You can run the Carbon Black Containerized Sensor on an ECS cluster to detect and enforce EDR and Container Scanning capabilities. Additionally, the Containerized Sensor can detect vulnerabilities, malware, and secrets in the runtime in an ECS Cluster.
Prerequisites
- ECS Cluster
- Carbon BlackCarbon Black Cloud Container
- Carbon Black EDR
- API key with appropriate permissions
- See:
Procedure
- Register the agent task definition and update it with the relevant environment variables from the setup wizard you ran in Set up a Containerized Sensor:
{ "family": "cbcontainers-daemon", "pidMode": "host", "networkMode": "bridge", "executionRoleArn": "<arn role with ec2 deployment permissions>", "containerDefinitions": [ { "name": "host-container-scanner", "image": "docker.io/cbartifactory/cb-containers-sensor:{sensor-version} >", "cpu": 512, "memory": 1024, "privileged": true, "environment": [ // fill environment variables list here ], "mountPoints": [ { "sourceVolume": "dockersock", "containerPath": "/var/run/docker.sock" }, { "sourceVolume": "hostname", "containerPath": "/etc/hostname" }, { "sourceVolume": "boot", "containerPath": "/boot" }, { "sourceVolume": "cb-data-dir", "containerPath": "/var/opt/carbonblack" }, { "sourceVolume": "os-release", "containerPath": "/etc/os-release" }, { "sourceVolume": "root", "containerPath": "/var/opt/root" } ], "healthCheck": { "command": [ "CMD-SHELL", "cat /tmp/ready || exit 1" ], "interval": 60, "timeout": 15, "retries": 3, "startPeriod": 60 } } ], "volumes": [ { "name": "dockersock", "host": { "sourcePath": "/var/run/docker.sock" } }, { "name": "hostname", "host": { "sourcePath": "/etc/hostname" } }, { "name": "boot", "host": { "sourcePath": "/boot" } }, { "name": "cb-data-dir", "host": { "sourcePath": "/var/opt/carbonblack" } }, { "name": "os-release", "host": { "sourcePath": "/etc/os-release" } }, { "name": "root", "host": { "sourcePath": "/" } } ], "requiresCompatibilities": [ "EC2" ] } - Register the agent task definition by using the AWS ECS user interface or the AWS CLI:
aws ecs register-task-definition --cli-input-json file://cbcontainers-daemon.json --region <region-to-apply-at>
- (Optional) To write agent logs to AWS CloudWatch, add the
logConfigurationsection inside the container definition element in the task definition:{ "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "cbcontainers-agent", "awslogs-region": "<region>", "awslogs-stream-prefix": "cbcontainers-agent" } } }Add the
cbcontainers-agentawslogs-group and add thelogs:CreateLogStreamandlogs:PutLogEventsActions to the ECS Role Policy. - To run the agent, create a service to run the task:
cbcontainers-daemon-svc:aws ecs create-service \ --region <region-to-apply-at> \ --cluster <your-cluster-name> \ --service-name cbcontainers-daemon-svc \ --launch-type EC2 \ --task-definition cbcontainers-daemon \ --scheduling-strategy DAEMON - To run the agent as an ECS task, add a role with the following permissions in the
executionRoleArnsection of the task definition:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeTags", "ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:UpdateContainerInstancesState", "ecs:Submit*", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] } - (Optional) To write agent logs to AWS CloudWatch, add the Actions
logs:CreateLogStreamandlogs:PutLogEventsto the Actions list.Note: To write the containers logs, the policy must have cloudwatch access and permissions to pull images and run ECS tasks.
