Fargate scanning

AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts. Each container is defined as part of a task and several containers can be run as part of the same task.
Prisma Cloud can scan Fargate tasks for compliance issues. To see the scan report for your Fargate task images, go to Monitor > Compliance > Images > Deployed and filter the table with Fargate:Select.
Prisma Cloud Compute treats all containers running within the same task as if they run on the same host. For containers running in Fargate, the Host column contains the Fargate task identifier.

Create compliance rules for Fargate tasks

Create a compliance rule for the Fargate tasks in scope.
  1. Log in to the Console.
  2. Go to Defend > Compliance > Containers and images > Deployed.
  3. Click Add rule.
  4. Enter a rule name.
  5. Click Scope to select a relevant collection, or create a new collection for your Fargate tasks:
    1. Click Add collection.
    2. Enter a collection name.
    3. In the Hosts field, enter the Fargate task name, or a name with a trailing wildcard (for example, fargate-task*). Task names are matched against the host scope because Prisma Cloud reports the Fargate task identifier as the host.
    4. Click Save.
    5. Select the new Fargate task collection.
    6. Click Select collection.
  6. Click Save.
    The block action doesn't apply to Fargate tasks.

Compliance check details

The following checks are supported for Fargate tasks:
  • 424: Sensitive information provided in environment variables -- Checks whether images contain sensitive information in their environment variables.
  • 425: Private keys stored in image -- Searches for private keys stored in an image or serverless function.
  • 426: Image contains binaries used for crypto mining -- Detects crypto miners in an image. Attackers have been quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images.
  • 448: Package binaries should not be altered -- Checks the integrity of package binaries in an image. During an image scan, every binary's checksum is compared with the checksum recorded in its package metadata.
  • Custom compliance -- Custom checks work only for tasks whose containers run with root privileges. Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. For more information, see Custom compliance checks.
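To make concrete what the filesystem-level checks above look for, here is an added example (not Prisma Cloud's scanner and not code from this page) that implements illustrative versions of checks 425, 426 and 448 over an extracted image filesystem. The PEM-header pattern, the miner-name watchlist and the use of dpkg's .md5sums manifests are assumptions about how such checks can be built; the sample rootfs is constructed in a temporary directory so the script runs offline, and it plants one finding per check, including a renamed /bin/sleep at /tmp/xmrig like the test task further down this page.

```python
"""Illustrative versions of the filesystem-level Fargate image checks
(425 private keys, 426 crypto-mining binaries, 448 altered package binaries).

Added example, not Prisma Cloud's scanner. The key-header, miner-name and
dpkg-manifest heuristics are assumptions about what such checks look for; the
image filesystem is constructed in a temporary directory so the script runs
offline.
"""
import hashlib
import os
import re
import tempfile

# Assumed PEM headers that identify a private key (check 425 analogue).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# Assumed watchlist of miner binary names (check 426 analogue).
MINER_NAMES = {"xmrig", "minerd", "cpuminer", "xmr-stak"}


def _image_path(rootfs, path):
    """Render a host path inside the extracted rootfs as an image path."""
    return "/" + os.path.relpath(path, rootfs)


def find_private_keys(rootfs):
    """Return image paths of regular files whose head carries a private-key header."""
    hits = []
    for d, _, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(d, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                if PRIVATE_KEY_RE.search(fh.read(4096)):
                    hits.append(_image_path(rootfs, path))
    return sorted(hits)


def find_miner_binaries(rootfs):
    """Return image paths of files whose name matches a known miner."""
    hits = []
    for d, _, files in os.walk(rootfs):
        for name in files:
            if name.lower() in MINER_NAMES:
                hits.append(_image_path(rootfs, os.path.join(d, name)))
    return sorted(hits)


def find_altered_package_binaries(rootfs):
    """Compare each file listed in the dpkg md5sums manifests with its on-disk MD5.

    dpkg records '<md5>  <path-without-leading-slash>' per installed file in
    /var/lib/dpkg/info/<package>.md5sums; a mismatch means the file was
    changed after the package was installed (check 448 analogue).
    """
    info_dir = os.path.join(rootfs, "var/lib/dpkg/info")
    altered = []
    if not os.path.isdir(info_dir):
        return altered
    for manifest in sorted(os.listdir(info_dir)):
        if not manifest.endswith(".md5sums"):
            continue
        package = manifest[: -len(".md5sums")]
        with open(os.path.join(info_dir, manifest)) as fh:
            for line in fh:
                expected, _, rel = line.rstrip("\n").partition("  ")
                target = os.path.join(rootfs, rel)
                if not os.path.isfile(target):
                    continue  # a removed file is a different finding
                with open(target, "rb") as bf:
                    actual = hashlib.md5(bf.read()).hexdigest()
                if actual != expected:
                    altered.append(("/" + rel, package))
    return altered


def scan_image(rootfs):
    """Run the three checks and key the findings by compliance check ID."""
    return {
        "425": find_private_keys(rootfs),
        "426": find_miner_binaries(rootfs),
        "448": find_altered_package_binaries(rootfs),
    }


def build_sample_rootfs():
    """Constructed sample image filesystem (not a real image), one finding per check."""
    root = tempfile.mkdtemp(prefix="rootfs-")

    def put(rel, data, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

    sleep_bin, ls_bin = b"\x7fELF sleep", b"\x7fELF ls"
    put("bin/sleep", sleep_bin, 0o755)
    put("bin/ls", ls_bin, 0o755)
    manifest = "".join(f"{hashlib.md5(data).hexdigest()}  {rel}\n"
                       for rel, data in (("bin/sleep", sleep_bin), ("bin/ls", ls_bin)))
    put("var/lib/dpkg/info/coreutils.md5sums", manifest.encode())
    put("bin/ls", b"\x7fELF ls+backdoor", 0o755)   # tampered after the manifest was written
    put("tmp/xmrig", sleep_bin, 0o755)             # mirrors 'cp /bin/sleep /tmp/xmrig'
    put("root/.ssh/id_rsa", b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n"
                            b"-----END OPENSSH PRIVATE KEY-----\n", 0o600)
    put("etc/hostname", b"app\n")
    return root


if __name__ == "__main__":
    for check, findings in scan_image(build_sample_rootfs()).items():
        print(check, findings)
```

Note that /tmp/xmrig is not in any package manifest, so check 448 stays silent about it; only the name-based check 426 flags it, while the tampered /bin/ls is caught by 448 alone. That is why the checks complement each other rather than overlap.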

Deploy Fargate task

Deploy the fargate-vulnerability-compliance-task Fargate task (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.

Example task definition

You can use the following task definition to test Prisma Cloud's App-Embedded Defender. The task deploys a ubuntu:18.04 container and runs the command /bin/sh -c 'cp /bin/sleep /tmp/xmrig && ...', which places a harmless copy of /bin/sleep at /tmp/xmrig and then sleeps forever; that file is enough to trigger the Image contains binaries used for crypto mining compliance check. Adjust the execution role ARN, log group and region to match your account before registering it.

```json
{
  "containerDefinitions": [
    {
      "command": [
        "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
      ],
      "entryPoint": ["sh", "-c"],
      "essential": true,
      "image": "ubuntu:18.04",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/fargate-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "name": "Fargate-vul-comp-test",
      "portMappings": [
        { "containerPort": 80, "hostPort": 80, "protocol": "tcp" }
      ]
    }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"]
}
```
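The test task above deliberately carries a miner-like binary. A task definition can just as easily fail check 424 (sensitive information in environment variables) through its own `environment` block, so here is an added example (not part of this page and not Prisma Cloud's check) that lints a task definition for plaintext credentials and rewrites them as ECS `secrets` entries, which pull the value from SSM Parameter Store or Secrets Manager through `valueFrom` at launch. The variable-name and value patterns, the sample task definition (the page's test task with two credentials added) and the SSM parameter ARN prefix are assumptions.

```python
"""Lint an ECS task definition for plaintext secrets in container environment
variables (the task-definition counterpart of compliance check 424) and rewrite
them as ECS `secrets` entries that pull the value from SSM Parameter Store or
Secrets Manager at launch.

Added example, not Prisma Cloud's check. The variable-name and value patterns,
the sample task definition and the parameter ARN prefix are assumptions.
"""
import copy
import json
import re

# Assumed name fragments that usually carry credentials.
SENSITIVE_NAME_RE = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# Assumed value shapes: an AWS access key ID or a PEM block.
SENSITIVE_VALUE_RE = re.compile(r"^(AKIA[0-9A-Z]{16}$|-----BEGIN )")


def find_plaintext_secrets(task_def):
    """Return (container, variable) pairs whose environment entry looks like a secret."""
    findings = []
    for cdef in task_def.get("containerDefinitions", []):
        for env in cdef.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            if SENSITIVE_NAME_RE.search(name) or SENSITIVE_VALUE_RE.match(value):
                findings.append((cdef.get("name"), name))
    return findings


def move_to_secrets(task_def, param_arn_prefix):
    """Return a copy of task_def with flagged variables moved from `environment`
    to `secrets`, each referencing '<prefix>/<NAME>' through valueFrom.

    The value itself no longer appears in the task definition; it has to be
    created in SSM Parameter Store (or Secrets Manager) separately, and the
    task execution role needs permission to read it.
    """
    fixed = copy.deepcopy(task_def)
    flagged = set(find_plaintext_secrets(task_def))
    for cdef in fixed.get("containerDefinitions", []):
        keep, moved = [], cdef.get("secrets", [])
        for env in cdef.get("environment", []):
            if (cdef.get("name"), env["name"]) in flagged:
                moved.append({"name": env["name"],
                              "valueFrom": f"{param_arn_prefix}/{env['name']}"})
            else:
                keep.append(env)
        cdef["environment"] = keep
        if moved:
            cdef["secrets"] = moved
    return fixed


# Constructed sample: the page's test task with two plaintext credentials added.
WEAK_TASK_DEF = {
    "family": "fargate-vulnerability-compliance-task",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [{
        "name": "Fargate-vul-comp-test",
        "image": "ubuntu:18.04",
        "essential": True,
        "environment": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
        ],
    }],
}

# Assumed SSM parameter path; adjust to your account and region.
PARAM_PREFIX = "arn:aws:ssm:us-east-1:012345678910:parameter/fargate-task"

if __name__ == "__main__":
    print("findings:", find_plaintext_secrets(WEAK_TASK_DEF))
    fixed = move_to_secrets(WEAK_TASK_DEF, PARAM_PREFIX)
    print(json.dumps(fixed["containerDefinitions"][0], indent=2))
```

After the rewrite the task definition holds only parameter references, so anyone who can read it (or the `aws ecs describe-task-definition` output) no longer sees the credential; the container still receives the variables at start-up.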

View compliance scan results

  1. Navigate to Monitor > Compliance > Images > Deployed and validate that the deployed image appears with an alerted compliance check.
  2. To see all images that are related to Fargate tasks, filter the image table by adding the Fargate:Select filter.
    You can also filter the results by a specific task name or a trailing wildcard, for example fargate-task or fargate-task*. Use the Hosts: filter to filter the table specifically by hosts.
  3. Search for the fargate-vulnerability-compliance-task Fargate task.
  4. Click the image to view its details:
    1. The associated vulnerabilities appear under the Vulnerabilities tab.
    2. Under the Compliance tab, see the following compliance issue: Image contains binaries used for crypto mining.
    3. See the related Fargate tasks under the Environment > Fargate Tasks tab. The Host column shows the number of hosts and Fargate tasks that this image is associated with.
    The Runtime, Layers, Processes info and Labels tabs are not supported for images scanned by Fargate Defenders.
