1. Overview

This quickstart guide shows you how to deploy Prisma Cloud defenders on a simple cluster that has two worker nodes.

Defender protects your containerized environment according to the policies you set in Prisma Cloud Console.

To automatically deploy an instance of Defender on each worker node in your cluster, you will use a user data script in the worker node launch configuration. User data scripts run custom configuration commands when a new instance is started. You will set up the user data script to call the Prisma Cloud API to download, install, and start Defender.

This guide assumes you know very little about AWS ECS. As such, it is extremely prescriptive. If you are already familiar with AWS ECS and do not need assistance navigating the interface, simply read the section synopsis, which summarizes all key configurations.
We assume you are deploying Prisma Cloud to the default VPC. If you are not using the default VPC, adjust your settings accordingly.

2. Key details

There are a number of AWS resource identifiers and other details that are used throughout the install procedure. You should create a list of the following details for easy retrieval during the installation process.

Cluster name: retain this after creating the ECS cluster. Default value: pc-ecs-cluster.

Security group name: retain this after creating the security group. Default value: pc-security-group.

Console: retain this when instructed how to retrieve the Console API address.

Token: retain this when instructed how to retrieve the authentication API token.

installBundle: retain this when instructed how to retrieve the installBundle.

Access Token: Access token for Prisma Cloud.

Version: The version of Prisma Cloud you are currently using, for example 20_04_169

3. Create a cluster

Create an empty cluster named pc-ecs-cluster. Later, you will create launch configurations and auto-scaling groups to start EC2 instances in the cluster.

  1. Log into the AWS Management Console.

  2. Go to Services > Containers > Elastic Container Service.

  3. Click Create Cluster.

  4. Select Networking only, then click Next Step.

  5. Enter a cluster name, such as pc-ecs-cluster.

  6. Click Create.

4. Create a security group

Create a new security group named pc-security-group that opens port 8084. This security group will be associated with the EC2 instances started in your cluster.

Defender and Console communicate over a secure web socket on port 8084.

An inbound connection to port 2049 is required to set up NFS.

Open port 22 so that you can SSH to any machine in the cluster.

Additional hardening can be applied to the rules below as desired, for example limiting access to port 22 to only the IP addresses from which you plan to connect to your instances via SSH.

  1. Go to Services > Compute > EC2.

  2. In the left menu, click NETWORK & SECURITY > Security Groups.

  3. Click Create Security Group.

  4. In Security group name, enter a name, such as pc-security-group.

  5. In Description, enter Prisma Cloud ports.

  6. In VPC, select your default VPC.

  7. Under the Inbound rules section, click Add Rule.

    1. Under Type, select Custom TCP.

    2. Under Port Range, enter 2049.

    3. Under Source, select Anywhere.

  8. Under the Inbound rules section, Click Add Rule.

    1. Under Type, select SSH.

    2. Under Source, select Anywhere.

  9. Click Create.

5. Deploy Defender

Launch an infrastructure node that runs in the cluster

You are now ready to deploy your worker nodes. You will create worker nodes that run in the cluster, an ECS Task Definition for the Prisma Cloud Defender, then create a service of type Daemon to ensure that the Defender is deployed across your ECS cluster.

5.1. Create a launch configuration for worker nodes

Create a launch configuration named pc-worker-node that:

  • Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.

  • Uses the ecsInstanceRole IAM role.

  • Runs a user data script that joins the pc-ecs-cluster and runs the commands required to install Defender.

  1. Go to Services > Compute > EC2.

  2. In the left menu, click AUTO SCALING > Launch Configurations.

  3. Click Create Launch Configuration.

  4. Choose an AMI:

    1. Click AWS Marketplace.

    2. In the search box, enter Amazon ECS-Optimized Amazon Linux 2 AMI.

    3. Click Select for Amazon ECS-Optimized Amazon Linux 2 AMI.

  5. Choose an instance type.

    1. Select t2.medium.

    2. Click Next: Configure details.

  6. Configure details.

    1. In Name, enter a name for your launch configuration, such as pc-worker-node.

    2. In IAM role, select ecsInstanceRole.

    3. Select Enable CloudWatch detailed monitoring.

    4. Expand Advanced Details.

    5. In User Data, enter the following text:

      #!/bin/bash
      echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config

      Where:

      • ECS_CLUSTER must match your cluster name. If you’ve named your cluster something other than pc-ecs-cluster, then modify your User Data script accordingly.

    6. (Optional) Under IP Address Type, select Assign a public IP address to every instance.

      With this option, you can easily SSH to any worker nodes instances and troubleshoot issues.

    7. Click Next: Add Storage.

  7. Add Storage.

    • Accept the defaults, and click Next: Configure Security Group.

  8. Configure security group.

    1. Under Assign a security group, choose Select an existing security group.

    2. Select pc-security-group.

    3. Click Review.

  9. Review.

    • Review the configuration and select Create launch configuration.

  10. Select an existing key pair, or create a new key pair so that you can access your instance.

5.2. Create an auto scaling group for the worker nodes

Launch two worker nodes into your cluster.

  1. Go to Services > Compute > EC2.

  2. In the left menu, click AUTO SCALING > Auto Scaling Groups.

  3. Click Create Auto Scaling group:

    1. Select Launch Configuration

    2. Select pc-worker-node.

    3. Click Next Step.

  4. Configure Auto Scaling group details:

    1. In Group Name, enter pc-worker-autoscaling.

    2. Set Group size to 2.

    3. Under Network, select your default VPC.

    4. Under Subnet, select a public subnet, such as 172.31.0.0/20.

    5. Click Next: Configure scaling policies.

  5. Configure scaling policies.

    1. Select Keep this group at its initial size.

    2. Click Next: Configure Notifications.

  6. Configure Notifications.

    1. Click Next: Configure Tags.

  7. Configure Tags.

    1. Under Key, enter Name.

    2. Under Value, enter pc-worker-node.

    3. Click Review.

  8. Review the configuration and click Create Auto Scaling Group.

  9. After the auto scaling group spins up (it will take some time), validate that your cluster has two container instances.

    1. Go to Services > Containers > Elastic Container Service.

    2. The count for Container instances in your cluster should now be a total of two.

5.3. Generate install bundle for Defender

Generate the install bundle that will be used in Defender’s task definition.

  1. Retrieve Console’s API address:

    1. Sign into Prisma Cloud.

    2. Go to Compute > Manage > System > Downloads.

    3. Copy and retain the URL under Path to Console. This address will be used for API calls.

  2. Retrieve API access token

    1. Sign into Prisma Cloud.

    2. Go to Compute > Manage > Authentication > User Certificates.

    3. Copy and retain the API token.

  3. Retrieve the service parameter from the Prisma Cloud API.

    $ curl -k -s \
      -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <token>' \
      -X GET \
      https://<Console>/api/v1/certs/service-parameter \
      -o service-parameter
    • Replace <token> with the retrieved API token from Compute > Manage > Authentication > User Certificates.

    • Replace <Console> with the retrieved Console address URL from the Compute > Manage > System > Downloads tab. Use the full string; for example, the URL may look like https://us-region1.cloud.twistlock.com/us-1-234567.

  4. Ensure the jq package is installed.

  5. Retrieve and retain the installBundle from the Prisma Cloud API:

    $ curl -k \
      -H 'Content-Type: application/json' \
      -H 'Authorization: Bearer <token>' \
      -X GET \
      "https://<Console>/api/v1/defenders/install-bundle?consoleaddr=<ConsoleAddr>&defenderType=appEmbedded" | jq -r '.installBundle' > install-bundle
    • Replace <token> with the retrieved API token from Compute > Manage > Authentication > User Certificates.

    • Replace <Console> with the retrieved Console address URL from the Compute > Manage > System > Downloads tab. Use the full string; for example, the URL may look like https://us-region1.cloud.twistlock.com/us-1-234567.

    • Replace <ConsoleAddr> with the host part of the URL (without the scheme and the ID). For example, if the URL looks like https://us-region1.cloud.twistlock.com/us-1-234567, use just "us-region1.cloud.twistlock.com".

6. Create a Prisma Cloud Defender task definition

Prisma Cloud provides a task definition template for Defender. Download the template, then update the variables specific to your environment. Finally, load the task definition in ECS.

  1. Download the Prisma Cloud Defender task definition, and open it for editing.

  2. Apply the following changes to the task definition:

    1. Modify the WS_ADDRESS parameter to the DNS of the Console.

      • <CONSOLE-DNS> - The URL retrieved for your Console without the https:// prefix and the ID suffix. For example, the URL retrieved for your Console would look similar to https://us-west1.cloud.twistlock.com/us-0-123456789. Use just us-west1.cloud.twistlock.com for the wss address: wss://us-west1.cloud.twistlock.com

      • <PORT> — Use 443.

    2. <INSTALL-BUNDLE> — Output from the installBundle endpoint.

    3. <SERVICE-PARAMETER> — Output from the service-parameter endpoint.

    4. Update the value for image to point to Prisma Cloud’s public registry by replacing the following placeholder strings with the appropriate values:

      • <ACCESS-TOKEN> — Your Prisma Cloud access token. This is located in your Console under Manage > System > Intelligence.

        All characters must be lowercase.

        To convert your access token to lowercase, run:

        $ echo <ACCESS-TOKEN> | tr '[:upper:]' '[:lower:]'
      • <VERSION> — Version of the Defender image to use.

        For example: for version 20.04.177, specify 20_04_177. The image will look similar to defender:defender_20_04_177.
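The following script is an added example and is not part of the Prisma Cloud documentation or the project's own tooling. It performs the two API calls from section 5.3 and then fills in the placeholders from section 6 (<CONSOLE-DNS>, <PORT>, <INSTALL-BUNDLE>, <SERVICE-PARAMETER>, <ACCESS-TOKEN>, <VERSION>) in a task definition template. Everything beyond the endpoints and placeholder names on the page is this example's own: the function names, the PC_* variable names, the sample template fragment (including its registry host and environment variable names), and the choice to keep TLS verification on instead of using curl -k.

```shell
#!/bin/sh
# Added example, not part of the Prisma Cloud documentation: the API calls
# from section 5.3 and the placeholder substitution from section 6 as one
# script. Function names, variable names and the sample template are this
# example's own; only the endpoints and placeholders come from the page.
set -eu

# console_host URL: drop the scheme and the tenant ID path segment.
# https://us-region1.cloud.twistlock.com/us-1-234567 -> us-region1.cloud.twistlock.com
console_host() {
    h=${1#https://}
    h=${h#http://}
    printf '%s\n' "${h%%/*}"
}

# version_tag VERSION: 20.04.177 -> 20_04_177 (the suffix in defender_20_04_177)
version_tag() { printf '%s\n' "$1" | tr . _; }

# lowercase_token TOKEN: the image path requires the access token in lowercase.
lowercase_token() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# fetch_from_console CONSOLE_URL API_TOKEN: the two GET calls from section 5.3.
# TLS verification stays on (no curl -k), and -f turns an HTTP error into a
# non-zero exit instead of silently writing an error page into the files.
fetch_from_console() {
    curl -fsS -H "Authorization: Bearer $2" \
        "$1/api/v1/certs/service-parameter" -o service-parameter
    curl -fsS -H "Authorization: Bearer $2" \
        "$1/api/v1/defenders/install-bundle?consoleaddr=$(console_host "$1")&defenderType=appEmbedded" \
        | jq -r '.installBundle' > install-bundle
    [ -s service-parameter ] && [ -s install-bundle ]
}

# render_task_definition TEMPLATE OUT CONSOLE_URL ACCESS_TOKEN VERSION BUNDLE_FILE PARAM_FILE
# Literal replacement in awk (index/substr) rather than sed: the install bundle
# and service parameter can contain / and &, which sed's s command treats specially.
render_task_definition() {
    PC_CONSOLE_DNS=$(console_host "$3")
    PC_ACCESS_TOKEN_LC=$(lowercase_token "$4")
    PC_VERSION_TAG=$(version_tag "$5")
    PC_INSTALL_BUNDLE=$(cat "$6")
    PC_SERVICE_PARAMETER=$(cat "$7")
    export PC_CONSOLE_DNS PC_ACCESS_TOKEN_LC PC_VERSION_TAG PC_INSTALL_BUNDLE PC_SERVICE_PARAMETER
    awk '
    function repl(s, pat, val,   out, i) {
        out = ""
        while ((i = index(s, pat)) > 0) {
            out = out substr(s, 1, i - 1) val
            s = substr(s, i + length(pat))
        }
        return out s
    }
    {
        line = $0
        line = repl(line, "<CONSOLE-DNS>",       ENVIRON["PC_CONSOLE_DNS"])
        line = repl(line, "<PORT>",              "443")
        line = repl(line, "<INSTALL-BUNDLE>",    ENVIRON["PC_INSTALL_BUNDLE"])
        line = repl(line, "<SERVICE-PARAMETER>", ENVIRON["PC_SERVICE_PARAMETER"])
        line = repl(line, "<ACCESS-TOKEN>",      ENVIRON["PC_ACCESS_TOKEN_LC"])
        line = repl(line, "<VERSION>",           ENVIRON["PC_VERSION_TAG"])
        print line
    }' "$1" > "$2"
}

# write_sample_template FILE: a constructed fragment carrying the page's
# placeholders. It is NOT the real Prisma Cloud template; registry.example and
# the environment variable names are stand-ins for what the downloaded file has.
write_sample_template() {
    cat > "$1" <<'EOF'
{
  "family": "pc-defender",
  "containerDefinitions": [{
    "image": "registry.example/<ACCESS-TOKEN>/defender:defender_<VERSION>",
    "environment": [
      {"name": "WS_ADDRESS", "value": "wss://<CONSOLE-DNS>:<PORT>"},
      {"name": "INSTALL_BUNDLE", "value": "<INSTALL-BUNDLE>"},
      {"name": "SERVICE_PARAMETER", "value": "<SERVICE-PARAMETER>"}
    ]
  }]
}
EOF
}

if [ -n "${PC_CONSOLE:-}" ]; then
    # Real run: PC_CONSOLE (full Console URL), PC_API_TOKEN, PC_ACCESS_TOKEN and
    # PC_VERSION are set, and the downloaded template is pc-defender-template.json.
    fetch_from_console "$PC_CONSOLE" "$PC_API_TOKEN"
    render_task_definition pc-defender-template.json pc-defender.json \
        "$PC_CONSOLE" "$PC_ACCESS_TOKEN" "$PC_VERSION" install-bundle service-parameter
    echo "wrote pc-defender.json"
else
    # Offline demo with constructed inputs (no Console needed).
    d=$(mktemp -d)
    write_sample_template "$d/template.json"
    printf '%s\n' 'sample/bundle+with&chars=' > "$d/install-bundle"
    printf '%s\n' 'sample-service-parameter' > "$d/service-parameter"
    render_task_definition "$d/template.json" "$d/pc-defender.json" \
        https://us-region1.cloud.twistlock.com/us-1-234567 ABCDEF0123 20.04.177 \
        "$d/install-bundle" "$d/service-parameter"
    cat "$d/pc-defender.json"
fi
```

Run it with no variables set to see the constructed template rendered; for a real run, export PC_CONSOLE, PC_API_TOKEN, PC_ACCESS_TOKEN and PC_VERSION and place the downloaded template beside the script. The API token is passed to curl on its command line, so it is visible in the process list on a shared machine; on such hosts, prefer curl's -H @file form or a netrc file.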

  3. Go to Services > Containers > Elastic Container Service.

  4. In the left menu, click Task Definitions.

  5. Click Create new Task Definition.

  6. In Step 1: Select launch type compatibility, select EC2, then click Next step.

  7. In Step 2: Configure task and container definitions, scroll to the bottom of the page and click Configure via JSON.

  8. Delete the contents of the window, and replace it with the Prisma Cloud Console task definition

  9. Click Save.

    1. (Optional) Change the task definition name before creating. The JSON will default the name to pc-defender.

  10. Click Create.

6.1. Launch the Prisma Cloud Defender service

Create the Defender service using the previously defined task definition. Using Daemon scheduling, one Defender will run per node in your cluster.

  1. Go to Services > Containers > Elastic Container Service.

  2. In the left menu, click Clusters.

  3. Click on your cluster.

  4. In the Services tab, click Create.

  5. In Step 1: Configure service:

    1. For Launch type, select EC2.

    2. For Task Definition, select pc-defender.

    3. In Service Name, enter pc-defender.

    4. In Service Type, select Daemon.

    5. Click Next Step.

  6. In Step 2: Configure network, accept the defaults, and click Next step.

  7. In Step 3: Set Auto Scaling, accept the defaults, and click Next step.

  8. In Step 4: Review, click Create Service.

  9. Click View Service.

  10. Verify that you have Defenders running on each node in your ECS cluster.

    • Go to your Prisma Cloud Console and view the list of Defenders in Manage > Defenders > Manage. Within a few minutes you should see two new Defenders connected, one for each of the two ECS instances.