End-of-Life (EoL)

Amazon ECS

This guide shows you how to deploy Prisma Cloud in an ECS cluster with a single infrastructure node and two worker nodes. Console runs on the infrastructure node. An instance of Defender runs on each node in the cluster.
Console is the Prisma Cloud management interface. It runs as a service in your ECS cluster. The parameters of the service are described in a task definition, which is written in JSON.
Defender protects your containerized environment according to the policies you set in Prisma Cloud Console. It also runs as a service in your ECS cluster. To automatically deploy an instance of Defender on each node in your cluster, you run the Defender task as a daemon service.
The installation described in this article is meant to be highly available. Data is persisted across nodes. If an infrastructure node were to go down, ECS can reschedule the Console service on any healthy node, and Console will continue to have access to its state. To enable this capability, you’ll attach storage that’s accessible from each of your infrastructure nodes, and Amazon Elastic File System (EFS) is an excellent option.
When you have multiple infrastructure nodes, ECS can schedule Console on any of them. Defenders need a reliable way to connect to Console. A load balancer automatically directs traffic to the node where Console runs, and offers a stable interface that Defenders can use to connect to Console and that operators can use to access its web interface.
We assume you are deploying Prisma Cloud to the default VPC. If you are not using the default VPC, adjust your settings accordingly.
This guide assumes you know very little about AWS ECS. As such, it is extremely prescriptive, and includes the steps for building your cluster. If you are already familiar with AWS ECS and do not need assistance navigating the interface, simply read the section synopsis, which summarizes all key configurations.

Cluster context

Prisma Cloud can segment your environment by cluster. For example, you might have three clusters: test, staging, and production. The cluster pivot in Prisma Cloud lets you inspect resources and administer security policy on a per-cluster basis.

Cluster awareness across the product

Radar lets you explore your environment cluster-by-cluster. Various scan reports and audits include the relevant cluster name to provide environment context. You can also create stored filters (also known as collections) based on cluster names. Finally, you can scope policy by cluster. Vulnerability and compliance rules for container images and hosts, runtime rules for container images, and trusted images rules can all be scoped by cluster name.

Determine cluster name

Defenders in each DaemonSet are responsible for reporting which resources belong to which cluster. When deploying a Defender DaemonSet, Prisma Cloud tries to determine the cluster name through introspection. First, it tries to retrieve the cluster name from the cloud provider. As a fallback, it tries to retrieve the name from the kubeconfig file (the cluster name is taken from the server field). Finally, you can override both mechanisms by manually specifying a cluster name when deploying your Defender DaemonSet.
Both the Prisma Cloud UI and twistcli tool accept an option for manually specifying a cluster name. Let Prisma Cloud automatically detect the name for provider-managed clusters. Manually specify names for self-managed clusters, such as those built with kops.
There are some things to consider when manually naming clusters:
  • If you specify the same name for two or more clusters, they’re treated as a single cluster.
  • For GCP, if you have clusters with the same name in different projects, they’re treated as a single cluster. Consider manually specifying a different name for each cluster.
  • Manually specifying names isn’t supported in Manage > Defenders > Manage > DaemonSet. This page lets you deploy and manage DaemonSets directly from the Prisma Cloud UI. For this deployment flow, cluster names are retrieved from the cloud provider or the supplied kubeconfig only.
If you want to change the cluster name determined by Prisma Cloud Compute, or the name you set manually, you must redeploy the Defender DaemonSet and specify the new name. After the change, historical audit and incident records keep the cluster name from their creation time; the new name applies only to future records. Also, any collections you created using the old cluster name must be updated manually with the new name.

Download the Prisma Cloud software

The Prisma Cloud release tarball contains all the release artifacts.
  1. Download the latest recommended release.
  2. Retrieve the release tarball.
    $ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE_LINK>
  3. Unpack the Prisma Cloud release tarball.
    $ mkdir twistlock
    $ tar xvzf prisma_cloud_compute_edition_<VERSION>.tar.gz -C twistlock/

Create a cluster

Create an empty cluster named pc-ecs-cluster. Later, you will create launch configurations and auto-scaling groups to start EC2 instances in the cluster.
  1. Log into the AWS Management Console.
  2. Go to Services > Containers > Elastic Container Service.
  3. Click Create Cluster.
  4. Select Networking only, then click Next Step.
  5. Enter a cluster name, such as pc-ecs-cluster.
  6. Click Create.

Create a security group

Create a new security group named pc-security-group that opens the following ports. This security group will be associated with resources in your cluster.
Port   Description
8083   Prisma Cloud Console’s UI and API.
8084   Prisma Cloud secure websocket for Console-Defender communication.
2049   NFS for Prisma Cloud Console to access its state.
22     SSH for managing nodes.
The steps below open every one of these ports to Anywhere (0.0.0.0/0), which is the simplest configuration to get working but not one to keep. Harden it as required: limit port 22 to the source IPs your administrators use, limit NFS (2049) to the cluster nodes that mount the EFS file system, and limit 8084 to the nodes and load balancer that need to reach Console.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click NETWORK & SECURITY > Security Groups.
  3. Click Create Security Group.
  4. In Security group name, enter a name, such as pc-security-group.
  5. In Description, enter Prisma Cloud ports.
  6. In VPC, select your default VPC.
  7. Under the Inbound rules section, click Add Rule.
    1. Under Type, select Custom TCP.
    2. Under Port Range, enter 8083-8084.
    3. Under Source, select Anywhere.
  8. Click Add Rule.
    1. Under Type, select NFS.
    2. Under Source, select Anywhere.
  9. Click Add Rule.
    1. Under Type, select SSH.
    2. Under Source, select Anywhere.
  10. Click Create security group.

Create an EFS file system for Console