Deploy Orchestrator Defenders on Amazon ECS
This guide shows you how to deploy Prisma Cloud Defenders in an Amazon ECS cluster.
The Defender protects your containerized environment according to the policies you set in Prisma Cloud Console.
It runs as a service in your ECS cluster. The parameters of the service are described in a task definition written in JSON.
To automatically deploy an instance of Defender on each node in your cluster, you run the Defender task as a service with the Daemon scheduling strategy, so that ECS places exactly one Defender on every container instance, including instances that auto scaling adds later.
The Defender deployment process consists of the following steps.
- Create worker nodes in your ECS cluster.
- Create a task definition for the Prisma Cloud Defender.
- Create a service of type Daemon to deploy Defender to every node in the cluster.
If you have not yet provisioned a cluster, this guide also includes the steps you need to take in AWS before you deploy the Defender.
If you already have an ECS cluster with worker nodes and are familiar with the AWS interface, skip directly to creating the Defender task definition.
Before you create the task definition, ensure that the launch configuration for your worker nodes in ECS does the following.
- Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.
- Uses the ecsInstanceRole IAM role.
- Runs the following user data script so that each worker node joins the cluster:

  #!/bin/bash
  echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config

ECS_CLUSTER must match your cluster name. Replace pc-ecs-cluster with the name of the cluster where you create launch configurations and auto scaling groups to start EC2 instances for Prisma Cloud, and modify your user data scripts accordingly. The script only registers the node with the cluster; Defender itself is installed by the daemon service you create at the end of this guide, which is why every node must join the cluster first. To better understand clusters, read our cluster context topic.
Create your ECS Cluster
Create an empty cluster named pc-ecs-cluster. This is the cluster where you will create launch configurations and auto scaling groups to start EC2 instances.
- Log into the AWS Management Console.
- Go to Services > Containers > Elastic Container Service.
- Click Create Cluster.
- Select Networking only, then click Next Step.
- Enter a cluster name, such as pc-ecs-cluster.
- Click Create.
Create a launch configuration for worker nodes
Create a launch configuration named pc-worker-node that:
- Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.
- Uses the ecsInstanceRole IAM role.
- Runs a user data script that joins each instance to pc-ecs-cluster, so that the Defender daemon service can later schedule a task onto it.
- Go to Services > Compute > EC2.
- In the left menu, click Auto Scaling > Launch Configurations.
- Click Create Launch Configuration.
- In Name, enter a name for your launch configuration, such as pc-worker-node.
- In Amazon machine image, select Amazon ECS-Optimized Amazon Linux 2 AMI. You can get a complete list of per-region Amazon ECS-optimized AMIs from here.
- Choose an instance type, such as t2.medium.
- Under Additional configuration:
- In IAM instance profile, select ecsInstanceRole.
- Under User data, select Text, and paste the following code snippet:

  #!/bin/bash
  echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config

Where:
- ECS_CLUSTER must match your cluster name. If you named your cluster something other than pc-ecs-cluster, modify your user data script accordingly.
- (Optional) In IP Address Type, select Assign a public IP address to every instance. With this option, you can easily SSH to the instance to troubleshoot issues; it also makes the node reachable from the internet, so restrict inbound access in the security group to what you actually need.
- Under Security groups:
- Select Select an existing security group.
- Select pc-security-group.
- Under Key pair (login), select an existing key pair, or create a new key pair so that you can access your instances.
- Click Create launch configuration.
Create an auto scaling group for worker nodes
Launch two worker nodes into your cluster.
- Go to Services > Compute > EC2.
- In the left menu, click Auto Scaling > Auto Scaling Groups.
- Click Create an Auto Scaling group.
- In Choose launch template or configuration:
- In Auto Scaling group Name, enter pc-worker-autoscaling.
- In Launch template, click Switch to launch configuration.
- Select pc-worker-node.
- Click Next.
- Under Configure settings:
- In VPC, select your default VPC.
- In Subnet, select a public subnet, such as 172.31.0.0/20.
- Click Next.
- In Configure advanced options, accept the defaults, and click Next.
- In Configure group size and scaling policies:
- Set Desired capacity to 2.
- Leave Minimum capacity at 1.
- Set Maximum capacity to 2.
- Click Skip to review.
- Review the configuration and click Create Auto Scaling Group. After the auto scaling group spins up (it takes some time), validate that your cluster has two container instances, one per worker node.
- Go to Services > Containers > Elastic Container Service.
- The count for Container instances in your cluster should now be 2.
Create a Prisma Cloud Defender task definition
Generate a task definition for Defender in Prisma Cloud Console.
- Log into Prisma Cloud Compute Console.
- Go to Manage > Defenders > Deploy > Defenders.
- In Deployment method, select Orchestrator.
- For orchestrator type, select ECS.
- In Specify a cluster name, leave the field blank. The Prisma Cloud Console automatically retrieves the cluster name from AWS. Only enter a value if you want to override the cluster name assigned in AWS.
- In Specify ECS task name, leave the field blank. By default, the task name is pc-defender.
- Click Download to download the task definition.
- Log into AWS.
- Go to Services > Containers > Elastic Container Service.
- In the left menu, click Task Definitions.
- Click Create new Task Definition.
- In Step 1: Select launch type compatibility, select EC2, then click Next step.
- In Step 2: Configure task and container definitions, scroll to the bottom of the page and click Configure via JSON.
- Delete the contents of the window, and replace it with the Prisma Cloud Console task definition you just generated.
- Click Save.
- (Optional) Change the name of the task definition before creating it. The default name is pc-defender.
- Click Create.
Start the Prisma Cloud Defender Service
Create the Defender service using the task definition. With Daemon scheduling, ECS schedules one Defender per node.
- Go to Services > Containers > Elastic Container Service.
- In the left menu, click Clusters.
- Click your cluster.
- In the Services tab, click Create.
- In Step 1: Configure service:
- For Launch type, select EC2.
- For Task Definition, select pc-defender.
- In Service Name, enter pc-defender.
- In Service Type, select Daemon.
- Click Next Step.
- In Step 2: Configure network, accept the defaults, and click Next step.
- In Step 3: Set Auto Scaling, accept the defaults, and click Next step.
- In Step 4: Review, click Create Service.
- Click View Service.
- Verify that you have Defenders running on each node in your ECS cluster: the number of running tasks in the service should equal the number of container instances in the cluster.
- Go to your Prisma Cloud Console and view the list of Defenders in Compute > Manage > Defenders > Manage. There should be two new Defenders that have been connected for a few minutes, one for each ECS instance in the cluster.
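The console procedure above, reproduced with the AWS CLI as an added example; this script is not part of the Prisma Cloud documentation or product. It assumes the AWS CLI is configured for the target account, that the ecsInstanceRole instance profile, the security group and an EC2 key pair already exist (SG_ID, SUBNET_ID and KEY_NAME are placeholders you must set), and that pc-defender.json is the task definition you downloaded from Console. Run it with apply to create the cluster, launch configuration, auto scaling group, task definition and daemon service; with verify to compare registered container instances against running Defender tasks; or with no arguments to load only the helper functions. AWS now steers new accounts toward launch templates rather than launch configurations, so adapt the launch configuration step if your account cannot create one.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling: AWS CLI equivalent of the
# console steps for deploying Defender as an ECS daemon service.
# Assumptions: AWS CLI configured; ecsInstanceRole instance profile exists;
# SG_ID / SUBNET_ID / KEY_NAME below are placeholders to replace;
# pc-defender.json is the task definition downloaded from Console.
set -u

CLUSTER="${CLUSTER:-pc-ecs-cluster}"                 # must match ECS_CLUSTER in user data
LAUNCH_CONFIG="${LAUNCH_CONFIG:-pc-worker-node}"
ASG_NAME="${ASG_NAME:-pc-worker-autoscaling}"
TASK_DEF_FILE="${TASK_DEF_FILE:-pc-defender.json}"   # downloaded from Console
TASK_FAMILY="${TASK_FAMILY:-pc-defender}"            # default task name from Console
SERVICE_NAME="${SERVICE_NAME:-pc-defender}"
INSTANCE_TYPE="${INSTANCE_TYPE:-t2.medium}"
SG_ID="${SG_ID:-sg-0123456789abcdef0}"               # placeholder: ID of pc-security-group
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"   # placeholder: a public subnet
KEY_NAME="${KEY_NAME:-pc-worker-key}"                # placeholder: existing EC2 key pair

# ECS cluster names allow letters, digits, hyphens and underscores (max 255).
validate_cluster_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,255}$'
}

# Emit the user data script from the guide. Its only job is to register the
# instance with the named cluster; Defender is installed by the daemon service.
user_data() {
  validate_cluster_name "$1" || return 1
  printf '#!/bin/bash\necho ECS_CLUSTER=%s >> /etc/ecs/ecs.config\n' "$1"
}

# A daemon service is healthy when exactly one Defender task runs per
# registered container instance. Returns 0 when counts match and are non-zero.
daemon_coverage_ok() {
  instances="$1"; running="$2"
  [ "$instances" -gt 0 ] && [ "$instances" -eq "$running" ]
}

deploy_all() {
  ud_file="$(mktemp)"
  user_data "$CLUSTER" > "$ud_file"

  # Step 1: the empty cluster named in the user data.
  aws ecs create-cluster --cluster-name "$CLUSTER"

  # Step 2: launch configuration on the current ECS-optimized Amazon Linux 2 AMI.
  ami="$(aws ssm get-parameters \
    --names /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id \
    --query 'Parameters[0].Value' --output text)"
  aws autoscaling create-launch-configuration \
    --launch-configuration-name "$LAUNCH_CONFIG" \
    --image-id "$ami" --instance-type "$INSTANCE_TYPE" \
    --iam-instance-profile ecsInstanceRole \
    --security-groups "$SG_ID" --key-name "$KEY_NAME" \
    --associate-public-ip-address \
    --user-data "file://$ud_file"

  # Step 3: two worker nodes (desired 2, min 1, max 2, as in the guide).
  aws autoscaling create-auto-scaling-group \
    --auto-scaling-group-name "$ASG_NAME" \
    --launch-configuration-name "$LAUNCH_CONFIG" \
    --min-size 1 --max-size 2 --desired-capacity 2 \
    --vpc-zone-identifier "$SUBNET_ID"

  # Step 4: register the Console-generated task definition unchanged (EC2 launch type).
  aws ecs register-task-definition --cli-input-json "file://$TASK_DEF_FILE"

  # Step 5: DAEMON scheduling places one Defender on every container instance;
  # --desired-count must not be given with DAEMON.
  aws ecs create-service --cluster "$CLUSTER" --service-name "$SERVICE_NAME" \
    --task-definition "$TASK_FAMILY" --launch-type EC2 \
    --scheduling-strategy DAEMON
  rm -f "$ud_file"
}

# Verification: registered container instances vs running Defender tasks.
verify_deployment() {
  instances="$(aws ecs describe-clusters --clusters "$CLUSTER" \
    --query 'clusters[0].registeredContainerInstancesCount' --output text)"
  running="$(aws ecs describe-services --cluster "$CLUSTER" \
    --services "$SERVICE_NAME" --query 'services[0].runningCount' --output text)"
  if daemon_coverage_ok "$instances" "$running"; then
    echo "OK: $running Defender task(s) on $instances container instance(s)"
  else
    echo "MISMATCH: $instances container instance(s) but $running Defender task(s)" >&2
    return 1
  fi
}

case "${1:-}" in
  apply)  deploy_all && verify_deployment ;;
  verify) verify_deployment ;;
  *)      : ;;   # no arguments: only define the functions
esac
```

The verification step is the check worth keeping after the initial rollout: a node whose user data names the wrong cluster never registers, and a node that registers but cannot pull or start the Defender image shows up as a container instance without a matching running task, so the two counts diverging is the first sign that a host is unprotected.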