1. Overview

AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts. Each container is defined as part of a task and several containers can be run as part of the same task.

Prisma Cloud can scan Fargate tasks for compliance issues. To see the scan report for your Fargate task images, go to Monitor > Compliance > Images > Deployed and filter the table with Fargate:Select.

Prisma Cloud Compute labels all containers running within the same task as if they run on the same host. For containers that are running in Fargate, the Host column will contain the Fargate task identifier.

2. Create compliance rules for Fargate tasks

Create a compliance rule for Fargate tasks in scope.

  1. Log in to the Console.

  2. Go to Defend > Compliance > Containers and images > Deployed.

  3. Click Add rule.

  4. Enter a rule name.

  5. Click on Scope to select a relevant collection, or create a new collection for your Fargate tasks:

    1. Click Add collection.

    2. Enter collection name.

    3. In the Hosts field, type the name of the Fargate task, or a name with a postfix wildcard.

      For example: fargate, fargate-vulnerability-compliance-task.

    4. Click Save.

    5. Select the new Fargate task collection.

    6. Click Select collection.

  6. Click Save.

    The block action doesn’t apply to Fargate tasks.
    [Image: Fargate collection]

3. Compliance check details

The following checks are supported for Fargate tasks:

424: Sensitive information provided in environment variables

Checks if images contain sensitive information in their environment variables.

425: Private keys stored in image

Searches for private keys stored in an image or serverless function.

426: Image contains binaries used for crypto mining

Detects when there are crypto miners in an image. Attackers have been quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images.

448: Package binaries should not be altered

Checks the integrity of package binaries in an image. During an image scan, every binary’s checksum is compared with its package info.

Custom compliance

Custom checks work only for tasks that run with root privileges. Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. For more information, see Custom compliance checks.
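To make concrete what the filesystem-level checks above look for, here is an added example (not Prisma Cloud code) that re-creates the intent of checks 425, 426 and 448 over an extracted image rootfs directory. The PEM marker pattern and the miner-name list are assumptions; the rootfs it builds is constructed for the demo and reproduces what the page's cp /bin/sleep /tmp/xmrig command leaves behind, alongside a leaked key and a tampered coreutils binary. Check 448 is modelled on dpkg's <pkg>.md5sums records, which is where Debian/Ubuntu images keep per-file package checksums.

```python
"""Re-creation of checks 425 (private keys), 426 (miner binaries) and 448
(package-binary integrity) over an extracted image rootfs.
Added example, not Prisma Cloud code; patterns and name list are assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

# Check 425: PEM private-key header (assumed marker list).
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# Check 426: well-known miner binary names; xmrig is the one the page's task creates.
MINER_NAMES = {"xmrig", "minerd", "cpuminer", "ethminer"}


def _files(root):
    """Regular files under root (symlinks skipped so a link cannot escape the tree)."""
    for path in Path(root).rglob("*"):
        if path.is_file() and not path.is_symlink():
            yield path


def _abs(root, path):
    return "/" + path.relative_to(root).as_posix()


def check_425_private_keys(root):
    """Flag files whose first 4 KiB carry a PEM private-key header."""
    findings = []
    for path in _files(root):
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if PEM_KEY_RE.search(head):
            findings.append(_abs(root, path))
    return sorted(findings)


def check_426_miner_binaries(root):
    """Flag files named like known crypto miners, wherever they sit in the image."""
    return sorted(_abs(root, p) for p in _files(root) if p.name.lower() in MINER_NAMES)


def check_448_package_integrity(root):
    """Compare each file listed in dpkg's <pkg>.md5sums records with its on-disk hash.
    Record format is '<md5>  <path without leading />', one file per line."""
    findings = []
    info_dir = Path(root) / "var/lib/dpkg/info"
    for record in sorted(info_dir.glob("*.md5sums")):
        pkg = record.name[: -len(".md5sums")]
        for line in record.read_text().splitlines():
            expected, _, rel = line.partition("  ")
            target = Path(root) / rel
            if not target.is_file():
                continue  # missing files are a separate concern; only altered ones here
            actual = hashlib.md5(target.read_bytes()).hexdigest()
            if actual != expected:
                findings.append((pkg, "/" + rel))
    return findings


def run_checks(root):
    return {
        "425": check_425_private_keys(root),
        "426": check_426_miner_binaries(root),
        "448": check_448_package_integrity(root),
    }


def build_sample_rootfs():
    """Constructed rootfs: the page's `cp /bin/sleep /tmp/xmrig` result,
    a leaked key under /etc/ssl/private and a tampered /usr/bin/ls."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    sleep_bin = b"\x7fELF-constructed-sleep"  # stand-in for a real ELF binary
    (root / "bin").mkdir()
    (root / "bin/sleep").write_bytes(sleep_bin)
    (root / "tmp").mkdir()
    (root / "tmp/xmrig").write_bytes(sleep_bin)  # what the page's command leaves behind
    (root / "etc/ssl/private").mkdir(parents=True)
    (root / "etc/ssl/private/server.key").write_bytes(
        b"-----BEGIN PRIVATE KEY-----\nconstructed-key-material\n-----END PRIVATE KEY-----\n")
    (root / "usr/bin").mkdir(parents=True)
    (root / "usr/bin/ls").write_bytes(b"\x7fELF-tampered-ls")
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    # dpkg's record of the original hashes: sleep still matches, ls no longer does.
    (info / "coreutils.md5sums").write_text(
        f"{hashlib.md5(sleep_bin).hexdigest()}  bin/sleep\n"
        f"{hashlib.md5(b'original-ls').hexdigest()}  usr/bin/ls\n")
    return root


if __name__ == "__main__":
    for check, hits in run_checks(build_sample_rootfs()).items():
        print(check, hits)
```

Note that check 426 here fires on the file name alone, which is exactly why the page's harmless copy of /bin/sleep named xmrig is enough to trigger it; a production scanner would also hash the binary and inspect its strings, which this demo does not attempt.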

4. Deploy Fargate task

Deploy the fargate-vulnerability-compliance-task Fargate task (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.

4.1. Example task definition

You can use the following task definition to test Prisma Cloud’s App-Embedded Defender. The task deploys an ubuntu:18.04 container and runs a shell command that copies /bin/sleep to /tmp/xmrig and then idles, which triggers the Image contains binaries used for crypto mining compliance check.

{
  "containerDefinitions": [
    {
      "command": [
        "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
      ],
      "entryPoint": [
        "sh",
        "-c"
      ],
      "essential": true,
      "image": "ubuntu:18.04",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/fargate-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "name": "Fargate-vul-comp-test",
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp"
        }
      ]
    }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
    "FARGATE"
  ]
}
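Because the block action does not apply to Fargate tasks, the practical place to catch check 424 (sensitive information in environment variables) is before the task definition is registered. The following added example (not Prisma Cloud or AWS code) applies the idea of that check to the task definition itself: it flags containerDefinitions whose environment entries carry a secret-like name with an inline value, and rewrites them into secrets entries that resolve from Secrets Manager or SSM at task start. environment and secrets are standard ECS containerDefinition keys; the sample definition (the page's container with an environment block added), the secret-name pattern and the ARN prefix are constructed for the demo.

```python
"""Check 424 applied at the task-definition layer: credentials passed as plain
`environment` values instead of `secrets` references.
Added example, not Prisma Cloud or AWS code; sample data is constructed."""
import copy
import re

# Variable names that usually carry credentials (assumed pattern).
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

# Constructed definition: the page's container with an environment block added.
SAMPLE_TASK_DEF = {
    "family": "fargate-vulnerability-compliance-task",
    "containerDefinitions": [{
        "name": "Fargate-vul-comp-test",
        "image": "ubuntu:18.04",
        "environment": [
            {"name": "DB_HOST", "value": "db.internal"},
            {"name": "DB_PASSWORD", "value": "hunter2"},  # inline secret: finding
        ],
        "secrets": [  # already correct: resolved by ECS at task start, never in the config
            {"name": "API_TOKEN",
             "valueFrom": "arn:aws:secretsmanager:us-east-1:012345678910:secret:api-token"},
        ],
    }],
}


def _looks_like_secret(var):
    """An environment entry with a non-empty value and a credential-like name."""
    return bool(var.get("value")) and SECRET_NAME_RE.search(var.get("name", "")) is not None


def find_plaintext_secrets(task_def):
    """Return (container name, variable name) for every inline secret-like value."""
    return [(c["name"], v["name"])
            for c in task_def.get("containerDefinitions", [])
            for v in c.get("environment", []) if _looks_like_secret(v)]


def move_to_secrets(task_def, secret_arn_prefix):
    """Return a copy in which flagged variables become `secrets` entries.
    secret_arn_prefix is a placeholder for the Secrets Manager/SSM ARN to use;
    the secret itself must be created there separately."""
    fixed = copy.deepcopy(task_def)
    for c in fixed.get("containerDefinitions", []):
        keep, moved = [], []
        for v in c.get("environment", []):
            if _looks_like_secret(v):
                moved.append({"name": v["name"],
                              "valueFrom": f"{secret_arn_prefix}:{v['name'].lower()}"})
            else:
                keep.append(v)
        c["environment"] = keep
        c["secrets"] = c.get("secrets", []) + moved
    return fixed


if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_TASK_DEF))
    print(find_plaintext_secrets(
        move_to_secrets(SAMPLE_TASK_DEF, "arn:aws:secretsmanager:us-east-1:012345678910:secret")))
```

Run this against the JSON you are about to register (for example in a CI step ahead of register-task-definition) so that a definition which would fail check 424 never reaches the cluster.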

5. View compliance scan results

  1. Navigate to Monitor > Compliance > Images > Deployed and validate that the deployed image appears with an alerted compliance check.

  2. To see all images that are related to Fargate tasks, filter the image table by adding the Fargate:Select filter.

    You can also filter the results by a specific task name or postfix wildcards. For example: fargate-task OR fargate-task*. Use the Hosts: filter to filter the table specifically by hosts.

    [Image: Fargate:Select filter on the compliance table]
  3. Search for the fargate-vulnerability-compliance-task Fargate task.

  4. Click on the image to view image details:

    1. The associated vulnerabilities appear under the Vulnerabilities tab.

    2. Under the Compliance tab, see the following compliance issue: Image contains binaries used for crypto mining

    3. See the related Fargate tasks under the Environment > Fargate Tasks tab.

      The Host column shows the number of hosts and Fargate tasks that this image is associated with.
      The Runtime, Layers, Processes info and Labels tabs are not supported for images scanned by Fargate Defenders.
      [Image: Fargate image compliance scan result]