Runtime Threat Mapping for AWS Fargate Serverless Deployments Using Deepfence

Deepfence Enterprise already provides support for protecting your workloads running on serverless platforms like AWS Fargate. We now announce the same enterprise quality support for serverless deployments in our community edition, ThreatMapper. Using ThreatMapper, you can now seamlessly secure your serverless deployments just like you monitor and secure your normal VMs.

In a previous article, we described the technical challenges in monitoring and securing AWS Fargate deployments. In this article, we will explain how to deploy ThreatMapper on your Fargate instances and monitor them like your other cloud workloads.

Before we dive in, you may be wondering … what is Deepfence ThreatMapper? Deepfence ThreatMapper enables you to visualize and scan an unlimited number of hosts, containers, and pods at runtime, as well as container images out of container registries, as part of CI/CD pipelines. In addition to this post about installing Deepfence ThreatMapper on AWS Fargate, you can also learn how to install Deepfence ThreatMapper on Amazon ECS, Azure AKS, and Google GKE, and how to use it to scan hosts and containers for vulnerabilities.

Getting Started

Deepfence installation consists of two components — the Deepfence Management Console, which is installed outside of the cluster being threat mapped, and super lightweight Deepfence sensors, which are deployed as a sidecar or daemon service depending upon the mode of deployment. For AWS Fargate, the Deepfence sensors are deployed as a sidecar container using a task definition.

Deepfence Threatmapper also supports Bottlerocket OS on Amazon ECS and EKS. Lightweight Bottlerocket OS with its reduced attack surface provides the perfect foundation for Deepfence to build our attack detection engine and ensure security and availability of your mission critical applications.

Installing Deepfence Management Console

We will briefly mention the steps for a single node installation of the Deepfence Management Console below:

1. Spin up a Linux VM instance with at least 4 CPU cores, 16GB RAM, and 120GB disk space. This configuration can support up to 250 nodes depending upon load. For larger clusters, you will need to upgrade the console as mentioned in Pre-requisites.

2. Download the docker compose file from here.

3. Run docker-compose as follows:
docker-compose -f docker-compose.yml up -d

Give it a few seconds and you are ready to register your product installation as described here.

Installing the Deepfence Sensor on AWS Fargate

1. Setup Amazon ECS by following the steps outlined here.

2. Give IAM permissions for ECS task execution role to access the required secrets as outlined here and here in detail, if needed. You may need to attach the AmazonECSTaskExecutionRolePolicy (and other policies allowing access to your stored secrets) to the IAM role to run Amazon ECS tasks.

3. On the AWS ECS home webpage, click on the task definition on the side panel to create a new standard task definition and select Fargate as the launch type and then go to Next step. You can configure the task definition either through JSON or using the AWS UI.

4. Edit Task Definition Name, Task Role, and Task Execution Role etc. as desired. Specify Task memory and Task CPU according to your requirements.

5. Click on the Add Container button to create a standard container for the Deepfence sensor. Set image as docker.io/deepfenceio/deepfence_agent_ce:fargate, in the environment section do NOT mark it as essential. You need to note down the name of the sensor’s container (FargateCommunityAgentSidecarScratch in our example), which you will have to specify in the Volumes From section in the application container task definition section later. Finally, click the Add button to create the Deepfence sensor container.

6. Click on the Add Container button to create a new container for your application by following the additional steps outlined below. If you have more than one application container, you will have to repeat these steps for each container.

6a. Setup the environment variables in the application task definitions as shown in the image below. DEEPFENCE_KEY (API key available on the settings →User Management tab on management console UI), DF_BACKEND_IP (IP address of Management Console), and DF_SERVERLESS (should be true for serverless instances) are required environmental variables for ThreatMapper. You will have to copy the appropriate API key and IP address.

If you are using JSON to configure your task definitions, you can use the following part in the appropriate container section of the task definition JSON after copying the appropriate IP address and API Key.

