1. Overview

AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts. Each container is defined as part of a task and several containers can be run as part of the same task.

Prisma Cloud can scan your Fargate tasks for image vulnerabilities. To see the scan report for your Fargate task images, go to Monitor > Vulnerabilities > Images and filter the table with Fargate:Select.

Prisma Cloud Compute labels all containers running within the same task as if they run on the same host. For containers that are running in Fargate, the Host column will contain the Fargate task identifier.

2. Create vulnerability rules to scan Fargate tasks

Create a vulnerability rule for Fargate tasks in scope.

  1. Login to the Console.

  2. Go to Defend > Vulnerabilities > Images > Deployed.

  3. Click Add rule.

  4. Enter a rule name.

  5. Click Scope to select a relevant collection, or create a new one for your Fargate tasks:

    1. Click Add collection.

    2. Enter collection name.

    3. In the host field, enter the name of the required Fargate task, or a name with a postfix wildcard.

      For example: fargate, fargate-vulnerability-compliance-task.

    4. Click Save.

    5. Select the new fargate task collection.

    6. Click Select collection.

  6. Click Save.

    Block action doesn’t apply to Fargate tasks.

3. Deploy Fargate task

Deploy the fargate-vulnerability-compliance-task Fargate task (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.

3.1. Example Fargate task

You can use the following task definition to test Prisma Cloud's Fargate Defender. The task deploys an ubuntu:18.04 container and runs a command that copies /bin/sleep to /tmp/xmrig (/bin/sh -c 'cp /bin/sleep /tmp/xmrig ...'), which triggers the "Image contains binaries used for crypto mining" compliance check.

{
  "containerDefinitions": [
     {
        "command": [
           "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
        ],
        "entryPoint": [
           "sh",
           "-c"
        ],
        "essential": true,
        "image": "ubuntu:18.04",
        "logConfiguration": {
           "logDriver": "awslogs",
           "options": {
              "awslogs-group" : "/ecs/fargate-task-definition",
              "awslogs-region": "us-east-1",
              "awslogs-stream-prefix": "ecs"
           }
        },
        "name": "Fargate-vul-comp-test",
        "portMappings": [
           {
              "containerPort": 80,
              "hostPort": 80,
              "protocol": "tcp"
           }
        ]
     }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
     "FARGATE"
  ]
}

4. View vulnerability scan results

View the scan results in Console.

If a Fargate task runs a container as a non-root user, the vulnerability and compliance scan encounters permission denied errors. These errors are only visible if you download the Defender logs; the scan continues despite them.

  1. Navigate to Monitor > Vulnerabilities > Images > Deployed and validate that the deployed image appears and contains vulnerabilities.

  2. To see all images that are related to Fargate tasks, filter the image table by adding the Fargate:Select filter. You can also filter the results by a specific task name or a postfix wildcard, for example fargate-task or fargate-task*. Use the Hosts: filter to filter the table specifically by hosts.

  3. Search for the fargate-vulnerability-compliance-task Fargate task.

  4. Click on the image to view image details.

    1. The associated vulnerabilities appear under the Vulnerabilities tab.

    2. Under the Compliance tab, see the following compliance issue: Image contains binaries used for crypto mining.

    3. See the related Fargate tasks under the Environment > Fargate Tasks tab.

      The Host column shows the number of hosts and Fargate tasks that this image is associated with.
      The Runtime, Layers, Processes info, and Labels tabs are not supported for images scanned by Fargate Defenders.
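The following pre-deployment check is an added example, not part of the Prisma Cloud documentation or product. It covers two points from this page: whether a task family name falls into a collection defined with a postfix wildcard (assumed here to mean a trailing *, as in fargate-task*), and which containers in a task definition run as a non-root user and will therefore scan with permission denied errors in the Defender logs. The task definition is a constructed, trimmed copy of the page's example with a hypothetical non-root sidecar added.

```python
import json

# Constructed sample: trimmed copy of the page's task definition plus a
# hypothetical second container that runs as a non-root user.
TASK_DEFINITION = json.loads("""
{
  "family": "fargate-vulnerability-compliance-task",
  "containerDefinitions": [
    {"name": "Fargate-vul-comp-test", "image": "ubuntu:18.04", "essential": true},
    {"name": "sidecar-nonroot", "image": "ubuntu:18.04", "user": "1000:1000"}
  ]
}
""")


def matches_collection(pattern: str, name: str) -> bool:
    """Postfix-wildcard match as assumed for the collection host field:
    'fargate-task' matches only itself, 'fargate-task*' matches any name
    beginning with 'fargate-task'. Wildcards elsewhere are not honoured."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def nonroot_containers(task_def: dict) -> list[str]:
    """Names of containers that run as a non-root user. The scan still
    completes for them, but Defender logs permission denied errors, so
    flag them before deploying."""
    flagged = []
    for container in task_def.get("containerDefinitions", []):
        # ECS 'user' may be 'user', 'user:group', a numeric UID, or absent (root).
        user = str(container.get("user", "root")).strip()
        uid = user.split(":")[0]
        if uid not in ("", "root", "0"):
            flagged.append(container["name"])
    return flagged


def precheck(task_def: dict, collection_patterns: list[str]) -> dict:
    """Report whether the task family is in scope of any collection pattern
    and which containers will produce scan errors."""
    family = task_def["family"]
    return {
        "family": family,
        "in_scope": any(matches_collection(p, family) for p in collection_patterns),
        "nonroot_containers": nonroot_containers(task_def),
    }


if __name__ == "__main__":
    print(json.dumps(precheck(TASK_DEFINITION, ["fargate*"]), indent=2))
```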