Runtime defense for App-Embedded

App-Embedded Defenders monitor your App-Embedded containers including AWS Fargate tasks to ensure they execute as designed, protecting containers from running suspicious processes or making suspicious network connections.
Policies let you define:
  • Allow process activity. Enables verification of launched processes against policy.
  • Allow networking activity. Enables verification of domain name resolution, and inbound and outbound network connections.
  • Configure custom rules policy. For details refer to Custom runtime rules.
Besides runtime policy, you can also configure the WAAS application firewall to protect front-end Fargate containers.

Securing your App-Embedded containers

To secure App-Embedded containers including Fargate tasks, embed the Prisma Cloud App-Embedded Defender into it. The steps are:
  1. Define your policy in Prisma Cloud Console under
    Defend > Runtime > App-Embedded policy
  2. Embed the App-Embedded Defender into your Container or task definition.
  3. Start the service.

Securing Fargate tasks

The following provides an example for how to secure your AWS Fargate tasks.

Defining your policy

Add runtime protection for your App-Embedded by defining a runtime rule for it in Prisma Cloud Console.
Prisma Cloud ships with a default App-Embedded runtime policy. App-Embedded Defenders dynamically retrieve policies from Console as they are updated. You can embed App-Embedded Defender into a task/container with empty or very simple initial policies, and refine them as needed later.
This procedure demonstrates how to block the
Sample task
(in the next paragraph, from executing a new process and establishing outbound network connections. You will create a new rule that prevents mkdir from running in the container named twistlock-fargate-task, and blocks outbound network requests to If you’ve got your own task, configure the rule to meet your own specific objectives. By default, new rules apply to all images and containers (*), but you can target them to specific images or containers using pattern matching.
  1. Log into Prisma Cloud Console.
  2. Go to
    Defend > Runtime > App Embedded Policy
  3. Click
    Add rule
    1. Enter a rule name.
    2. By default, the rule applies to all images and all containers.
      Target the rule to specific images or containers. A task definition declares the container name in the containerDefinitions→name field.
    3. Click the
    4. Enable
    5. Set
    6. Add to the
      DNS allow list