App-Embedded Defender for Fargate
App-Embedded Defenders for Fargate monitor your tasks to ensure they execute as designed, protecting tasks from suspicious processes and outbound network connections.
App-Embedded Defender policies let you define:
- Process allow or deny lists. Enables verification of launched processes against policy.
- Outgoing connections allow or deny lists. Enables verification of domain name resolution against policy for outgoing network connections.
Besides runtime policy, you can also configure the WAAS application firewall to protect front-end Fargate tasks.
When you embed the App-Embedded Defender into your Fargate task, Prisma Cloud modifies the task definition. The updated task definition includes a Prisma Cloud sidecar container. The sidecar container handles all communication with Console, including retrieving policies and sending audits. It also hosts the App-Embedded Defender binaries, which are shared with the task’s other containers through a shared volume. The embed process modifies each containerDefinition to:
- Mount the Prisma Cloud sidecar container’s shared volume to gain access to the App-Embedded Defender binaries.
- Start the original entrypoint command under the control of App-Embedded Defender.
App-Embedded Defenders do not communicate directly with Console. All communication is proxied through the Prisma Cloud sidecar container. The following diagram illustrates the setup:
WAAS for Fargate
All the capabilities of standard WAAS are available for Fargate tasks. The only difference is that Fargate Defenders run as a reverse proxies to all other containers in the task. As such, when you set up WAAS for Fargate, you must specify the exposed external port where Fargate Defender can listen, and the port (not exposed to the Internet) where your web application listens. WAAS for Fargate forwards the filtered traffic to your application port - unless an attack is detected and you chose
Preventin your WAAS for Fargate rule.
For more information on the type of attacks that Prisma Cloud detects and prevents, see Prisma Cloud WAAS.
Securing Fargate tasks
To secure a Fargate task, embed the Prisma Cloud Fargate Defender into it. The steps are:
- Define your policy in Prisma Cloud Console. By default, there are no rules in the App-Embedded runtime policy. App-Embedded Defenders dynamically retrieve policies from Console as they are updated. You can embed the App-Embedded Defender into a task with very simple initial policies, then refine them later as needed.
- Embed the Fargate Defender into your task definition.
- Start the service.
When securing Fargate tasks with runtime rules and WAAS, target rules to tasks using the
Scopefields. For runtime, scope rules by image and container name. Policy is applied per-container in the task.
For WAAS, scope rules by App ID. Policy is applied per-task. The WAAS firewall listens on a specific port, and since all containers run in the same network n