Amazon ECS

This quickstart guide shows you how to deploy Prisma Cloud defenders on a simple cluster that has two worker nodes.
Defender protects your containerized environment according to the policies you set in Prisma Cloud Console.
To automatically deploy an instance of Defender on each worker node in your cluster, you will use a user data script in the worker node launch configuration. User data scripts run custom configuration commands when a new instance is started. You will set up the user data script to call the Prisma Cloud API to download, install, and start Defender.
This guide assumes you know very little about AWS ECS. As such, it is extremely prescriptive. If you are already familiar with AWS ECS and do not need assistance navigating the interface, simply read the section synopsis, which summarizes all key configurations.
We assume you are deploying Prisma Cloud to the default VPC. If you are not using the default VPC, adjust your settings accordingly.

Key details

There are a number of AWS resource identifiers and other details that are used throughout the install procedure. Create a list of the following details for easy retrieval during the installation process.
  • Cluster name: retain this after creating the ECS cluster. Default value: pc-ecs-cluster.
  • Security group name: retain this after creating the security group. Default value: pc-security-group.
  • Mount command for Defender EFS: retain this after creating an EFS file system for Defender.
  • Console: retain this when instructed how to retrieve the Console API address.
  • Token: retain this when instructed how to retrieve the authentication API token.
  • installBundle: retain this when instructed how to retrieve the installBundle.
  • Access Token: access token for Prisma Cloud.
  • Version: the version of Prisma Cloud you are currently using, for example 20_04_169.

Create a cluster

Create an empty cluster named pc-ecs-cluster. Later, you will create launch configurations and auto scaling groups to start EC2 instances in the cluster.
  1. Log into the AWS Management Console.
  2. Go to Services > Containers > Elastic Container Service.
  3. Click Create Cluster.
  4. Select EC2 Linux + Networking, then click Next Step.
  5. Enter a cluster name, such as pc-ecs-cluster.
  6. Select Create an empty cluster.
  7. Click Create.

Create a security group

Create a new security group named pc-security-group that opens port 8084. This security group will be associated with the EC2 instances started in your cluster.
Defender and Console communicate over a secure web socket on port 8084.
An inbound connection on port 2049 is required so that the worker nodes can mount the EFS file system over NFS.
Open port 22 so that you can SSH to any machine in the cluster.
Additional hardening can be applied to the rules below as desired, for example restricting port 22 to the IP addresses from which you plan to connect to your instances over SSH.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click NETWORK & SECURITY > Security Groups.
  3. Click Create Security Group.
  4. In Security group name, enter a name, such as pc-security-group.
  5. In Description, enter Prisma Cloud ports.
  6. In VPC, select your default VPC.
  7. Under the Inbound rules section, click Add Rule.
    1. Under Type, select Custom TCP.
    2. Under Port Range, enter 2049.
    3. Under Source, select Anywhere.
  8. Under the Inbound rules section, click Add Rule.
    1. Under Type, select SSH.
    2. Under Source, select Anywhere.
  9. Click Create.

Create EFS file system for Defender

Create the Defender EFS file system, then capture the mount command that will be used to mount the file system on every worker node.
The EFS file system and ECS cluster must be in the same VPC and security group.
  1. Log into the AWS Management Console.
  2. Go to Services > Storage > EFS.
  3. Click Create File System.
  4. Select a VPC, select pc-security-group for each mount target, then click Next Step.
  5. Enter a value for Name, such as pc-efs-defender, then click Next Step.
  6. For Configure client access, keep the default settings and click Next Step.
  7. Review your settings and select Create file system.
  8. Click the Amazon EC2 mount instructions (from local VPC) link, copy the mount command (Using the NFS client), and set it aside as the Defender mount command. You will use this mount command to configure your launch configuration for the Defenders.

Deploy Defender

You are now ready to deploy your worker nodes. You will create worker nodes that run in the cluster, an ECS task definition for the Prisma Cloud Defender, and then a service of type Daemon to ensure that Defender is deployed on every node in your ECS cluster.

Copy Defender’s certificates into place

Get the certificates Defender requires to securely connect to Console, and then copy them to the EFS partition that worker nodes will mount.
  1. Retrieve Console’s API address (CONSOLE):
    1. Sign into Prisma Cloud.
    2. Go to Compute > Manage > System > Downloads.
    3. Copy and retain the URL under Path to Console.
  2. Retrieve the API access token:
    1. Sign into Prisma Cloud.
    2. Go to Compute > Manage > Authentication > User Certificates.
    3. Copy and retain the API token.
  3. Mount the Defender EFS file system temporarily on a system of your choosing. Use the mount command you saved when you created your EFS file system, replacing the efs target given in the sample mount command with /twistlock_certificates.
  4. Retrieve the service parameter from the Prisma Cloud API:
    $ curl -k -s \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer <token>' \
        -X GET \
        https://<Console>/api/v1/certs/service-parameter \
        -o service-parameter
    • Replace <Console> with the retrieved Console address.
    • Replace <token> with the retrieved API token.
  5. Retrieve the server certificates bundle from the Prisma Cloud API, and extract the bundle to files:
    $ curl -k \
        -H 'Authorization: Bearer <token>' \
        -X GET \
        https://<Console>/api/v1/certs/server-certs.sh | sh
    • Replace <Console> with the retrieved Console address.
    • Replace <token> with the retrieved API token.
  6. Ensure the jq package is installed.
  7. Retrieve and retain the installBundle from the Prisma Cloud API:
    $ curl -k \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer <token>' \
        -X GET \
        '<Console>/api/v1/defenders/install-bundle?consoleaddr=<Console>' | jq -r '.installBundle'
    • Replace <Console> with the retrieved Console address.
    • Replace <token> with the retrieved API token.
  8. Copy the following files to the Defender EFS file system under /twistlock_certificates:
    • service-parameter
    • ca.pem
    • client-cert.pem
    • client-key.pem
  9. Set the ownership and permissions for each file under /twistlock_certificates:
    $ sudo chown root:root ca.pem client-cert.pem client-key.pem service-parameter
    $ sudo chmod 600 ca.pem client-cert.pem client-key.pem service-parameter
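Steps 8 and 9 above, as an added example that is not part of the Prisma Cloud documentation: a POSIX shell script that copies the four files obtained in steps 4 to 7 into the mounted Defender EFS directory, then verifies the result (every file present and non-empty, mode 0600, expected owner, PEM markers present) so a misconfigured mount is caught before the worker nodes launch. It assumes the files sit in the current directory and that the EFS is mounted at the path passed as the first argument; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud docs. Stages and verifies the
# Defender certificate files in a mounted EFS directory.

REQUIRED_FILES="service-parameter ca.pem client-cert.pem client-key.pem"

# stage_defender_certs DIR: copy the required files from the current directory
# into DIR with mode 0600. Ownership is set to root:root only when running as
# root, because chown fails otherwise.
stage_defender_certs() {
    dir="$1"
    for f in $REQUIRED_FILES; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        cp "$f" "$dir/$f" || return 1
        chmod 600 "$dir/$f" || return 1
        if [ "$(id -u)" -eq 0 ]; then chown root:root "$dir/$f" || return 1; fi
    done
}

# verify_defender_certs DIR [OWNER]: check every required file in DIR is
# non-empty, mode 0600 and owned by OWNER (default root), and that the
# certificate and key files carry PEM markers. Prints one line per problem
# and returns non-zero if anything is wrong.
verify_defender_certs() {
    dir="$1"; owner="${2:-root}"; rc=0
    for f in $REQUIRED_FILES; do
        p="$dir/$f"
        if [ ! -s "$p" ]; then echo "missing or empty: $p"; rc=1; continue; fi
        mode=$(stat -c '%a' "$p")
        [ "$mode" = "600" ] || { echo "bad mode $mode on $p (want 600)"; rc=1; }
        who=$(stat -c '%U' "$p")
        [ "$who" = "$owner" ] || { echo "bad owner $who on $p (want $owner)"; rc=1; }
    done
    for f in ca.pem client-cert.pem; do
        grep -q 'BEGIN CERTIFICATE' "$dir/$f" 2>/dev/null \
            || { echo "$f does not contain a PEM certificate"; rc=1; }
    done
    grep -q 'BEGIN .*PRIVATE KEY' "$dir/client-key.pem" 2>/dev/null \
        || { echo "client-key.pem does not contain a PEM private key"; rc=1; }
    return $rc
}
```

Run as root on the host where the EFS is mounted at /twistlock_certificates, `stage_defender_certs /twistlock_certificates && verify_defender_certs /twistlock_certificates` reproduces step 9 and confirms nothing is left world-readable.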

Create a launch configuration for worker nodes

Create a launch configuration named pc-worker-node that:
  • Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.
  • Uses the ecsInstanceRole IAM role.
  • Runs a user data script that joins the pc-ecs-cluster and runs the commands required to install Defender.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click AUTO SCALING > Launch Configurations.
  3. Click Create Launch Configuration.
  4. Choose an AMI:
    1. Click AWS Marketplace.
    2. In the search box, enter Amazon ECS-Optimized Amazon Linux 2 AMI.
    3. Click Select for Amazon ECS-Optimized Amazon Linux 2 AMI.
  5. Choose an instance type:
    1. Select t2.medium.
    2. Click Next: Configure details.
  6. Configure details:
    1. In Name, enter a name for your launch configuration, such as pc-worker-node.
    2. In IAM role, select ecsInstanceRole.
    3. Select Enable CloudWatch detailed monitoring.
    4. Expand Advanced Details.
    5. In User Data, enter the following text:
      #!/bin/bash
      echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config
      yum install -y nfs-utils
      mkdir /twistlock_certificates
      chown root:root /twistlock_certificates
      chmod 700 /twistlock_certificates
      <DEFENDER_MOUNT_COMMAND> /twistlock_certificates
      Where:
      • ECS_CLUSTER must match your cluster name. If you’ve named your cluster something other than pc-ecs-cluster, then modify your User Data script accordingly.
      • <DEFENDER_MOUNT_COMMAND> is the mount command you copied from the AWS Management Console after creating your Defender EFS file system. The mount target must be /twistlock_certificates, replacing the efs mount target provided in the sample mount command.
    6. (Optional) Under IP Address Type, select Assign a public IP address to every instance. With this option, you can easily SSH to any worker node instance and troubleshoot issues.
    7. Click Next: Add Storage.
  7. Add Storage:
    • Accept the defaults, and click Next: Configure Security Group.
  8. Configure security group:
    1. Under Assign a security group, choose Select an existing security group.
    2. Select pc-security-group.
    3. Click Review.
  9. Review:
    • Review the configuration and select Create launch configuration.
  10. Select an existing key pair, or create a new key pair so that you can access your instance.

Create an auto scaling group for the worker nodes

Launch two worker nodes into your cluster.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click AUTO SCALING > Auto Scaling Groups.
  3. Click Create Auto Scaling group:
    1. Select Launch Configuration.
    2. Select pc-worker-node.
    3. Click Next Step.
  4. Configure Auto Scaling group details:
    1. In Group Name, enter pc-worker-autoscaling.
    2. Set Group size to 2.
    3. Under Network, select your default VPC.
    4. Under Subnet, select a public subnet, such as 172.31.0.0/20.
    5. Click Next: Configure scaling policies.
  5. Configure scaling policies:
    1. Select Keep this group at its initial size.
    2. Click Next: Configure Notifications.
  6. Configure Notifications:
    1. Click Next: Configure Tags.
  7. Configure Tags:
    1. Under Key, enter Name.
    2. Under Value, enter pc-worker-node.
    3. Click Review.
  8. Review the configuration and click Create Auto Scaling Group.
  9. After the auto scaling group spins up (it will take some time), validate that your cluster has two container instances.
    1. Go to Services > Containers > Elastic Container Service.
    2. The count for Container instances in your cluster should now be a total of two.

Create a Prisma Cloud Defender task definition

Prisma Cloud provides a task definition template for Defender. Download the template, then update the variables specific to your environment. Finally, load the task definition in ECS.
  1. Update the value for image to point to Prisma Cloud’s cloud registry. Replace the following placeholder strings with the appropriate values:
    • <ACCESS-TOKEN>: your Prisma Cloud access token. All characters must be lowercase. To convert your access token to lowercase, run:
      $ echo <ACCESS-TOKEN> | tr '[:upper:]' '[:lower:]'
    • <VERSION>: version of the Console image to retrieve and install. For example, 19_03_321.
    • <cloud-console>: the URL retrieved for your Console (without the virtual directory). The final wss value would look similar to wss://us-west1.cloud.twistlock.com/us-0-123456789
    • <INSTALL-BUNDLE>: output from the installBundle endpoint.
  2. Go to Services > Containers > Elastic Container Service.
  3. In the left menu, click Task Definitions.
  4. Click Create new Task Definition.
  5. In Step 1: Select launch type compatibility, select EC2, then click Next step.
  6. In Step 2: Configure task and container definitions, scroll to the bottom of the page and click Configure via JSON.
  7. Delete the contents of the window, and replace it with the Prisma Cloud Defender task definition.
  8. Click Save.
    1. (Optional) Change the task definition name before creating. The JSON will default the name to pc-defender.
  9. Click Create.
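The placeholder substitution in step 1, as an added example that is not part of the Prisma Cloud documentation: a POSIX shell function that fills the four placeholders from the docs (<ACCESS-TOKEN>, <VERSION>, <cloud-console>, <INSTALL-BUNDLE>) into a task definition template, lowercases the access token as the docs require, rejects a version or Console address in the wrong form, and refuses to emit a definition that still contains an unreplaced placeholder. The miniature template JSON and its key names are constructed for this example and are not the real Prisma Cloud template; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud docs. Renders the Defender task
# definition template and fails closed on bad or missing substitutions.

# Escape a value for use as a sed replacement with '|' as the delimiter.
sed_escape() {
    printf '%s' "$1" | sed 's/[|&\\]/\\&/g'
}

# render_task_definition TEMPLATE_FILE ACCESS_TOKEN VERSION CONSOLE_URL INSTALL_BUNDLE
# Prints the rendered JSON on success. The access token is lowercased because
# the registry path must be all lowercase; VERSION must look like 19_03_321;
# CONSOLE_URL must be the wss:// address the docs describe.
render_task_definition() {
    tpl="$1"; token=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    version="$3"; console="$4"; bundle="$5"
    case "$version" in
        [0-9][0-9]_[0-9][0-9]_[0-9]*) ;;
        *) echo "bad version format: $version" >&2; return 1 ;;
    esac
    case "$console" in
        wss://*) ;;
        *) echo "console address must start with wss://: $console" >&2; return 1 ;;
    esac
    out=$(sed -e "s|<ACCESS-TOKEN>|$(sed_escape "$token")|g" \
              -e "s|<VERSION>|$(sed_escape "$version")|g" \
              -e "s|<cloud-console>|$(sed_escape "$console")|g" \
              -e "s|<INSTALL-BUNDLE>|$(sed_escape "$bundle")|g" "$tpl") || return 1
    # A leftover <...> placeholder means the template used a name we did not expect.
    if printf '%s\n' "$out" | grep -q '<[A-Za-z-]*>'; then
        echo "unreplaced placeholder remains in rendered task definition" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# write_sample_template FILE: constructed miniature template (illustrative
# key names) that uses the placeholder names from the docs.
write_sample_template() {
    cat > "$1" <<'EOF'
{"family":"pc-defender","containerDefinitions":[{"name":"twistlock-defender",
"image":"registry.example/<ACCESS-TOKEN>/defender:<VERSION>",
"environment":[{"name":"CONSOLE_WS","value":"<cloud-console>"},
{"name":"INSTALL_BUNDLE","value":"<INSTALL-BUNDLE>"}]}]}
EOF
}
```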

Launch the Prisma Cloud Defender service

Create the Defender service using the previously defined task definition. Using Daemon scheduling, one Defender will run per node in your cluster.
  1. Go to Services > Containers > Elastic Container Service.
  2. In the left menu, click Clusters.
  3. Click on your cluster.
  4. On the Services tab, click Create.
  5. In Step 1: Configure service:
    1. For Launch type, select EC2.
    2. For Task Definition, select pc-defender.
    3. In Service Name, enter pc-defender.
    4. In Service Type, select Daemon.
    5. Click Next Step.
  6. In Step 2: Configure network, accept the defaults, and click Next.
  7. In Step 3: Set Auto Scaling, accept the defaults, and click Next.
  8. In Step 4: Review, click Create Service.
  9. Click View Service.
  10. Verify that you have Defenders running on each node in your ECS cluster. Go to your Prisma Cloud Console and view the list of Defenders in Manage > Defenders > Manage. After a few minutes you should see two new Defenders connected, one for each of the two ECS container instances.