"environment": [
               {
                   "name": "DEEPFENCE_KEY",
                   "value": "XXXXXXXXX"
               },
               {
                   "name": "DF_BACKEND_IP",
                   "value": "0.0.0.0"
               },
               {
                   "name": "DF_SERVERLESS",
                   "value": "true"
               },
               {
                   "name": "SCOPE_HOSTNAME",
                   "value": "fargate-community"
               },
               {
                   "name": "USER_DEFINED_TAGS",
                   "value": ""
               }
           ],

6b. In the application container, update storage to allow read/write from the Deepfence sensor volume by specifying the sensor container name (created in step 5) in volumes from. Leave the Read only button unchecked as shown below.

If you are using JSON to configure your task definitions, you can copy the following settings to the appropriate container section of the JSON after changing the container name.

"volumesFrom": [
               {
                   "sourceContainer": "FargateCommunityAgentSidecarScratch",
                   "readOnly": false
               }
           ],

Finally, click the Create button to create the task definition for the deployment.

7. Now that the Deepfence sensor is available in the Fargate instance, you just need to invoke the sensor and application entry points to start the application with ThreatMapper enabled. This can be done in two ways. The first approach requires that you can change the application container image. Before building your application containers for deployment, add a call to start the ThreatMapper entry point at the beginning of the application entry point (or at any point before starting your application) as shown in the following example script. Note that the AWS Fargate instance will stop if any of the essential containers exit, so the user application has to be written accordingly.

#!/bin/bash -x
echo "Start Deepfence services... Console is $DF_BACKEND_IP"
/deepfence/usr/local/bin/deepfence-entry-point-scratch
############################################################
# Start the customer application entry point below...
############################################################
echo "Starting the customer application entry point below..."
#cust-entry-point.sh "$@"
echo "Block to avoid customer application container from exiting fargate."
/deepfence/usr/local/bin/block-scratch.sh
echo "customer entry-point is exiting...."

The second approach does not require any change in the application container. So, you can run the same image seamlessly on a VM, EC2 instance, or a Fargate instance. For this, you need to provide the Deepfence entry point with the application entry point and their arguments as a comma-delimited list in the Entry point field. Alternatively, you can provide the Deepfence entry point in the Entry point field and the application entry point along with their arguments in the Command field as shown below.

"entryPoint": [
               "/deepfence/usr/local/bin/deepfence-entry-point-scratch",
               "customer-entry-point.sh.sh",
               "param1",
               "param2"
           ],
--------------------------------------------------------------------
--------------------------------------------------------------------
"entryPoint": [
               "/deepfence/usr/local/bin/deepfence-entry-point-scratch"
           ],
           "command": [
               "customer-entry-point.sh.sh",
               "param1",
               "param2"
           ],

8. After creating your updated application containers and the task definitions, you can launch your AWS Fargate instance by clicking Run task in the actions dropdown of the task definition. Select Fargate as the launch type and choose the appropriate number of tasks, VPC, and security groups before launching the task. Fargate sensors should be able to access ports 8000–8010 on the console, so users need to make sure that security groups allow these outbound connections.

After a few minutes, the Fargate instance should show up on the UI.

Visualization and Scanning AWS Fargate Deployments for Vulnerabilities

You can visualize your Fargate instances from the topology tab of the Deepfence ThreatMapper console UI as shown below.

You can click on individual nodes in the topology view and initiate vulnerability scanning on those nodes by clicking the Vulnerability Scan button after the vulnerability database is populated. It can take up to 30–60 minutes for vulnerability database download (you can check the download status of the vulnerability database on the notification panel).

You can also initiate vulnerability scanning of any number of Fargate instances by using our APIs. You can visualize the vulnerabilities found on each node and a ranked list of the most Exploitable Vulnerabilities across nodes by navigating to Vulnerabilities tab. Users can tag and scan a subset of nodes by using user defined tags.

If you encounter any issues, please file a ticket on our ThreatMapper GitHub issue tracker. Please do not hesitate to give any feedback for improvement or to request any additional features.

If you’d like to learn more about Deepfence ThreatMapper or Deepfence Enterprise, please contact us to schedule a demo.