AWS ECS (EC2 Provider)
Deployed as a daemon service using a task definition
In AWS ECS, the ThreatStryker sensors are deployed as a daemon service using task definition.
Prerequisites
Make sure you have the following information:
- Quay login, later referred as
<QUAY_LOGIN> - Quay password, later referred as
<QUAY_PASSWORD> - Management console URL/IP, later referred as
<MGMT_CONSOLE_URL> - Deepfence API key, later referred as
<DEEPFENCE_KEY>(This key can be found from the management console, in the settings > User > API Key)
Installing on AWS ECS (EC2 Provider)
- Add secret for quay login
- Go to the secret manager dashboard from the AWS Console
- Select "Store a new secret"
- Select "Other type of secret"
- Select "Plaintext" and paste the following:
{
"username" : "<QUAY_LOGIN>",
"password" : "<QUAY_PASSWORD>"
}
Create the secret and store the ARN. We will refer to it as <ARN_QUAY_CREDS>
- Add secret for Deepfence API key
- Go to the secret manager dashboard from the AWS Console
- Select "Store a new secret"
- Select "Other type of secret"
- Select "Plaintext" and paste the following:
{
"deepfence_api_key" : "<DEEPFENCE_KEY>"
}
Create the secret and store the ARN. We will refer to it as <API_KEY_SECRET_ARN>
Be careful with the double quotes, sometimes the AWS UI transforms them into a special character that is not recognized as valid JSON.
- Create a new role (e.g.:
deepfence-agent-role)- Go to the IAM dashboard from AWS Console
- Go to Access management > roles
- Select "Create Role",
- Select "Custom trust policy"
- Paste the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Then continue:
-
Search in the "Permissions policies" for "Task" > Select the following policy:
AmazonECSTaskExecutionRolePolicy -
Click "Next", name the role
deepfence-agent-role, then "Create role" -
Store the Role ARN. We will refer to it as
<AGENT_TASK_ROLE_ARN> -
Search for your newly created role
-
Click on it (
deepfence-agent-rolein our example) -
Select "Add permissions" > "Create inline policy" and add:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"<ARN_QUAY_CREDS>",
"<API_KEY_SECRET_ARN>"
]
}
]
} -
If you are using a custom KMS key for your secrets and not using the default key, you will also need to add the KMS key permissions to your inline policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"secretsmanager:GetSecretValue"
],
"Resource": [
"<ARN_QUAY_CREDS>",
"<API_KEY_SECRET_ARN>",
"<custom_kms_key_arn>"
]
}
]
}
Then create the new policy.
-
Create new task definition for deepfence agent
-
Use Old ECS Experience (old UI)
-
Go to the "Elastic Container Service" dashboard from AWS console
-
In the top left corner, disable new UI to use the legacy UI.
-
Go to "Task Definitions"
-
Select "Create new Task Definition"
-
Select EC2, then "Next step"
-
At the bottom, select "Configure via JSON"
-
Copy and paste the following JSON configuration: (Replace
<DEEPFENCE_KEY>,<MGMT_CONSOLE_URL>,<ARN_QUAY_CREDS>,<API_KEY_SECRET_ARN>and<AGENT_TASK_ROLE_ARN>with actual values){
"ipcMode": null,
"containerDefinitions": [
{
"dnsSearchDomains": [],
"environmentFiles": null,
"logConfiguration": null,
"entryPoint": [],
"portMappings": [],
"command": [],
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "DF_FIM_ON",
"value": "N"
},
{
"name": "DF_TRAFFIC_ANALYSIS_MODE",
"value": "all"
},
{
"name": "DEFENDERD_DISABLE_XFF_PROTECTION",
"value": "false"
},
{
"name": "DEFENDERD_TCP_BUFFER_LIMIT",
"value": "500MB"
},
{
"name": "DF_TRAFFIC_ANALYSIS_ON",
"value": "Y"
},
{
"name": "MGMT_CONSOLE_URL",
"value": "<MGMT_CONSOLE_URL>"
},
{
"name": "USER_DEFINED_TAGS",
"value": ""
}
],
"resourceRequirements": null,
"ulimits": null,
"repositoryCredentials": {
"credentialsParameter": "<ARN_QUAY_CREDS>"
},
"dnsServers": [],
"mountPoints": [
{
"readOnly": true,
"containerPath": "/fenced/mnt/host",
"sourceVolume": "Host"
},
{
"readOnly": false,
"containerPath": "/sys/kernel/debug",
"sourceVolume": "SysKernelDebug"
},
{
"readOnly": false,
"containerPath": "/sys/fs/bpf",
"sourceVolume": "SysFsBpf"
},
{
"readOnly": false,
"containerPath": "/var/run/docker.sock",
"sourceVolume": "DockerSock"
},
{
"readOnly": false,
"containerPath": "/var/log/fenced",
"sourceVolume": "VarLogFenced"
}
],
"workingDirectory": null,
"secrets": [
{
"name": "DEEPFENCE_KEY",
"valueFrom": "<API_KEY_SECRET_ARN>:deepfence_api_key::"
}
],
"dockerSecurityOptions": [],
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "quay.io/deepfenceio/deepfence_agent:3.7.3",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": [],
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": {},
"systemControls": [],
"privileged": true,
"name": "deepfence"
}
],
"placementConstraints": [],
"executionRoleArn": "<AGENT_TASK_ROLE_ARN>",
"taskRoleArn": "<AGENT_TASK_ROLE_ARN>",
"memory": "2048",
"family": "deepfence-agent-ec2-task",
"pidMode": null,
"requiresCompatibilities": [
"EC2"
],
"networkMode": "host",
"runtimePlatform": {
"operatingSystemFamily": "LINUX",
"cpuArchitecture": "X86_64"
},
"cpu": "512",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": [
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "SysKernelDebug",
"host": {
"sourcePath": "/sys/kernel/debug"
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "SysFsBpf",
"host": {
"sourcePath": "/sys/fs/bpf"
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "DockerSock",
"host": {
"sourcePath": "/var/run/docker.sock"
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "VarLogFenced",
"host": {
"sourcePath": null
},
"dockerVolumeConfiguration": null
},
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": null,
"name": "Host",
"host": {
"sourcePath": "/"
},
"dockerVolumeConfiguration": null
}
]
} -
Select the container "deepfence" and select
Auto-configure CloudWatch LogsforLog configuration -
Then create the new task definition.
-
-
Create a new service to execute the Task and deploy the agent
- Use Old ECS Experience (old UI)
- Go to the "Elastic Container Service" dashboard from the AWS console
- Go to "Task definitions"
- Select previously created task definition
- Select "Actions" > "Create service"
- Select Launch type:
EC2 - Choose the ECS cluster to deploy
- Provide a name to your service (e.g.
deepfence-agent-ec2-service) - Set
Service TypeasDAEMON - Create the service
-
Monitor the service creation and check if the task is in running state. It can take a couple of minutes
-
If the task is running, you should see the agent appearing in your console, well done!