts.
    3. Search for the fargate-vulnerability-compliance-task Fargate task.
    4. Click on the image to view image details:
      1. The associated vulnerabilities will appear under the Vulnerabilities tab
      2. Under the Compliance tab, see the following compliance issue:
        Image contains binaries used for crypto mining
      3. See the related fargate tasks under the
        Environment > Fargate Tasks
         tab.
        the Host column represents the number of hosts and Fargate tasks that this image is associated with.
        Runtime, Layers, Processes info and Labels tabs are not supported for images scanning by Fargate defenders.