Carbon Black Container - ECS Agent


Overview

Run the Carbon Black Containerized Sensor Agent on your ECS cluster to enable Endpoint Detection and Container Scanning security features.

Use Cases

  • Detect and enforce EDR capabilities with container context on your ECS cluster.
  • Detect vulnerabilities, malware and secrets on deployed containers in your ECS cluster.

Requirements

  • ECS Cluster
  • Carbon Black Cloud Container
  • API key with appropriate permissions. See Authentication for details.

Installation

To install the agent, you need to:

  • Register the agent task definition.
  • Run the agent task definition as ECS Service.

ECS Task Definition


  1. Fill the agent task definition with the environment variables from the setup wizard (they go in the environment list, in place of the comment line).

Note that this task definition runs the sensor privileged, in the host PID namespace, with the Docker socket and the host root filesystem mounted; the sensor needs this for EDR and scanning, but it makes the task equivalent to root on every container instance. Restrict who can register it (ecs:RegisterTaskDefinition and iam:PassRole on the execution role), and replace <sensor-version> with a specific release rather than a floating tag.

The task definition cbcontainers-daemon.json:

{
  "family": "cbcontainers-daemon",
  "pidMode": "host",
  "networkMode": "bridge",
  "executionRoleArn": "<arn role with ec2 deployment permissions>",
  "containerDefinitions": [
    {
      "name": "cb-containers-sensor",
      "image": "docker.io/cbartifactory/cb-containers-sensor:<sensor-version>",
      "cpu": 512,
      "memory": 1024,
      "privileged": true,
      "environment": [
        // fill environment variables list here
      ],
      "mountPoints": [
        {
          "sourceVolume": "dockersock",
          "containerPath": "/var/run/docker.sock"
        },
        {
          "sourceVolume": "hostname",
          "containerPath": "/etc/hostname"
        },
        {
          "sourceVolume": "boot",
          "containerPath": "/boot"
        },
        {
          "sourceVolume": "cb-data-dir",
          "containerPath": "/var/opt/carbonblack"
        },
        {
          "sourceVolume": "os-release",
          "containerPath": "/etc/os-release"
        },
        {
          "sourceVolume": "root",
          "containerPath": "/var/opt/root"
        }
      ],
      "healthCheck": {
        "command": [
          "CMD-SHELL",
          "cat /tmp/ready || exit 1"
        ],
        "interval": 60,
        "timeout": 15,
        "retries": 3,
        "startPeriod": 60
      }
    }
  ],
  "volumes": [
    {
      "name": "dockersock",
      "host": {
        "sourcePath": "/var/run/docker.sock"
      }
    },
    {
      "name": "hostname",
      "host": {
        "sourcePath": "/etc/hostname"
      }
    },
    {
      "name": "boot",
      "host": {
        "sourcePath": "/boot"
      }
    },
    {
      "name": "cb-data-dir",
      "host": {
        "sourcePath": "/var/opt/carbonblack"
      }
    },
    {
      "name": "os-release",
      "host": {
        "sourcePath": "/etc/os-release"
      }
    },
    {
      "name": "root",
      "host": {
        "sourcePath": "/"
      }
    }
  ],
  "requiresCompatibilities": [
    "EC2"
  ]
}


2. After the task definition is filled, remove the "// fill environment variables list here" comment line (JSON has no comment syntax, and the CLI rejects the file while it is there), then register it in the ECS console or with the aws CLI:

aws ecs register-task-definition --cli-input-json file://cbcontainers-daemon.json --region <region-to-apply-at>


3. To write the agent logs to CloudWatch Logs, add the following logConfiguration section inside the container definition element of the task definition:

{
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
      "awslogs-group": "cbcontainers-agent",
      "awslogs-region": "<region>",
      "awslogs-stream-prefix": "cbcontainers-agent"
    }
  }
}


4. For the logs to be delivered:

  • Create the cbcontainers-agent log group in CloudWatch Logs in the same region as the cluster. The awslogs driver does not create it unless the option awslogs-create-group is set to "true", which additionally requires logs:CreateLogGroup.
  • Add the actions logs:CreateLogStream and logs:PutLogEvents to the ECS Role Policy of the role set in executionRoleArn.
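The steps above (fill the environment list, remove the placeholder comment, merge the logConfiguration block, register) can be done from a script so the file that reaches the CLI is valid JSON with nothing left unfilled. The following is an added example, not code from the Carbon Black documentation or the product; it embeds a constructed, abbreviated copy of the template above, assumes the setup-wizard variables are supplied as a dict (the variable name, role ARN and version in the usage are hypothetical), and also summarises why this particular task definition deserves the same change control as the instance's IAM role.

```python
"""Build the cbcontainers-daemon task definition from the page's template.

Added example, not part of the Carbon Black documentation. Assumes the template
(with its `// fill environment variables list here` line), the setup-wizard
variables as a dict, and a log group/region for the awslogs driver.
"""
import json
import re

# Constructed, abbreviated copy of the page's template (two of the six volumes
# are enough to show the shape); placeholders and the comment line are verbatim.
TEMPLATE = r'''
{
  "family": "cbcontainers-daemon",
  "pidMode": "host",
  "networkMode": "bridge",
  "executionRoleArn": "<arn role with ec2 deployment permissions>",
  "containerDefinitions": [
    {
      "name": "cb-containers-sensor",
      "image": "docker.io/cbartifactory/cb-containers-sensor:<sensor-version>",
      "cpu": 512,
      "memory": 1024,
      "privileged": true,
      "environment": [
        // fill environment variables list here
      ],
      "mountPoints": [
        {"sourceVolume": "dockersock", "containerPath": "/var/run/docker.sock"},
        {"sourceVolume": "root", "containerPath": "/var/opt/root"}
      ]
    }
  ],
  "volumes": [
    {"name": "dockersock", "host": {"sourcePath": "/var/run/docker.sock"}},
    {"name": "root", "host": {"sourcePath": "/"}}
  ],
  "requiresCompatibilities": ["EC2"]
}
'''

PLACEHOLDER = re.compile(r"<[^<>]+>")           # <sensor-version>, <arn ...>
LINE_COMMENT = re.compile(r"^\s*//.*$", re.M)    # JSON has no comment syntax


def load_template(text):
    """Drop the `//` placeholder line and parse; the CLI rejects comments."""
    return json.loads(LINE_COMMENT.sub("", text))


def build_task_definition(template_text, env, execution_role_arn,
                          sensor_version, region, log_group="cbcontainers-agent"):
    """Return a registrable task definition dict (write it out with json.dump)."""
    td = load_template(template_text)
    td["executionRoleArn"] = execution_role_arn
    container = td["containerDefinitions"][0]
    container["image"] = container["image"].replace("<sensor-version>", sensor_version)
    # ECS wants a list of {"name": ..., "value": ...} objects, not a mapping.
    container["environment"] = [{"name": k, "value": v} for k, v in sorted(env.items())]
    # The logConfiguration block from step 3, merged into the container definition.
    container["logConfiguration"] = {
        "logDriver": "awslogs",
        "options": {"awslogs-group": log_group, "awslogs-region": region,
                    "awslogs-stream-prefix": log_group},
    }
    return td


def unfilled_placeholders(td):
    """Every <...> placeholder still present anywhere in the document."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(td))))


def host_access_summary(td):
    """Settings that each, on their own, give the container root-equivalent host access."""
    container = td["containerDefinitions"][0]
    host_paths = {v["name"]: v["host"]["sourcePath"]
                  for v in td.get("volumes", []) if "host" in v}
    reasons = []
    if container.get("privileged"):
        reasons.append("privileged: all capabilities, default seccomp/AppArmor profiles off")
    if td.get("pidMode") == "host":
        reasons.append("pidMode=host: sees and can signal every process on the instance")
    for mount in container.get("mountPoints", []):
        source = host_paths.get(mount["sourceVolume"])
        if source == "/":
            reasons.append("host / mounted at %s: read/write of the whole host filesystem"
                           % mount["containerPath"])
        elif source == "/var/run/docker.sock":
            reasons.append("Docker socket mounted: control of every container on the host")
    return reasons


if __name__ == "__main__":
    td = build_task_definition(
        TEMPLATE,
        {"EXAMPLE_VAR_FROM_WIZARD": "value"},  # hypothetical; use the wizard's names
        "arn:aws:iam::123456789012:role/cbcontainersTaskExecutionRole",  # hypothetical
        "3.0.0",  # hypothetical version
        "us-east-1",
    )
    assert not unfilled_placeholders(td), unfilled_placeholders(td)
    for reason in host_access_summary(td):
        print("host access:", reason)
    with open("cbcontainers-daemon.json", "w") as f:
        json.dump(td, f, indent=2)
    # then: aws ecs register-task-definition --cli-input-json file://cbcontainers-daemon.json
```

Running the script writes cbcontainers-daemon.json ready for register-task-definition and refuses to do so while any <...> placeholder remains; the host-access summary is what to show whoever approves changes to this task definition.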

Run ECS Tasks As Services

To run the agent on every container instance, create a service named cbcontainers-daemon-svc with the DAEMON scheduling strategy, which places exactly one copy of the task on each active container instance in the cluster:

aws ecs create-service \
    --region <region-to-apply-at> \
    --cluster <your-cluster-name> \
    --service-name cbcontainers-daemon-svc \
    --launch-type EC2 \
    --task-definition cbcontainers-daemon \
    --scheduling-strategy DAEMON

ECS Role Policy


  • To run the agent as an ECS task, the task definition needs a role with the following permissions set in executionRoleArn. Note that ec2:DescribeTags and the ecs:* actions in this example are the ones the ECS container agent on each EC2 instance uses (the container instance role); the execution role itself only needs the ecr:* actions to pull the image (and only if you mirror it into ECR; pulls from docker.io need no IAM permission) and the logs actions below to write logs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:UpdateContainerInstancesState",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
  • To write the container logs to CloudWatch Logs, add the actions logs:CreateLogStream and logs:PutLogEvents to the Action list.
  • The policy needs permissions to pull the image, run ECS tasks, and write the container logs to CloudWatch Logs. Where the action supports it, scope Resource to the repository and log-group ARNs instead of "*" (ecr:GetAuthorizationToken has to stay on "*").
  • If you already have a role for your ECS tasks, attach the permissions from the example above that it is missing.
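Checking an existing role against the list above by eye is error-prone because IAM actions may be granted as wildcards (ecs:*, ecs:Submit*) and matched case-insensitively. The following is an added example, not code from the Carbon Black documentation: REQUIRED_ACTIONS is the page's policy with ecs:Submit* expanded to the concrete Submit actions and the two CloudWatch Logs actions added, and EXISTING_POLICY is a constructed policy document standing in for a role you already have.

```python
"""Report which of the permissions this page requires are missing from an
existing IAM policy document.

Added example, not part of the Carbon Black documentation. Only Allow
statements are examined: Deny statements, permission boundaries and SCPs are
not evaluated, so an empty "missing" list is necessary but not sufficient.
"""
import fnmatch

# The page's policy, ecs:Submit* expanded, plus the two logs actions from step 4.
REQUIRED_ACTIONS = [
    "ec2:DescribeTags",
    "ecs:CreateCluster",
    "ecs:DeregisterContainerInstance",
    "ecs:DiscoverPollEndpoint",
    "ecs:Poll",
    "ecs:RegisterContainerInstance",
    "ecs:StartTelemetrySession",
    "ecs:UpdateContainerInstancesState",
    "ecs:SubmitAttachmentStateChanges",
    "ecs:SubmitContainerStateChange",
    "ecs:SubmitTaskStateChange",
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
]

# Constructed: a broad ecs:* grant, one ECR action, logs scoped to one group.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:cbcontainers-agent:*"},
    ],
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_patterns(policy):
    """Action patterns granted by Allow statements.

    Statements written with NotAction are skipped, which only makes the result
    more conservative (an action is reported missing, never wrongly present).
    """
    patterns = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") == "Allow" and "Action" in statement:
            patterns.extend(_as_list(statement["Action"]))
    return patterns


def is_allowed(action, patterns):
    """IAM matches action names case-insensitively, with * and ? wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions not covered by any Allow pattern, sorted."""
    patterns = allow_patterns(policy)
    return sorted(a for a in required if not is_allowed(a, patterns))


def wildcard_resource_statements(policy):
    """Indexes of Allow statements whose Resource is "*".

    ecr:GetAuthorizationToken has to be granted on "*"; the other ECR actions
    and the logs actions accept repository and log-group ARNs, which is the
    least-privilege form to aim for when attaching the missing permissions.
    """
    return [i for i, s in enumerate(_as_list(policy.get("Statement")))
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource"))]


if __name__ == "__main__":
    for action in missing_actions(EXISTING_POLICY):
        print("missing:", action)
    print("statements with Resource *:", wildcard_resource_statements(EXISTING_POLICY))
```

To run it against a real role, fetch the document with aws iam get-policy-version (or get-role-policy for an inline policy), load the JSON, and pass it in place of EXISTING_POLICY; remember that a clean result still says nothing about Deny statements or SCPs higher up.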

Last modified on November 22, 2023