End-of-Life (EoL)
Scan Fargate tasks
AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts.
Each container is defined as part of a task and several containers can be run as part of the same task.
Prisma Cloud can scan your Fargate tasks for image vulnerabilities.
To see the scan report for your Fargate task images, go to Monitor > Vulnerabilities > Images and filter the table with Fargate:Select.
Prisma Cloud Compute labels all containers running within the same task as if they run on the same host.
For containers that are running in Fargate, the Host column will contain the Fargate task identifier.
Create vulnerability rules to scan Fargate tasks
Create a vulnerability rule for the Fargate tasks in scope.
- Log in to the Console.
- Go to Defend > Vulnerabilities > Images > Deployed.
- Click Add rule.
- Enter a rule name.
- Click Scope to select a relevant collection, or create a new one for your Fargate tasks:
  - Click Add collection.
  - Enter a collection name.
  - In the Hosts field, type the name of the required Fargate task, or use a postfix wildcard. For example: fargate, fargate-vulnerability-compliance-task.
  - Click Save.
- Select the new Fargate task collection.
- Click Select collection.
- Click Save. The Block action does not apply to Fargate tasks.
Deploy Fargate task
Deploy the fargate-vulnerability-compliance-task Fargate task (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.
Example Fargate task
You can use the following task definition to test Prisma Cloud’s Fargate Defender.
The task deploys an ubuntu:18.04 container and runs the command /bin/sh -c 'cp /bin/sleep /tmp/xmrig ...', which copies /bin/sleep to a file named xmrig and so triggers the "Image contains binaries used for crypto mining" compliance check.

{
  "containerDefinitions": [
    {
      "command": [
        "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
      ],
      "entryPoint": [ "sh", "-c" ],
      "essential": true,
      "image": "ubuntu:18.04",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/fargate-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "name": "Fargate-vul-comp-test",
      "portMappings": [
        { "containerPort": 80, "hostPort": 80, "protocol": "tcp" }
      ]
    }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [ "FARGATE" ]
}
View vulnerability scan results
View the scan results in Console.
If a Fargate task is run with a container whose user is not root, the vulnerability and compliance scan will encounter permission denied errors. These errors are not visible in the Console; they appear only in the downloaded Defender logs.
The scan continues even though these errors are encountered.
- Navigate to Monitor > Vulnerabilities > Images > Deployed and validate that the deployed image appears and contains vulnerabilities.
- To see all images that are related to Fargate tasks, filter the image table by adding the Fargate:Select filter. You can also filter the results by a specific task name or a postfix wildcard, for example: fargate-task OR fargate-task*. Use the Hosts: filter to filter the table specifically by hosts.
- Search for the fargate-vulnerability-compliance-task Fargate task.
- Click on the image to view the image details.
- The associated vulnerabilities appear under the Vulnerabilities tab.
- Under the Compliance tab, see the following compliance issue: Image contains binaries used for crypto mining.
- See the related Fargate tasks under the Environment > Fargate Tasks tab. The Host column shows the number of hosts and Fargate tasks that this image is associated with. The Runtime, Layers, Processes info and Labels tabs are not supported for images scanned by Fargate Defenders.
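An added pre-flight check, written for this page and not part of Prisma Cloud or its documentation, that applies two points from above to a task definition before it is deployed: whether the task family falls inside a collection's Hosts entries (exact name or postfix wildcard, as used when scoping the rule and when filtering the image table), and whether any container runs as a non-root user, which the scan tolerates but only reports in the Defender logs. The sample task definition and its "sidecar" container are constructed for the example; it also checks that the task actually targets FARGATE.

```python
import json

# Constructed sample task definition, modelled on the one on this page, plus a
# hypothetical second container that runs as a non-root user.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "fargate-vulnerability-compliance-task",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {"name": "Fargate-vul-comp-test", "image": "ubuntu:18.04", "essential": true},
    {"name": "sidecar", "image": "ubuntu:18.04", "user": "1000:1000"}
  ]
}
""")


def matches_collection(task_family, host_entries):
    """True if the family name matches an exact host entry or a postfix wildcard."""
    for entry in host_entries:
        if entry.endswith("*"):
            if task_family.startswith(entry[:-1]):
                return True
        elif task_family == entry:
            return True
    return False


def non_root_containers(task_def):
    """Names of containers whose 'user' is not root; their scan will log
    permission-denied errors that are only visible in the Defender logs."""
    flagged = []
    for container in task_def.get("containerDefinitions", []):
        uid = str(container.get("user", "root")).split(":")[0]
        if uid not in ("root", "0", ""):
            flagged.append(container["name"])
    return flagged


def check_task(task_def, host_entries):
    """Summarise whether a rule scoped to host_entries will cover this task."""
    return {
        "family": task_def.get("family"),
        "is_fargate": "FARGATE" in task_def.get("requiresCompatibilities", []),
        "in_scope": matches_collection(task_def.get("family", ""), host_entries),
        "non_root": non_root_containers(task_def),
    }


if __name__ == "__main__":
    print(json.dumps(check_task(SAMPLE_TASK_DEFINITION, ["fargate*"]), indent=2))
```

Run it against an exported task definition (aws ecs describe-task-definition output) to see, before deployment, whether the rule's collection will pick the task up and which containers will scan with permission errors.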