You can run the Carbon Black Containerized Sensor on an ECS cluster to provide EDR detection and enforcement and Container Scanning capabilities. The Containerized Sensor can also detect vulnerabilities, malware, and secrets at runtime in an ECS cluster.

Prerequisites

You must have the following products and information:

Procedure

  1. Create the agent task definition (saved as cbcontainers-daemon.json, the file that step 2 registers) and populate its environment list with the variables produced by the setup wizard you ran in Set up a Containerized Sensor:
    {
      "family": "cbcontainers-daemon",
      "pidMode": "host",
      "networkMode": "bridge",
      "executionRoleArn": "<arn role with ec2 deployment permissions>",
      "containerDefinitions":
      [
        {
          "name": "host-container-scanner",
          "image": "docker.io/cbartifactory/cb-containers-sensor:<sensor-version>",
          "cpu": 512,
          "memory": 1024,
          "privileged": true,
          "environment":
          [
            {
              "name": "<ENV_VAR_NAME>",
              "value": "<value from the setup wizard>"
            }
          ],
          "mountPoints":
          [
            {
              "sourceVolume": "dockersock",
              "containerPath": "/var/run/docker.sock"
            },
            {
              "sourceVolume": "hostname",
              "containerPath": "/etc/hostname"
            },
            {
              "sourceVolume": "boot",
              "containerPath": "/boot"
            },
            {
              "sourceVolume": "cb-data-dir",
              "containerPath": "/var/opt/carbonblack"
            },
            {
              "sourceVolume": "os-release",
              "containerPath": "/etc/os-release"
            },
            {
              "sourceVolume": "root",
              "containerPath": "/var/opt/root"
            }
          ],
          "healthCheck": {
            "command": [
              "CMD-SHELL",
              "cat /tmp/ready || exit 1"
            ],
            "interval": 60,
            "timeout": 15,
            "retries": 3,
            "startPeriod": 60
          }
        }
      ],
      "volumes":
      [
        {
          "name": "dockersock",
          "host":
          {
            "sourcePath": "/var/run/docker.sock"
          }
        },
        {
          "name": "hostname",
          "host":
          {
            "sourcePath": "/etc/hostname"
          }
        },
        {
          "name": "boot",
          "host":
          {
            "sourcePath": "/boot"
          }
        },
        {
          "name": "cb-data-dir",
          "host":
          {
            "sourcePath": "/var/opt/carbonblack"
          }
        },
        {
          "name": "os-release",
          "host":
          {
            "sourcePath": "/etc/os-release"
          }
        },
        {
          "name": "root",
          "host":
          {
            "sourcePath": "/"
          }
        }
      ],
      "requiresCompatibilities":
      [
        "EC2"
      ]
    }
  2. Register the agent task definition by using the AWS ECS user interface or the AWS CLI:
    aws ecs register-task-definition --cli-input-json file://cbcontainers-daemon.json --region <region-to-apply-at>
    
  3. (Optional) To write agent logs to AWS CloudWatch, add the logConfiguration section inside the container definition element in the task definition:
    {
      "logConfiguration":
      {
        "logDriver": "awslogs",
        "options":
        {
          "awslogs-group": "cbcontainers-agent",
          "awslogs-region": "<region>",
          "awslogs-stream-prefix": "cbcontainers-agent"
        }
      }
    }
    

    Create the cbcontainers-agent log group in CloudWatch, and add the logs:CreateLogStream and logs:PutLogEvents actions to the ECS role policy (the role referenced in step 5).

  4. To run the agent, create a service named cbcontainers-daemon-svc that runs the task with the DAEMON scheduling strategy, so that one copy of the sensor task runs on every container instance in the cluster:
    aws ecs create-service \
        --region <region-to-apply-at> \
        --cluster <your-cluster-name> \
        --service-name cbcontainers-daemon-svc \
        --launch-type EC2 \
        --task-definition cbcontainers-daemon \
        --scheduling-strategy DAEMON
    
  5. To run the agent as an ECS task, reference a role with the following permissions in the executionRoleArn field of the task definition:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeTags",
                    "ecs:CreateCluster",
                    "ecs:DeregisterContainerInstance",
                    "ecs:DiscoverPollEndpoint",
                    "ecs:Poll",
                    "ecs:RegisterContainerInstance",
                    "ecs:StartTelemetrySession",
                    "ecs:UpdateContainerInstancesState",
                    "ecs:Submit*",
                    "ecr:GetAuthorizationToken",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage"
                ],
                "Resource": "*"
            }
        ]
    }
  6. (Optional) To write agent logs to AWS CloudWatch, add logs:CreateLogStream and logs:PutLogEvents to the Action list of that policy.
    Note: To write the container logs, the policy must grant CloudWatch Logs access in addition to the permissions to pull images and run ECS tasks.