1. Overview

This guide shows you how to deploy Prisma Cloud Defenders in an ECS cluster.

Defender protects your containerized environment according to the policies you set in Prisma Cloud Console. It runs as a service in your ECS cluster. The parameters of the service are described in a task definition, and the task definition is written in JSON format. To automatically deploy an instance of Defender on each node in your cluster, you’ll run the Defender task as a daemon service.

This guide assumes you know very little about AWS ECS. As such, it is extremely prescriptive, and includes steps for building your cluster. If you are already familiar with AWS ECS and do not need assistance navigating the interface, simply read the section synopsis, which summarizes all key configurations.

1.1. Cluster context

Prisma Cloud can segment your environment by cluster. For example, you might have three clusters: test, staging, and production. The cluster pivot in Prisma Cloud lets you inspect resources and administer security policy on a per-cluster basis.

[Figure: Radar clusters pivot]

Defenders in each DaemonSet (on ECS, each daemon service) are responsible for reporting which resources belong to which cluster. When deploying a Defender DaemonSet, Prisma Cloud tries to determine the cluster name through introspection. First, it tries to retrieve the cluster name from the cloud provider. As a fallback, it tries to retrieve the name from the corresponding kubeconfig file saved in the credentials store. Finally, you can override these mechanisms by manually specifying a cluster name when deploying your Defender DaemonSet.

Both the Prisma Cloud UI and twistcli tool accept an option for manually specifying a cluster name. Let Prisma Cloud automatically detect the name for provider-managed clusters. Manually specify names for self-managed clusters, such as those built with kops.

Radar lets you explore your environment cluster-by-cluster. You can also create stored filters (also known as collections) based on cluster names. Finally, you can scope policy by cluster. Vulnerability and compliance rules for container images and hosts, runtime rules for container images, and trusted images rules can all be scoped by cluster name.

There are some things to consider when manually naming clusters:

  • If you specify the same name for two or more clusters, they’re treated as a single cluster.

  • For GCP, if you have clusters with the same name in different projects, they’re treated as a single cluster. Consider manually specifying a different name for each cluster.

  • Manually specifying names isn’t supported in Manage > Defenders > Manage > DaemonSet. This page lets you deploy and manage DaemonSets directly from the Prisma Cloud UI. For this deployment flow, cluster names are retrieved from the cloud provider or the supplied kubeconfig only.

2. Create a cluster

Create an empty cluster named pc-ecs-cluster. Later, you will create launch configurations and auto-scaling groups to start EC2 instances in the cluster.

  1. Log into the AWS Management Console.

  2. Go to Services > Containers > Elastic Container Service.

  3. Click Create Cluster.

  4. Select Networking only, then click Next Step.

  5. Enter a cluster name, such as pc-ecs-cluster.

  6. Click Create.

3. Deploy Defender

Create worker nodes in your ECS cluster, create a task definition for the Prisma Cloud Defender, and then create a service of type Daemon to deploy Defender to every node in the cluster.

If you already have worker nodes in your cluster, skip directly to creating the Defender task definition.

3.1. Create a launch configuration for worker nodes

Create a launch configuration named pc-worker-node that:

  • Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.

  • Uses the ecsInstanceRole IAM role.

  • Runs a user data script that registers the instance with pc-ecs-cluster. The script only joins the cluster; Defender itself is installed later by the daemon service described in section 3.4.

  1. Go to Services > Compute > EC2.

  2. In the left menu, click Auto Scaling > Launch Configurations.

  3. Click Create Launch Configuration

  4. In Name, enter a name for your launch configuration, such as pc-worker-node.

  5. In Amazon machine image, select Amazon ECS-Optimized Amazon Linux 2 AMI.

    AWS publishes the per-region list of Amazon ECS-optimized AMIs in the Amazon ECS documentation. You can also look up the current AMI ID for your region from the public SSM parameter /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id.

  6. Choose an instance type, such as t2.medium.

  7. Under Additional configuration:

    1. In IAM instance profile, select ecsInstanceRole.

    2. Under User data, select Text, and paste the following code snippet:

      #!/bin/bash
      echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config

      Where:

      • ECS_CLUSTER must match your cluster name. If you’ve named your cluster something other than pc-ecs-cluster, then modify your user data script accordingly. An instance with the wrong value starts normally but never registers with the cluster, so no Defender is ever scheduled on it.

    3. (Optional) In IP Address Type, select Assign a public IP address to every instance.

      With this option, you can easily SSH to this instance to troubleshoot issues. A public IP also makes the node reachable from the Internet, so restrict inbound SSH in the node’s security group to your own addresses rather than 0.0.0.0/0.

  8. Under Security groups:

    1. Select Select an existing security group.

    2. Select the security group for your worker nodes. This guide assumes one named pc-security-group already exists. It must allow outbound connections from the nodes to Prisma Cloud Console on the Defender communication port (TCP 8084 by default), or Defender will start but never connect.

  9. Under Key pair (login), select an existing key pair, or create a new key pair so that you can access your instances.

  10. Click Create launch configuration.

3.2. Create an auto scaling group for worker nodes

Launch two worker nodes into your cluster.

  1. Go to Services > Compute > EC2.

  2. In the left menu, click Auto Scaling > Auto Scaling Groups.

  3. Click Create an Auto Scaling group.

  4. In Choose launch template or configuration:

    1. In Auto Scaling group Name, enter pc-worker-autoscaling.

    2. In Launch template, click Switch to launch configuration.

    3. Select pc-worker-node.

    4. Click Next.

  5. Under Configure settings:

    1. In VPC, select your default VPC.

    2. In Subnet, select a public subnet, such as 172.31.0.0/20.

    3. Click Next.

  6. In Configure advanced options, accept the defaults, and click Next.

  7. In Configure group size and scaling policies:

    1. Set Desired capacity to 2.

    2. Leave Minimum capacity at 1.

    3. Set Maximum capacity to 2.

    4. Click Skip to review.

  8. Review the configuration and click Create Auto Scaling Group.

    After the auto scaling group spins up (it will take some time), validate that your cluster has two container instances.

    1. Go to Services > Containers > Elastic Container Service.

    2. The count for Container instances in your cluster should now be a total of two.
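The same worker-node setup (sections 3.1 and 3.2) done with the AWS CLI, as an added example that is not part of the Prisma Cloud guide. It assumes AWS CLI v2 with credentials and a default region configured, that the ecsInstanceRole instance profile exists, and that the security group, key pair and subnet you pass in already exist. Every name other than ecsInstanceRole and the SSM parameter is this example’s own choice and mirrors the names used in the guide.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud guide): provision ECS worker nodes
# with the AWS CLI instead of the console. Assumes AWS CLI v2 is configured
# and that ecsInstanceRole, the security group, key pair and subnet exist.
set -eu

CLUSTER="${CLUSTER:-pc-ecs-cluster}"
LAUNCH_CONFIG="${LAUNCH_CONFIG:-pc-worker-node}"
ASG_NAME="${ASG_NAME:-pc-worker-autoscaling}"
INSTANCE_TYPE="${INSTANCE_TYPE:-t2.medium}"
SECURITY_GROUP_ID="${SECURITY_GROUP_ID:-}"   # sg-... of your node security group (your value)
KEY_PAIR="${KEY_PAIR:-}"                     # existing EC2 key pair name (your value)
SUBNET_ID="${SUBNET_ID:-}"                   # public subnet ID, e.g. the 172.31.0.0/20 one

# User data for the launch configuration (section 3.1, step 7.2). It only
# registers the instance with the cluster; Defender arrives via the daemon service.
make_user_data() {
  printf '#!/bin/bash\necho ECS_CLUSTER=%s >> /etc/ecs/ecs.config\n' "$1"
}

# Current Amazon ECS-optimized Amazon Linux 2 AMI for the configured region,
# read from the public SSM parameter AWS maintains for it.
ecs_optimized_ami() {
  aws ssm get-parameters \
    --names /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id \
    --query 'Parameters[0].Value' --output text
}

# Number of container instances currently registered with a cluster.
count_container_instances() {
  aws ecs list-container-instances --cluster "$1" \
    --query 'length(containerInstanceArns)' --output text
}

provision() {
  : "${SECURITY_GROUP_ID:?set SECURITY_GROUP_ID}" "${KEY_PAIR:?set KEY_PAIR}" "${SUBNET_ID:?set SUBNET_ID}"
  aws ecs create-cluster --cluster-name "$CLUSTER" >/dev/null

  user_data=$(mktemp)
  make_user_data "$CLUSTER" > "$user_data"
  # The CLI base64-encodes the user data file for you.
  aws autoscaling create-launch-configuration \
    --launch-configuration-name "$LAUNCH_CONFIG" \
    --image-id "$(ecs_optimized_ami)" \
    --instance-type "$INSTANCE_TYPE" \
    --iam-instance-profile ecsInstanceRole \
    --security-groups "$SECURITY_GROUP_ID" \
    --key-name "$KEY_PAIR" \
    --user-data "file://$user_data"
  rm -f "$user_data"

  # Same sizing as section 3.2: minimum 1, desired 2, maximum 2.
  aws autoscaling create-auto-scaling-group \
    --auto-scaling-group-name "$ASG_NAME" \
    --launch-configuration-name "$LAUNCH_CONFIG" \
    --min-size 1 --max-size 2 --desired-capacity 2 \
    --vpc-zone-identifier "$SUBNET_ID"
}

# Poll until the cluster shows at least $1 container instances (the check at the
# end of section 3.2), giving up after $2 attempts of 20 seconds each.
wait_for_nodes() {
  expected=$1; attempts=${2:-30}; have=0
  while [ "$attempts" -gt 0 ]; do
    have=$(count_container_instances "$CLUSTER")
    if [ "$have" -ge "$expected" ]; then
      echo "cluster $CLUSTER has $have container instance(s)"; return 0
    fi
    attempts=$((attempts - 1)); sleep 20
  done
  echo "timed out: $have of $expected container instances registered" >&2
  return 1
}

case "${1:-}" in
  apply)  provision; wait_for_nodes 2 ;;
  status) count_container_instances "$CLUSTER" ;;
esac
```

Run it as `SECURITY_GROUP_ID=sg-... KEY_PAIR=... SUBNET_ID=subnet-... sh provision-nodes.sh apply`; `sh provision-nodes.sh status` prints the current container instance count. The ASG is created with the same 1/2/2 sizing the guide uses, and wait_for_nodes is the scripted form of the manual count check above, so a pipeline can fail instead of silently carrying on with fewer nodes than expected.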

3.3. Create a Prisma Cloud Defender task definition

Generate a task definition for Defender in Prisma Cloud Console.

  1. Log into Prisma Cloud Compute Console.

  2. Go to Manage > Defenders > Deploy > Defenders.

  3. In Deployment method, select Orchestrator.

  4. For orchestrator type, select ECS.

  5. In Specify a cluster name, leave the field blank.

    Console will automatically retrieve the cluster name from AWS. Only enter a value if you want to override the cluster name assigned in AWS.

  6. In Specify ECS task name, leave the field blank.

    By default, the task name is pc-defender.

  7. Click Download to download the task definition.

  8. Log into AWS.

  9. Go to Services > Containers > Elastic Container Service.

  10. In the left menu, click Task Definitions.

  11. Click Create new Task Definition.

  12. In Step 1: Select launch type compatibility, select EC2, then click Next step.

  13. In Step 2: Configure task and container definitions, scroll to the bottom of the page and click Configure via JSON.

  14. Delete the contents of the window, and replace it with the Prisma Cloud Console task definition you just generated.

  15. Click Save.

  16. (Optional) Change the name of the task definition before creating it. The default name is pc-defender.

  17. Click Create.

3.4. Start the Prisma Cloud Defender service

Create the Defender service using the task definition. With Daemon scheduling, ECS schedules exactly one Defender per node, including nodes that join the cluster later, so there is no desired count to maintain.

  1. Go to Services > Containers > Elastic Container Service.

  2. In the left menu, click Clusters.

  3. Click on your cluster.

  4. In the Services tab, click Create.

  5. In Step 1: Configure service:

    1. For Launch type, select EC2.

    2. For Task Definition, select pc-defender.

    3. In Service Name, enter pc-defender.

    4. In Service Type, select Daemon.

    5. Click Next Step.

  6. In Step 2: Configure network, accept the defaults, and click Next step.

  7. In Step 3: Set Auto Scaling, accept the defaults, and click Next step.

  8. In Step 4: Review, click Create Service.

  9. Click View Service.

  10. Verify that you have Defenders running on each node in your ECS cluster.

    1. Go to your Prisma Cloud Console and view the list of Defenders in Manage > Defenders > Manage. There should be two new Defenders that have been connected for a few minutes, one for each ECS instance in the cluster.
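Sections 3.3 and 3.4 scripted with the AWS CLI, together with a coverage check that goes beyond the manual look at the Defenders list: it compares the cluster’s container instances with the instances that host a running Defender task, and fails if any node is uncovered. This is an added example, not code from the Prisma Cloud guide or product. It assumes AWS CLI v2 with credentials, that the file downloaded from Console is saved as pc-defender.json and is accepted by register-task-definition as-is (if the CLI rejects read-only fields such as taskDefinitionArn or revision, remove them first), and the guide’s default names pc-ecs-cluster and pc-defender.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud guide): register the Console-generated
# task definition, start it as a daemon service, and verify that every container
# instance in the cluster runs a Defender task. Assumes AWS CLI v2 is configured
# and pc-defender.json is the file downloaded from Console (assumption: the CLI
# accepts it unchanged).
set -eu

CLUSTER="${CLUSTER:-pc-ecs-cluster}"
SERVICE="${SERVICE:-pc-defender}"
TASK_DEF_FILE="${TASK_DEF_FILE:-pc-defender.json}"

deploy() {
  # Register the task definition; capture the resulting family:revision.
  task_def=$(aws ecs register-task-definition --cli-input-json "file://$TASK_DEF_FILE" \
    --query 'taskDefinition.[family,revision]' --output text | tr '\t' ':')
  # DAEMON scheduling places one task on every container instance, including
  # instances that join the cluster later; no desired count is given.
  aws ecs create-service --cluster "$CLUSTER" --service-name "$SERVICE" \
    --task-definition "$task_def" --launch-type EC2 --scheduling-strategy DAEMON \
    --query 'service.[serviceName,schedulingStrategy]' --output text
}

# All container instance ARNs in the cluster, one per line.
list_nodes() {
  aws ecs list-container-instances --cluster "$1" \
    --query 'containerInstanceArns[]' --output text | tr '\t' '\n'
}

# Container instance ARNs that host a RUNNING task of the Defender service.
list_covered_nodes() {
  tasks=$(aws ecs list-tasks --cluster "$1" --service-name "$2" \
    --desired-status RUNNING --query 'taskArns[]' --output text)
  [ -n "$tasks" ] && [ "$tasks" != "None" ] || return 0
  # Word-splitting $tasks into separate ARNs is intended here.
  aws ecs describe-tasks --cluster "$1" --tasks $tasks \
    --query 'tasks[?lastStatus==`RUNNING`].containerInstanceArn' --output text | tr '\t' '\n'
}

# Pure set difference over two newline-separated files: print entries of $1
# (all nodes) that are absent from $2 (covered nodes). Returns 1 when any node
# lacks a Defender so the check can gate a pipeline step. Works on any lists.
uncovered_nodes() {
  all=$(mktemp); covered=$(mktemp)
  sort -u "$1" > "$all"; sort -u "$2" > "$covered"
  missing=$(comm -23 "$all" "$covered")
  rm -f "$all" "$covered"
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

verify() {
  nodes=$(mktemp); covered=$(mktemp)
  list_nodes "$CLUSTER" > "$nodes"
  list_covered_nodes "$CLUSTER" "$SERVICE" > "$covered"
  if uncovered_nodes "$nodes" "$covered"; then
    echo "every container instance in $CLUSTER runs a $SERVICE task"; rc=0
  else
    echo "the container instances above have no running $SERVICE task" >&2; rc=1
  fi
  rm -f "$nodes" "$covered"
  return "$rc"
}

case "${1:-}" in
  deploy) deploy ;;
  verify) verify ;;
esac
```

Run `sh deploy-defender.sh deploy` once, give the tasks a minute to pull the image and connect to Console, then `sh deploy-defender.sh verify`. A non-zero exit lists the container instance ARNs that have no running pc-defender task; the usual causes are an instance that never registered with the cluster (wrong ECS_CLUSTER in user data) or a task stuck in PENDING because the node cannot reach the image registry or Console. Cross-check the count against Manage > Defenders > Manage in Console, which should show one connected Defender per container instance.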