Amazon ECS

This quickstart guide shows you how to deploy Defender in an Amazon ECS cluster. A user data script in the worker node launch configuration joins each new EC2 instance to the cluster and mounts an EFS file system that holds the service-parameter file downloaded from the Console API; user data scripts run custom configuration commands when a new instance is started. Defender itself is then deployed from an ECS task definition as a service of type Daemon, so that one Defender runs on every worker node in the cluster.

Create a cluster

Create an empty cluster named tw-ecs-cluster. Later, you will create a launch configuration and an auto scaling group to start EC2 instances in the cluster.
  1. Log into the AWS Management Console.
  2. Go to Services > Compute > Elastic Container Service.
  3. Click Create Cluster.
  4. Select EC2 Linux + Networking, then click Next Step.
  5. Enter a cluster name, such as tw-ecs-cluster.
  6. Select Create an empty cluster.
  7. Click Create.

Create a security group

Create a new security group named tw-security-group that opens ports 8083, 8084 and 2049. Prisma Cloud needs these ports open to operate properly. This security group will be associated with the EC2 instances started in your cluster and with the EFS mount targets.
Console’s web interface and API are served on port 8083. Defender and Console communicate over a secure web socket on port 8084.
An inbound rule for port 2049 (NFS) is required so that the worker nodes can mount the EFS file system.
For debugging purposes, also open port 22 so that you can SSH to any machine in the cluster.
The steps below use Anywhere as the source to keep the quickstart short. In any environment that is not disposable, restrict the sources: only the worker nodes need to reach the EFS mount targets, so limit the 2049 rule to the VPC CIDR (or to the security group itself), and limit the SSH rule to your administrative address range.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click NETWORK & SECURITY > Security Groups.
  3. Click Create Security Group.
  4. In Security group name, enter a name, such as tw-security-group.
  5. In Description, enter Prisma Cloud ports.
  6. In VPC, select your default VPC.
  7. Under the Inbound tab, click Add Rule.
    1. Under Type, select Custom TCP.
    2. Under Port Range, enter 8083-8084.
    3. Under Source, select Anywhere.
  8. Click Add Rule.
    1. Under Type, select Custom TCP.
    2. Under Port Range, enter 2049.
    3. Under Source, select Anywhere.
  9. Click Add Rule.
    1. Under Type, select SSH.
    2. Under Source, select Anywhere.
  10. Click Create.

Create EFS file system for Defender

Create the Defender EFS file system, copy the service-parameter to it, then capture the mount command that will be used to mount the file system on every worker node.
The EFS file system and the ECS cluster must be in the same VPC and use the same security group.
  1. Log into the AWS Management Console.
  2. Go to Services > Storage > EFS.
  3. Click Create File System.
  4. Select a VPC, select tw-security-group for each mount target, then click Next.
  5. Enter a value for Name, such as tw-nlb-defender, then click Next.
  6. Review your settings and create the file system.
  7. Click the Amazon EC2 mount instructions (from local VPC) link and copy the mount command (Using the NFS client). Set it aside as the Defender mount command; you will use it to configure the launch configuration for the worker nodes.

Deploy Defender

Deploy your worker nodes. You will create an ECS task definition for the Prisma Cloud Defender, then create a service of type Daemon so that one Defender runs on every node in your ECS cluster. Because each Defender connects to Console as soon as it starts, Console must be fully operational before the worker nodes are instantiated in the cluster.

Copy the service-parameter into place

Download the service-parameter from the Console API and copy it to the EFS file system that the worker nodes will mount.
  1. Retrieve Console’s API address (CONSOLE).
    1. Sign into Prisma Cloud.
    2. Go to Compute > Manage > System > Downloads.
    3. Copy the URL under Path to Console.
  2. Retrieve the service parameter from the Prisma Cloud API.
    $ curl -k \
      -u <USER> \
      -H 'Content-Type: application/json' \
      -X GET \
      <CONSOLE>/api/v1/certs/service-parameter \
      -o service-parameter
    <CONSOLE> is the address the curl command uses to access Console. The -k flag disables TLS certificate verification; omit it if Console presents a certificate your system trusts.
  3. Copy the service-parameter to the EFS file system.
    1. Temporarily mount the Defender EFS file system on a system of your choosing, using the mount command you saved when you created the file system.
    2. Copy the following files to the EFS file system:
      • service-parameter
    3. Set the ownership and permissions for the file:
      $ chown root:root service-parameter
      $ chmod 600 service-parameter
    4. Unmount the EFS file system.
      $ umount <filesystem>

Copy the INSTALL_BUNDLE into place

Retrieve the install bundle that the Defender task definition needs.
  1. Retrieve the certificate bundle from the Prisma Cloud API. It is returned as a base64 string in the installBundle field of the response.
    $ curl -k \
      -u <USER> \
      -H 'Content-Type: application/json' \
      -X GET \
      '<CONSOLE>/api/v1/defenders/install-bundle?consoleaddr=<CONSOLE_CONN>' \
      | jq -r '.installBundle'
    <CONSOLE_CONN> is the address the Defenders use to connect to Console. It can be derived from the API address by removing the protocol scheme and path; it is simply the host part of the URL. For example: <REGION>.cloud.twistlock.com
  2. Save the installBundle output, as you will need it later to populate the task definition.

Create a launch configuration for worker nodes

Create a launch configuration named tw-worker-node that:
  • Runs the Amazon ECS-Optimized Amazon Linux AMI.
  • Uses the ecsInstanceRole IAM role.
  • Runs a user data script that joins the tw-ecs-cluster and mounts the EFS file system holding the service-parameter.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click AUTO SCALING > Launch Configurations.
  3. Click Create launch configuration.
  4. Choose an AMI.
    1. Click AWS Marketplace.
    2. In the search box, enter ecs.
    3. Click Select for Amazon ECS-Optimized Amazon Linux AMI.
  5. Choose an instance type.
    1. Select t2.medium.
    2. Click Next: Configure details.
  6. Configure details.
    1. In Name, enter a name for your launch configuration, such as tw-worker-node.
    2. In IAM role, select ecsInstanceRole.
    3. Select Monitoring.
    4. Expand Advanced Details.
    5. In User Data, enter the following text:
      #!/bin/bash
      echo ECS_CLUSTER=tw-ecs-cluster >> /etc/ecs/ecs.config
      yum install -y nfs-utils
      mkdir /twistlock_certificates
      chown root:root /twistlock_certificates
      chmod 700 /twistlock_certificates
      <DEFENDER_MOUNT_COMMAND> /twistlock_certificates
      Where:
      • ECS_CLUSTER must match your cluster name. If you’ve named your cluster something other than tw-ecs-cluster, modify your User Data script accordingly.
      • <DEFENDER_MOUNT_COMMAND> is the mount command you copied from the AWS Management Console after creating your Defender EFS file system, with the trailing efs mount target from the sample command removed. The mount target must be /twistlock_certificates.
    6. (Optional) Under IP Address Type, select Assign a public IP address to every instance. With this option, you can easily SSH to any worker node instance and troubleshoot issues.
    7. Click Next: Add Storage.
  7. Add Storage.
    1. Accept the defaults, and click Next: Configure Security Group.
  8. Configure security group.
    1. Under Assign a security group, choose Select an existing security group.
    2. Select tw-security-group.
    3. Click Review.
  9. Review.
    1. Click Create launch configuration.
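The two details in the user data that are easy to get wrong are the cluster name written to ecs.config and the mount target at the end of the EFS mount command. The script below is an added example, not code from the Prisma Cloud documentation or product: it renders the user data from a cluster name and the unmodified "Using the NFS client" command copied from the EFS console (replacing the trailing efs target with /twistlock_certificates), and includes a check to run on a booted node that the file system is mounted and that service-parameter still carries the root:root 0600 ownership set when it was copied in. The EFS DNS name in the demo is constructed.

```bash
#!/bin/bash
# Added example, not from the Prisma Cloud docs: render and check the worker
# node user data. The EFS DNS name used in the demo at the bottom is made up.
set -eu

# The EFS console's "Using the NFS client" command ends in a relative mount
# point named "efs"; the quickstart needs it mounted at /twistlock_certificates.
# A leading "sudo" is dropped, since user data already runs as root.
fix_mount_command() {
    cmd="${1#sudo }"
    case "$cmd" in
        *" efs")                     printf '%s\n' "${cmd% efs} /twistlock_certificates" ;;
        *" /twistlock_certificates") printf '%s\n' "$cmd" ;;
        *) echo "unexpected mount target in: $cmd" >&2; return 1 ;;
    esac
}

# Render the user data script for a cluster name and the raw mount command.
render_user_data() {
    cluster="$1"
    mount_cmd="$(fix_mount_command "$2")"
    cat <<EOF
#!/bin/bash
set -eu
echo ECS_CLUSTER=${cluster} >> /etc/ecs/ecs.config
yum install -y nfs-utils
mkdir -p /twistlock_certificates
chown root:root /twistlock_certificates
chmod 700 /twistlock_certificates
${mount_cmd}
EOF
}

# Run on a booted worker node: the share must be mounted at the expected path
# and service-parameter must still be root:root 0600 as set when it was
# copied in (EFS does not squash root by default, so the mode is preserved).
verify_node() {
    grep -q ' /twistlock_certificates nfs4 ' /proc/mounts \
        || { echo "EFS is not mounted at /twistlock_certificates" >&2; return 1; }
    perms="$(stat -c '%U:%G %a' /twistlock_certificates/service-parameter)"
    [ "$perms" = "root:root 600" ] \
        || { echo "service-parameter has $perms, expected root:root 600" >&2; return 1; }
    echo "node OK"
}

# Demo with a constructed EFS DNS name; paste the output into User Data.
render_user_data tw-ecs-cluster \
    'sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-0123abcd.efs.us-west-1.amazonaws.com:/ efs'
```

Run the script once on your workstation to produce the user data, and copy verify_node onto a node (or run it over SSH) after the auto scaling group has launched to confirm the mount and the file permissions before the Defender service is created.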

Create an auto scaling group for the worker nodes

Launch two worker nodes into your cluster.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click AUTO SCALING > Auto Scaling Groups.
  3. Click Create Auto Scaling group.
  4. Select Create an Auto Scaling group from an existing launch configuration.
  5. Select tw-worker-node.
  6. Click Next Step.
  7. Configure Auto Scaling group details.
    1. In Group Name, enter tw-worker-autoscaling.
    2. Leave Group size set to 2.
    3. Under Network, select your default VPC.
    4. Under Subnet, select a public subnet, such as 172.31.0.0/20.
    5. Click Next: Configure scaling policies.
  8. Configure scaling policies.
    1. Select Keep this group at its initial size.
    2. Click Next: Configure Notifications.
  9. Configure Notifications.
    1. Click Next: Configure Tags.
  10. Configure Tags.
    1. Under Key, enter Name.
    2. Under Value, enter tw-worker-node.
    3. Click Review.
  11. Click Create Auto Scaling Group.
    After the auto scaling group spins up (it will take some time), validate that the two worker nodes have registered with your cluster. Go to Services > Compute > Elastic Container Service and open the cluster. The count for Container instances should now be two, since the cluster was created empty.

Create a Prisma Cloud Defender task definition

Prisma Cloud provides a task definition template for Defender. Download the template, then update the variables specific to your environment. Finally, load the task definition in ECS.
  1. Download the Prisma Cloud Defender task definition, and open it for editing.
  2. Update the value for image to point to Prisma Cloud’s cloud registry, and replace the following placeholder strings with the appropriate values:
    • <ACCESS-TOKEN> — Your Prisma Cloud access token. All characters must be lowercase. To convert your access token to lowercase, run:
      $ echo <ACCESS-TOKEN> | tr '[:upper:]' '[:lower:]'
    • <VERSION> — Version of the Defender image to retrieve and install; it matches the version of your Console. For example, 19_11_506.
    • <cloud-console> — The DNS name for Console, retrieved from Compute > Manage > System > Downloads. The final wss value would look similar to wss://us-west1.cloud.twistlock.com:443
    • <INSTALL-BUNDLE> — Output from the installBundle endpoint.
  3. Go to Services > Compute > Elastic Container Service.
  4. In the left menu, click Task Definitions.
  5. Click Create new Task Definition.
  6. In Step 1: Select launch type compatibility, select EC2, then click Next step.
  7. In Step 2: Configure task and container definitions, scroll to the bottom of the page and click Configure via JSON.
  8. Delete the contents of the window, and replace it with the edited Prisma Cloud Defender task definition.
  9. Click Save.
  10. Click Create.
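Filling the placeholders by hand is where most mistakes happen: a token left in mixed case, a scheme or path left in the Console address, or a placeholder that survives the edit and only shows up when the task fails to pull its image. The script below is an added example, not code from Prisma Cloud; it covers both the install bundle section above and this one. It derives <CONSOLE_CONN> from the Path to Console URL, lowercases the token, fills the four placeholders with sed, and refuses a result that still contains a <…> placeholder. The template embedded in it is a constructed stand-in that uses the same placeholder names; the real Defender template's fields differ, and the registry image path and the WS_ADDRESS variable shown are assumptions about it.

```bash
#!/bin/bash
# Added example, not from the Prisma Cloud docs: fill the Defender task
# definition placeholders and refuse output that still contains one.
set -eu

# <CONSOLE_CONN>: the host[:port] part of the Path to Console URL.
console_conn_from_url() {
    host="${1#*://}"              # drop the scheme
    printf '%s\n' "${host%%/*}"   # drop the path
}

# The registry path embeds the access token in lowercase.
lowercase_token() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Fetch the install bundle the way the quickstart does (needs network access,
# so it is not exercised here). Add -k to curl only if Console's certificate
# is not trusted by your system.
fetch_install_bundle() {
    console_url="$1"; user="$2"
    curl -sS -u "$user" -H 'Content-Type: application/json' \
        "${console_url%/}/api/v1/defenders/install-bundle?consoleaddr=$(console_conn_from_url "$console_url")" \
        | jq -r '.installBundle'
}

# Constructed stand-in for the downloaded template; the real file differs,
# and the image path and WS_ADDRESS variable are assumptions about it.
sample_template() {
    cat <<'EOF'
{
  "family": "twistlock_defender",
  "containerDefinitions": [{
    "name": "twistlock_defender",
    "image": "registry-auth.twistlock.com/tw_<ACCESS-TOKEN>/twistlock/defender:defender_<VERSION>",
    "environment": [
      {"name": "WS_ADDRESS", "value": "wss://<cloud-console>:443"},
      {"name": "INSTALL_BUNDLE", "value": "<INSTALL-BUNDLE>"}
    ]
  }]
}
EOF
}

# Substitute the placeholders in a template read from stdin. '|' is a safe
# sed delimiter here: the token and version are [a-z0-9_], the Console
# address is a DNS name and the bundle is base64, none of which contain
# '|' or '&'.
fill_task_definition() {
    token="$(lowercase_token "$1")"; version="$2"; console_dns="$3"; bundle="$4"
    sed -e "s|<ACCESS-TOKEN>|${token}|g" \
        -e "s|<VERSION>|${version}|g" \
        -e "s|<cloud-console>|${console_dns}|g" \
        -e "s|<INSTALL-BUNDLE>|${bundle}|g"
}

# Return 1 and list the offending lines if any <PLACEHOLDER> survives.
check_placeholders() {
    if grep -n '<[A-Za-z][A-Za-z-]*>' "${1:--}"; then
        echo "unfilled placeholders remain" >&2
        return 1
    fi
}

# Demo with constructed values; the real token and bundle come from Console.
filled="$(sample_template | fill_task_definition AbC123dEf 19_11_506 \
    "$(console_conn_from_url https://us-west1.cloud.twistlock.com/)" dGVzdC1idW5kbGU=)"
printf '%s\n' "$filled" | check_placeholders
printf '%s\n' "$filled"
```

To use it on the real template, replace sample_template with `cat twistlock_defender.json` (or whatever you named the download) and redirect the output to the file you paste into Configure via JSON; run check_placeholders on that file before loading it into ECS.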

Launch the Prisma Cloud Defender service

Create the Defender service using the task definition you just created. With Daemon scheduling, one Defender runs per node in your cluster.
  1. Go to Services > Compute > Elastic Container Service.
  2. In the left menu, click Clusters.
  3. Click your cluster.
  4. In the Services tab, click Create.
  5. In Step 1: Configure service:
    1. For Launch type, select EC2.
    2. For Task Definition, select twistlock_defender.
    3. In Service Name, enter twistlock_defender.
    4. In Service Type, select Daemon.
    5. Click Next Step.
  6. In Step 2: Configure network, accept the defaults, and click Next.
  7. In Step 3: Set Auto Scaling, accept the defaults, and click Next.
  8. In Step 4: Review, click Create Service.
  9. Click View Service.
  10. Verify that you have Defenders running on each node in your ECS cluster. Go to your Prisma Cloud Console and view the list of Defenders in Manage > Defenders > Manage.
