1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Install
    6. Amazon ECS

    Amazon ECS

    This guide shows you how to deploy Prisma Cloud Defenders in an ECS cluster.
    Defender protects your containerized environment according to the policies you set in Prisma Cloud Console. It runs as a service in your ECS cluster. The parameters of the service are described in a task definition, and the task definition is written in JSON format. To automatically deploy an instance of Defender on each node in your cluster, you’ll run the Defender task as a daemon service.
    This guide assumes you know very little about AWS ECS. As such, it is extremely prescriptive, and includes step for building your cluster. If you are already familiar with AWS ECS and do not need assistance navigating the interface, simply read the section synopsis, which summarizes all key configurations. To better understand clusters, read our cluster context topic.

    Create a cluster

    Create an empty cluster named pc-ecs-cluster. Later, you will create launch configurations and auto-scaling groups to start EC2 instances in the cluster.
    1. Log into the AWS Management Console.
    2. Go to
      Services > Containers > Elastic Container Service
      .
    3. Click
      Create Cluster
      .
    4. Select
      Networking only
      , then click
      Next Step
      .
    5. Enter a cluster name, such as
      pc-ecs-cluster
      .
    6. Click
      Create
      .

    Deploy Defender

    Create worker nodes in your ECS cluster, create a task definition for the Prisma Cloud Defender, and then create a service of type Daemon to deploy Defender to every node in the cluster.
    If you already have worker nodes in your cluster, skip directly to creating the Defender task definition.

    Create a launch configuration for worker nodes

    Create a launch configuration named pc-worker-node that:
    • Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.
    • Uses the ecsInstanceRole IAM role.
    • Runs a user data script that joins the pc-ecs-cluster and runs the commands required to install Defender.
    1. Go to
      Services > Compute > EC2
      .
    2. In the left menu, click
      Auto Scaling > Launch Configurations
      .
    3. Click
      Create Launch Configuration
    4. In
      Name
      , enter a name for your launch configuration, such as
      pc-worker-node
      .
    5. In Amazon machine image, select
      Amazon ECS-Optimized Amazon Linux 2 AMI
      .
      You can get a complete list of per-region Amazon ECS-optimized AMIs from here.
    6. Choose an instance type, such as
      t2.medium
      .
    7. Under
      Additional configuration
      :
      1. In
        IAM instance profile
        , select
        ecsInstanceRole
        .
      2. Under
        User data
        , select
        Text
        , and paste the following code snippet:
        #!/bin/bash
echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config
        Where:
        • ECS_CLUSTER must match your cluster name. If you’ve named your cluster something other than pc_ecs_cluster, then modify your user data script accordingly.
      3. (Optional) In
        IP Address Type
        , select
        Assign a public IP address to every instance
        .
        With this option, you can easily SSH to this instance to troubleshoot issues.
    8. Under
      Security groups
      :
      1. Select
        Select an existing security group
        .
      2. Select
        pc-security-group
        .
    9. Under
      Key pair (login)
      , select an existing key pair, or create a new key pair so that you can access your instances.
    10. Click
      Create launch configuration
      .

    Create an auto scaling group for worker nodes

    Launch two worker nodes into your cluster.
    1. Go to
      Services > Compute > EC2
      .
    2. In the left menu, click
      Auto Scaling > Auto Scaling Groups
      .
    3. Click
      Create an Auto Scaling group
      .
    4. In
      Choose launch template or configuration
      :
      1. In
        Auto Scaling group Name
        , enter
        pc-worker-autoscaling
        .
      2. In
        Launch template
        , click
        Switch to launch configuration
        .
      3. Select
        pc-worker-node
        .
      4. Click
        Next
        .
    5. Under
      Configure settings
      :
      1. In
        VPC
        , select your default VPC.
      2. In
        Subnet
        , select a public subnet, such as 172.31.0.0/20.
      3. Click
        Next
        .
    6. In
      Configure advanced options
      , accept the defaults, and click
      Next
      .
    7. In
      Configure group size and scaling policies
      :
      1. Set
        Desired capacity
         to
        2
        .
      2. Leave
        Minimum capacity
         at
        1
        .
      3. Set
        Maximum capacity
         to
        2
        .
      4. Click
        Skip to review
        .
    8. Review the configuration and click
      Create Auto Scaling Group
      .
      After the auto scaling group spins up (it will take some time), validate that your cluster has three container instances.
      1. Go to
        Services > Containers > Elastic Container Service
        .
      2. The count for
        Container instances
         in your cluster should now be a total of two.

    Create a Prisma Cloud Defender task definition

    Generate a task definition for Defender in Prisma Cloud Console.
    1. Log into Prisma Cloud Compute Console.
    2. Go to
      Manage > Defenders > Deploy > Defenders
      .
    3. In
      Deployment method
      , select
      Orchestrator
      .
    4. For orchestrator type, select
      ECS
      .
    5. In
      Specify a cluster name
      , leave the field blank.
      Console will automatically retrieve the cluster name from AWS. Only enter a value if you want to override the cluster name assigned in AWS.
    6. In
      Specify ECS task name
      , leave the field blank.
      By default, the task name is
      pc-defender
      .
    7. Click
      Download
       to download the task definition.
    8. Log into AWS.
    9. Go to
      Services > Containers > Elastic Container Service
      .
    10. In the left menu, click
      Task Definitions
      .
    11. Click
      Create new Task Definition
      .
    12. In
      Step 1: Select launch type compatibility
      , select
      EC2
      , then click
      Next step
      .
    13. In
      Step 2: Configure task and container definitions
      , scroll to the bottom of the page and click
      Configure via JSON
      .