You can run the Carbon Black Containerized Sensor on an ECS cluster to provide EDR and container-scanning capabilities on the cluster. The Containerized Sensor also detects vulnerabilities, malware, and secrets at runtime in the ECS cluster.
Prerequisites
- ECS Cluster
- Carbon Black Cloud Container
- Carbon Black EDR
- API key with appropriate permissions
Procedure
- Create the agent task definition file (the following steps use the file name cbcontainers-daemon.json) and update it with the relevant environment variables from the setup wizard you ran in Set up a Containerized Sensor. Note that the task runs privileged, shares the host PID namespace, and mounts the Docker socket and the host root filesystem, so treat the task definition and the role that can register it as sensitive.

    {
      "family": "cbcontainers-daemon",
      "pidMode": "host",
      "networkMode": "bridge",
      "executionRoleArn": "<arn role with ec2 deployment permissions>",
      "containerDefinitions": [
        {
          "name": "host-container-scanner",
          "image": "docker.io/cbartifactory/cb-containers-sensor:{sensor-version}",
          "cpu": 512,
          "memory": 1024,
          "privileged": true,
          "environment": [
            // fill environment variables list here
          ],
          "mountPoints": [
            { "sourceVolume": "dockersock", "containerPath": "/var/run/docker.sock" },
            { "sourceVolume": "hostname", "containerPath": "/etc/hostname" },
            { "sourceVolume": "boot", "containerPath": "/boot" },
            { "sourceVolume": "cb-data-dir", "containerPath": "/var/opt/carbonblack" },
            { "sourceVolume": "os-release", "containerPath": "/etc/os-release" },
            { "sourceVolume": "root", "containerPath": "/var/opt/root" }
          ],
          "healthCheck": {
            "command": [ "CMD-SHELL", "cat /tmp/ready || exit 1" ],
            "interval": 60,
            "timeout": 15,
            "retries": 3,
            "startPeriod": 60
          }
        }
      ],
      "volumes": [
        { "name": "dockersock", "host": { "sourcePath": "/var/run/docker.sock" } },
        { "name": "hostname", "host": { "sourcePath": "/etc/hostname" } },
        { "name": "boot", "host": { "sourcePath": "/boot" } },
        { "name": "cb-data-dir", "host": { "sourcePath": "/var/opt/carbonblack" } },
        { "name": "os-release", "host": { "sourcePath": "/etc/os-release" } },
        { "name": "root", "host": { "sourcePath": "/" } }
      ],
      "requiresCompatibilities": [ "EC2" ]
    }
- Register the agent task definition by using the AWS ECS user interface or the AWS CLI:

    aws ecs register-task-definition --cli-input-json file://cbcontainers-daemon.json --region <region-to-apply-at>
- (Optional) To write agent logs to AWS CloudWatch, add the logConfiguration section inside the container definition element in the task definition:

    {
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "cbcontainers-agent",
          "awslogs-region": "<region>",
          "awslogs-stream-prefix": "cbcontainers-agent"
        }
      }
    }

  Create the cbcontainers-agent log group (the awslogs-group above) and add the logs:CreateLogStream and logs:PutLogEvents actions to the ECS role policy.
- To run the agent, create a service named cbcontainers-daemon-svc that runs the task on every container instance:

    aws ecs create-service \
      --region <region-to-apply-at> \
      --cluster <your-cluster-name> \
      --service-name cbcontainers-daemon-svc \
      --launch-type EC2 \
      --task-definition cbcontainers-daemon \
      --scheduling-strategy DAEMON
- To run the agent as an ECS task, add a role with the following permissions in the executionRoleArn section of the task definition:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeTags",
            "ecs:CreateCluster",
            "ecs:DeregisterContainerInstance",
            "ecs:DiscoverPollEndpoint",
            "ecs:Poll",
            "ecs:RegisterContainerInstance",
            "ecs:StartTelemetrySession",
            "ecs:UpdateContainerInstancesState",
            "ecs:Submit*",
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ],
          "Resource": "*"
        }
      ]
    }
- (Optional) To write agent logs to AWS CloudWatch, add the logs:CreateLogStream and logs:PutLogEvents actions to the Action list of that policy. Note: To write the container logs, the policy must have CloudWatch Logs access in addition to the permissions to pull images and run ECS tasks.