AWS ECS (EC2 Provider)
Deployed as a daemon service using a task definition
In AWS ECS, the ThreatStryker sensors are deployed as a daemon service using task definition.
Prerequisites
Make sure you have the following information:
- Quay login, later referred as
<QUAY_LOGIN> - Quay password, later referred as
<QUAY_PASSWORD> - Management console URL/IP, later referred as
<MGMT_CONSOLE_URL> - Deepfence API key, later referred as
<DEEPFENCE_KEY>(This key can be found from the management console, in the settings > User > API Key)
Installing on AWS ECS (EC2 Provider)
- Add secret for quay login
- Go to the secret manager dashboard from the AWS Console
- Select "Store a new secret"
- Select "Other type of secret"
- Select "Plaintext" and paste the following:
{
"username" : "<QUAY_LOGIN>",
"password" : "<QUAY_PASSWORD>"
}
Create the secret and store the ARN. We will refer to it as <ARN_QUAY_CREDS>
- Add secret for Deepfence API key
- Go to the secret manager dashboard from the AWS Console
- Select "Store a new secret"
- Select "Other type of secret"
- Select "Plaintext" and paste the following:
{
"deepfence_api_key" : "<DEEPFENCE_KEY>"
}
Create the secret and store the ARN. We will refer to it as <API_KEY_SECRET_ARN>
caution
Be careful with the double quotes, sometimes the AWS UI transforms them into a special character that is not recognized as valid JSON.
- Create a new role (e.g.:
deepfence-agent-role)- Go to the IAM dashboard from AWS Console
- Go to Access management > roles
- Select "Create Role",
- Select "Custom trust policy"
- Paste the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Then continue:
- Search in the "Permissions policies" for "Task" > Select the following policy: `AmazonECSTaskExecutionRolePolicy`
- Click "Next", name the role `deepfence-agent-role`, then "Create role"
- Store the Role ARN. We will refer to it as `<AGENT_TASK_ROLE_ARN>`
- Search for your newly created role
- Click on it (`deepfence-agent-role` in our example)
- Select "Add permissions" > "Create inline policy" and add:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"<ARN_QUAY_CREDS>",
"<API_KEY_SECRET_ARN>"
]
}
]
}
```
- If you are using a custom KMS key for your secrets and not using the default key, you will also need to add the KMS key permissions to your inline policy:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"secretsmanager:GetSecretValue"
],
"Resource": [
"<ARN_QUAY_CREDS>",
"<API_KEY_SECRET_ARN>",
"<custom_kms_key_arn>"
]
}
]
}
```
Then create the new policy.
Create new task definition for deepfence agent
Use Old ECS Experience (old UI)
Go to the "Elastic Container Service" dashboard from AWS console
In the top left corner, disable new UI to use the legacy UI.
Go to "Task Definitions"
Select "Create new Task Definition"
Select EC2, then "Next step"
At the bottom, select "Configure via JSON"
Copy and paste the following JSON configuration: (Replace
<DEEPFENCE_KEY>,<MGMT_CONSOLE_URL>,<ARN_QUAY_CREDS>,<API_KEY_SECRET_ARN>and<AGENT_TASK_ROLE_ARN>with actual values){
"ipcMode": null,
"containerDefinitions": [
{
"dnsSearchDomains": [],
"environmentFiles": null,
"logConfiguration": null,
"entryPoint": [],
"portMappings": [],
"command": [],
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "DF_FIM_ON",
"value": "N"
},
{
"name": "DF_TRAFFIC_ANALYSIS_MODE",
"value": "all"
},
{
"name": "DEFENDERD_DISABLE_XFF_PROTECTION",
"value": "false"
},
{
"name": "DEFENDERD_TCP_BUFFER_LIMIT",
"value": "500MB"
},
{
"name": "DF_TRAFFIC_ANALYSIS_ON",
"value": "Y"
},
{
"name": "MGMT_CONSOLE_URL",
"value": "<MGMT_CONSOLE_URL>"
},
{
"name": "USER_DEFINED_TAGS",
"value": ""
}
],
"resourceRequirements": null,
"ulimits": null,
"repositoryCredentials": {
"credentialsParameter": "<ARN_QUAY_CREDS>"
},
"dnsServers": [],
"mountPoints": [
{
"readOnly": true,
"containerPath": "/fenced/mnt/host",
"sourceVolume": "Host"
},
{
"readOnly": false,
"containerPath": "/sys/kernel/debug",
"sourceVolume": "SysKernelDebug"
},
{
"readOnly": false,
"containerPath": "/sys/fs/bpf",
"sourceVolume": "SysFsBpf"
},
{
"readOnly": false,
"containerPath": "/var/run/docker.sock",
"sourceVolume": "DockerSock"
},
{
"readOnly": false,
"containerPath": "/var/log/fenced",
"sourceVolume": "VarLogFenced"
}
],
"workingDirectory": null,
"secrets": [
{
"name": "DEEPFENCE_KEY",
"valueFrom": "<API_KEY_SECRET_ARN>:deepfence_api_key::"
}
],
"dockerSecurityOptions": [],
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "quay.io/deepfenceio/deepfence_agent:2.0.1",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": [],
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": {},
"systemControls": [],
"privileged": true,
"name": "deepfence"
}
],
"placementConstraints": [],
"executionRoleArn": "<AGENT_TASK_ROLE_ARN>",
"taskRoleArn": "<AGENT_TASK_ROLE_ARN>",
"memory": "2048",
"family": "deepfence-agent-ec2-task",
"pidMode": null,
"requiresCompatibilities": [
"EC2"
],
"networkMode": "host",
"runtimePlatform": {
"operatingSystemFamily": "LINUX",
"cpuArchitecture": "X86_64"
},
"cpu": "512",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": [
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "SysKernelDebug",
"host": {
"sourcePath": "/sys/kernel/debug"
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "SysFsBpf",
"host": {
"sourcePath": "/sys/fs/bpf"
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "DockerSock",
"host": {
"sourcePath": "/var/run/docker.sock"
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "VarLogFenced",
"host": {
"sourcePath": null
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "Host",
"host": {
"sourcePath": "/"
},
"dockerVolumeConfiguration": null
}
]
}Select the container "deepfence" and select
Auto-configure CloudWatch LogsforLog configurationThen create the new task definition.
Create a new service to execute the Task and deploy the agent
- Use Old ECS Experience (old UI)
- Go to the "Elastic Container Service" dashboard from the AWS console
- Go to "Task definitions"
- Select previously created task definition
- Select "Actions" > "Create service"
- Select Launch type:
EC2 - Choose the ECS cluster to deploy
- Provide a name to your service (e.g.
deepfence-agent-ec2-service) - Set
Service TypeasDAEMON - Create the service
Monitor the service creation and check if the task is in running state. It can take a couple of minutes
If the task is running, you should see the agent appearing in your console, well done!