Introducing Container & Workload Security for AWS Fargate
April 22, 2021
AWS Fargate is a serverless compute engine that lets organizations run containers at scale without provisioning or managing servers. That frees teams to focus on building applications, so it is no wonder that Fargate runs on nearly 1/3 of all AWS container environments. As with other cloud services, though, the shared responsibility model still applies: AWS is responsible for securing the Fargate infrastructure, while customers remain responsible for what happens inside their Fargate-based applications, including the container images, the application code, and how those workloads behave at runtime.
If you have already made the switch to Fargate, or are considering a move, Lacework can provide the visibility and threat detection you need.
Visibility and Security for your Fargate Attack Surface
Lacework has just announced continuous security observability and threat detection for AWS Fargate containers. Native support for AWS Fargate means developers can use Fargate with confidence, and security teams can apply Lacework container security to an even broader range of container services.
Lacework delivers native Fargate security support, reducing the attack surface and detecting threats in a containerized environment. The platform automatically discovers every Fargate container across your environment and clusters them by behavior. It then visualizes your applications in real time, giving a clear picture of communications, launches, and other cloud runtime behaviors. This allows you to:
- Monitor hosts, containers on hosts, containers on Kubernetes, and containers as a service (such as Fargate) on the same platform, through a single pane of glass
- Understand which Fargate containers are running, applications running within them, and relationships of those applications to other applications and services
- Eliminate the need to write cumbersome rules to detect threats to your Fargate containers
- Distinguish the container vulnerabilities that actually leave you exposed from those that do not
- Choose the deployment model that fits your environment: inside the container image, or as a sidecar container in the same task
Helping Customers Accelerate Fargate Usage with Confidence
Lacework has been offering Fargate support through our early access program for several months. Dozens of Lacework customers have already gained this level of visibility and security for their Fargate containers.
For more information about the other AWS-related capabilities that Lacework recently announced, visit the blog “Lacework Expands Security, Visibility, and Automation Across AWS Environments”.
Following is a transcript of the embedded video “Securing Your Containers Running on Fargate with Lacework”
At Lacework, we support AWS ECS Fargate. As you likely know, Fargate is a serverless offering from AWS that allows users to run containers without needing to own or manage any compute infrastructure. It’s elastic compute capacity that runs at cloud scale.
In this demo, instead of showing the host, we will show the Fargate task definition. Though it’s listed as a host, this is actually the task definition. Fargate is really its own runtime platform. Our detections are going to be the same as if this were a host, a container, or Kubernetes.
We will show the tasks as running containers. We will also see network- and container-level visibility. We’re baselining this container, so we have the command-line arguments that are passed in and the processes that are running in these containers. All the network, process, and user-level visibility into these containers is there.
With this in mind, we will just show the host that has that particular Fargate task. So for this event, we’re actually showing that this is a malicious event. It’s a bad external server host connection. It’s a connection to a known bad external IP, which is connecting via TCP/IP to this Fargate task. And it’s not just the one; it’s about 30 in total.
From here our dossier tells you the why, who, what, when, and where of this event. It shows you all of the information that you would need to know to understand what you need to do to track this event. We’re also going to provide a Polygraph that lets you know where the traffic becomes malicious. In this case, we can see from this Docker container, it’s going to this malicious website.
Of course, we’re going to provide some Whois record data, as well as further evidentiary information within our cards. In this case, we are looking at the TCP external server connections detail cards, and we can see here, where the traffic is actually flagged as malicious, and as we scroll down we can see where it is not. You can also tell that there was a big traffic increase in that malicious content.
So this is how we handle Fargate, and we’re going to provide a lot of great contextual information, as we do throughout the entire Lacework platform. If you need further information, please check out support.lacework.com.
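The detection the demo walks through, reduced to runnable logic as an added example (this is not Lacework's code and is not from the video): constructed connection records for one Fargate task, a constructed known-bad IP list and a constructed per-task-family baseline, and two functions that produce the facts the dossier and the TCP external server connections card surface: which containers in which task talked to a known-bad or never-before-seen external destination, how many times, over what time span, how much they sent, and how bytes sent jumped from one window to the next. The task ARN, the task family name, the IP addresses (TEST-NET documentation ranges), and the record layout are all assumptions made for the example.

```python
"""Detection logic over constructed Fargate task connection records.

Added example; not Lacework's code and not taken from the page. It reproduces
the shape of the demo's event: containers in one ECS Fargate task open about
30 TCP connections to a known-bad external IP that is absent from the task's
behavioral baseline, with a sharp rise in bytes sent. Every record, ARN, IP
and list below is constructed; the TEST-NET ranges are never routable.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

KNOWN_BAD_IPS = {"203.0.113.77"}                                  # constructed threat-intel list
BASELINE = {"web-api": {"198.51.100.10", "198.51.100.11"}}        # constructed per-family baseline
TASK_ARN = "arn:aws:ecs:us-east-1:123456789012:task/demo/0123456789abcdef"  # constructed

# RFC 1918 plus loopback and link-local, checked explicitly: ipaddress.is_private
# also covers the TEST-NET documentation ranges this sample uses as "external".
VPC_INTERNAL = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Conn:
    ts: int            # epoch seconds (constructed)
    task_family: str   # ECS task definition family (what the demo lists as the "host")
    task_arn: str
    container: str     # container name within the task
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass
class Event:
    """One row of the dossier: why it fired, how often, how much, who, and when."""
    reasons: set = field(default_factory=set)
    count: int = 0
    bytes_out: int = 0
    containers: set = field(default_factory=set)
    first_ts: Optional[int] = None
    last_ts: Optional[int] = None


def is_external(ip: str) -> bool:
    """Only destinations outside the VPC are candidates for an external-server event."""
    addr = ip_address(ip)
    return not any(addr in net for net in VPC_INTERNAL)


def detect_external_anomalies(conns, known_bad=KNOWN_BAD_IPS, baseline=BASELINE):
    """Flag external connections that hit a known-bad IP or leave the task's baseline.

    Returns {(task_family, dst_ip): Event}. A destination can carry both reasons;
    a baselined destination that is not on the threat list is never flagged.
    """
    events = {}
    for c in conns:
        if not is_external(c.dst_ip):
            continue
        reasons = set()
        if c.dst_ip in known_bad:
            reasons.add("known_bad_ip")
        if c.dst_ip not in baseline.get(c.task_family, set()):
            reasons.add("new_destination")
        if not reasons:
            continue
        ev = events.setdefault((c.task_family, c.dst_ip), Event())
        ev.reasons |= reasons
        ev.count += 1
        ev.bytes_out += c.bytes_out
        ev.containers.add(c.container)
        ev.first_ts = c.ts if ev.first_ts is None else min(ev.first_ts, c.ts)
        ev.last_ts = c.ts if ev.last_ts is None else max(ev.last_ts, c.ts)
    return events


def bytes_by_window(conns, dst_ip, window_secs):
    """Bytes sent to dst_ip per fixed window, sorted by window start; a jump between
    windows is the "big traffic increase" the demo points at in the detail card."""
    totals = defaultdict(int)
    for c in conns:
        if c.dst_ip == dst_ip:
            totals[c.ts - c.ts % window_secs] += c.bytes_out
    return dict(sorted(totals.items()))


def constructed_sample():
    """Constructed connection records for one Fargate task (not real telemetry)."""
    conns = [
        Conn(995, "web-api", TASK_ARN, "app", "10.0.3.21", 5432, 800),       # VPC-internal, ignored
        Conn(996, "web-api", TASK_ARN, "app", "198.51.100.10", 443, 1200),   # baselined, not flagged
        Conn(997, "web-api", TASK_ARN, "app", "198.51.100.50", 443, 300),    # new, but not known-bad
    ]
    # 30 connections to the known-bad IP from two containers; volume ramps up after the first 10.
    for i in range(30):
        conns.append(Conn(1000 + 10 * i, "web-api", TASK_ARN,
                          "app" if i % 2 == 0 else "worker",
                          "203.0.113.77", 443, 100 if i < 10 else 5000))
    return conns


if __name__ == "__main__":
    sample = constructed_sample()
    for key, ev in detect_external_anomalies(sample).items():
        print(key, sorted(ev.reasons), ev.count, ev.bytes_out,
              sorted(ev.containers), ev.first_ts, ev.last_ts)
    print(bytes_by_window(sample, "203.0.113.77", 100))
```

Two things in this example are worth carrying into any real implementation. First, the baseline is keyed by task definition family rather than by task ARN, because Fargate tasks are replaced constantly and a per-ARN baseline would never converge. Second, "external" is decided with an explicit VPC range list rather than `ipaddress.is_private`, which would silently drop the TEST-NET addresses used here and, in production, should be replaced by the VPC CIDRs actually in use.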