1. Overview

App-Embedded Defenders for Fargate monitor your tasks to ensure they run as designed, protecting them from suspicious processes and unexpected outbound network connections.

App-Embedded Defender policies let you define:

  • Process allow or deny lists. Enables verification of launched processes against policy.

  • Outgoing connection allow or deny lists. Enables verification of the domain names a task resolves for outgoing network connections against policy.

Besides runtime policy, you can also configure the WAAS application firewall to protect front-end Fargate tasks.

2. Architecture

When you embed the App-Embedded Defender into your Fargate task, Prisma Cloud modifies the task definition. The updated task definition includes a Prisma Cloud sidecar container. The sidecar container handles all communication with Console, including retrieving policies and sending audits. It also hosts the App-Embedded Defender binaries, which are shared with the task’s other containers through a shared volume. The embed process modifies each containerDefinition to:

  • Mount the Prisma Cloud sidecar container’s shared volume to gain access to the App-Embedded Defender binaries.

  • Start the original entrypoint command under the control of App-Embedded Defender.
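The embed step described above, as an added illustration rather than Prisma Cloud's own embed code: a Python function that applies the three modifications to an ECS task definition (declare the shared volume, add the sidecar, mount the volume into each application container and wrap its entrypoint), plus a check that verifies the result. Every name used here (sidecar image and container name, volume name, mount path, Defender binary path, wrapper arguments, the `dependsOn` condition and the read-only mount) is a placeholder chosen for this example, not the value the real embed process uses, and the sample task definition is constructed for the example.

```python
"""
Illustrative transformation of an ECS/Fargate task definition following the
pattern in the Architecture section.  All names below are hypothetical
placeholders for this example; they are not the product's real values.
"""
import copy
import json

SIDECAR_NAME = "defender-sidecar"                       # hypothetical
SIDECAR_IMAGE = "example.invalid/defender-sidecar:1.0"  # hypothetical
VOLUME_NAME = "defender-volume"                         # hypothetical
MOUNT_PATH = "/defender"                                # hypothetical
DEFENDER_BIN = MOUNT_PATH + "/defender"                 # hypothetical
WRAPPER_ARGS = [DEFENDER_BIN, "app", "--"]              # hypothetical wrapper syntax

# Constructed sample task definition for this example (not a real deployment).
SAMPLE_TASK_DEF = {
    "family": "web-frontend",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "example.invalid/web:1.0",
            "essential": True,
            "entryPoint": ["/usr/local/bin/node"],
            "command": ["server.js"],
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
        }
    ],
}


def embed_defender(task_def: dict) -> dict:
    """Return a copy of task_def with the sidecar added and every application
    container mounted and wrapped.  Idempotent: a definition that already
    carries the sidecar is returned unchanged.  The input is not modified."""
    new = copy.deepcopy(task_def)
    containers = new.setdefault("containerDefinitions", [])
    if any(c.get("name") == SIDECAR_NAME for c in containers):
        return new

    # 1. Declare the shared volume at task level.  A named volume with no
    #    host path is task-scoped ephemeral storage on Fargate.
    new.setdefault("volumes", []).append({"name": VOLUME_NAME})

    # 2. Modify each existing application container definition.
    for c in containers:
        # Mount the shared volume so the container can reach the Defender
        # binaries.  Read-only is an assumption of this example.
        c.setdefault("mountPoints", []).append(
            {"sourceVolume": VOLUME_NAME, "containerPath": MOUNT_PATH, "readOnly": True})
        # Wrap the entrypoint.  ECS concatenates entryPoint and command, so
        # wrapping entryPoint alone keeps "command" intact.  Setting
        # entryPoint overrides the image's own ENTRYPOINT, so a container
        # whose entrypoint is only known from the image cannot be wrapped
        # blindly; this example refuses instead of guessing.
        if not c.get("entryPoint"):
            raise ValueError(
                f"container {c.get('name')!r}: entryPoint must be explicit to wrap it")
        c["entryPoint"] = WRAPPER_ARGS + list(c["entryPoint"])
        # Start the application only after the sidecar has started, so the
        # binaries are present in the volume before the wrapper executes.
        # The START condition is an assumption of this example.
        c.setdefault("dependsOn", []).append(
            {"containerName": SIDECAR_NAME, "condition": "START"})

    # 3. Append the sidecar.  It owns the Console connection and populates
    #    the shared volume with the Defender binaries at start-up (that copy
    #    is the sidecar image's job, not shown here).
    containers.append({
        "name": SIDECAR_NAME,
        "image": SIDECAR_IMAGE,
        "mountPoints": [{"sourceVolume": VOLUME_NAME, "containerPath": MOUNT_PATH,
                         "readOnly": False}],
    })
    return new


def verify_embedding(task_def: dict) -> list:
    """Return a list of problems with an embedded definition; empty means the
    sidecar, volume, mounts and wrapped entrypoints are all consistent."""
    problems = []
    containers = task_def.get("containerDefinitions", [])
    if not any(c.get("name") == SIDECAR_NAME for c in containers):
        problems.append("sidecar container missing")
    if not any(v.get("name") == VOLUME_NAME for v in task_def.get("volumes", [])):
        problems.append("shared volume not declared")
    for c in containers:
        if c.get("name") == SIDECAR_NAME:
            continue
        mounted = any(m.get("sourceVolume") == VOLUME_NAME and m.get("containerPath") == MOUNT_PATH
                      for m in c.get("mountPoints", []))
        if not mounted:
            problems.append(f"{c.get('name')}: shared volume not mounted")
        if list(c.get("entryPoint", []))[:len(WRAPPER_ARGS)] != WRAPPER_ARGS:
            problems.append(f"{c.get('name')}: entrypoint not wrapped")
        if not any(d.get("containerName") == SIDECAR_NAME for d in c.get("dependsOn", [])):
            problems.append(f"{c.get('name')}: does not depend on the sidecar")
    return problems


if __name__ == "__main__":
    embedded = embed_defender(SAMPLE_TASK_DEF)
    print(json.dumps(embedded, indent=2))
    print("problems:", verify_embedding(embedded))
```

Running the script prints the transformed definition and an empty problem list; running `verify_embedding` on the untouched sample reports every missing piece, which is the check to apply before registering a task definition that is supposed to carry the Defender.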

App-Embedded Defenders do not communicate directly with Console. All communication is proxied through the Prisma Cloud sidecar container. The following diagram illustrates the setup: