Amazon ECS

Upgrade Prisma Cloud running on Amazon ECS.
First upgrade Console. Console will then automatically upgrade all deployed Defenders for you. If you’ve disabled Defender auto-upgrade or if Console fails to upgrade one or more Defenders, manually upgrade your Defenders.
Console automatically upgrades most Defender types for you. If Console fails to upgrade one or more Defenders, you will see error messages in the
Manage > Defenders > Manage
tab. If you’ve created an alert for Defender health events, Console emits a message on the alert channel for any Defender that it fails to upgrade.

Upgrade Console

To upgrade Console, update the service with a new task definition that points to the latest image.
This procedure assumes you’re using images from Prisma Cloud’s registry. If you’re using your own private registry, push the latest Console image there first.

Copy the Prisma Cloud config file into place

  1. Download the latest recommended release to your local machine.
    $ wget <LINK_TO_CURRENT_RECOMMENDED_RELEASE_LINK>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  2. Unpack the Prisma Cloud release tarball.
    $ mkdir twistlock $ tar xvzf twistlock_<VERSION>.tar.gz -C twistlock/
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  3. Upload the twistlock.cfg files to the host that runs Console.
    $ scp twistlock.cfg <ECS_INFRA_NODE>:/twistlock_console/var/lib/twistlock-config
    Code copied to clipboard
    Unable to copy due to lack of browser support.

Create a new revision of the task definition

Create a new revision of the task definition.
  1. Log into the Amazon ECS console.
  2. In the left menu, click
    Task Definitions
    .
  3. Check the box for the Prisma Cloud Console task definition, and click
    Create new revision
    .
  4. Scroll to the bottom of the page and click
    Configure via JSON
    .
    1. Update the image field to point to the latest Console image.
      For example, if you were upgrading from Prisma Cloud version 2.4.88 to 2.4.95, simply change the version string in the image tag.
      "image": "registry-auth.twistlock.com/tw_<accesstoken>/twistlock/console:console_2_4_95"
      Code copied to clipboard
      Unable to copy due to lack of browser support.
    2. Click
      Save
      .
  5. Click
    Create
    .

Update the Console service

Update the Console service.
  1. In the left menu of the Amazon ECS console, click
    Clusters
    .
  2. Click on your cluster.
  3. Select the
    Services
    tab.
  4. Check the box next the Console service, and click
    Update
    .
  5. In
    Task Definition
    , select the version of the task definition that points to the latest Console image.
  6. Validate that
    Cluster
    ,
    Service name
    , and
    Number of tasks
    are correct. These values are set based on the values for the currently running task, so the defaults should be correct. The number of tasks must be 1.
  7. Set
    Minimum healthy percent
    to
    0
    .
    This lets ECS safely stop the single Console container so that it can start an updated Console container.
  8. Set
    Maximum percent
    to
    100
    .
  9. Click
    Next
    .
  10. In the
    Configure network
    page, accept the defaults, and click
    Next
    .
  11. In the
    Set Auto Scaling
    page, accept the defaults, and click
    Next
    .
  12. Click
    Update Service
    .
    It takes a few moments for the old Console service to be stopped, and for the new service to be started. Open Console, and validate that the UI shows new version number in the bottom left corner.
  13. Go to
    Manage > Defenders > Manage
    and validate that Console has upgraded your Defenders.
    If Console fails to upgrade any Defender, upgrade it manually.

Recommended For You