Carbon Black Container - ECS Agent
Overview
Run the Carbon Black Containerized Sensor Agent on your ECS cluster to enable Endpoint Detection and Container Scanning security features.
Use Cases
- Detect and enforce EDR capabilities with containers context on your ECS cluster.
- Detect vulnerabilities, malware and secrets on deployed containers in your ECS cluster.
Requirements
- ECS Cluster
- Carbon Black Cloud Container
- API key with appropriate permissions. See Authentication for details.
Installation
To install the agent, you need to:
- Register the agent task definition.
- Run the agent task definition as ECS Service.
ECS Task Definition
1. Register the agent task definition, and fill it with the relevant environment configuration from the setup wizard.
The task definition cbcontainers-daemon.json:
{
  "family": "cbcontainers-daemon",
  "pidMode": "host",
  "networkMode": "bridge",
  "executionRoleArn": "<arn role with ec2 deployment permissions>",
  "containerDefinitions": [
    {
      "name": "cb-containers-sensor",
      "image": "docker.io/cbartifactory/cb-containers-sensor:<sensor-version>",
      "cpu": 512,
      "memory": 1024,
      "privileged": true,
      "environment": [
        // fill environment variables list here
      ],
      "mountPoints": [
        {
          "sourceVolume": "dockersock",
          "containerPath": "/var/run/docker.sock"
        },
        {
          "sourceVolume": "hostname",
          "containerPath": "/etc/hostname"
        },
        {
          "sourceVolume": "boot",
          "containerPath": "/boot"
        },
        {
          "sourceVolume": "cb-data-dir",
          "containerPath": "/var/opt/carbonblack"
        },
        {
          "sourceVolume": "os-release",
          "containerPath": "/etc/os-release"
        },
        {
          "sourceVolume": "root",
          "containerPath": "/var/opt/root"
        }
      ],
      "healthCheck": {
        "command": [
          "CMD-SHELL",
          "cat /tmp/ready || exit 1"
        ],
        "interval": 60,
        "timeout": 15,
        "retries": 3,
        "startPeriod": 60
      }
    }
  ],
  "volumes": [
    {
      "name": "dockersock",
      "host": {
        "sourcePath": "/var/run/docker.sock"
      }
    },
    {
      "name": "hostname",
      "host": {
        "sourcePath": "/etc/hostname"
      }
    },
    {
      "name": "boot",
      "host": {
        "sourcePath": "/boot"
      }
    },
    {
      "name": "cb-data-dir",
      "host": {
        "sourcePath": "/var/opt/carbonblack"
      }
    },
    {
      "name": "os-release",
      "host": {
        "sourcePath": "/etc/os-release"
      }
    },
    {
      "name": "root",
      "host": {
        "sourcePath": "/"
      }
    }
  ],
  "requiresCompatibilities": [
    "EC2"
  ]
}
2. After the task definition is filled, register it using the AWS ECS UI, or by using the aws CLI:
aws ecs register-task-definition --cli-input-json file://cbcontainers-daemon.json --region <region-to-apply-at>
3. To write the agent logs to AWS CloudWatch, add the logConfiguration section inside the container definition element in the task definition:
{
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
      "awslogs-group": "cbcontainers-agent",
      "awslogs-region": "<region>",
      "awslogs-stream-prefix": "cbcontainers-agent"
    }
  }
}
4. For the logs to work:
- Add the cbcontainers-agent log group (the awslogs-group value) in CloudWatch.
- Add the actions logs:CreateLogStream and logs:PutLogEvents to the ECS Role Policy.
Run ECS Tasks As Services
To run the agent, create a service to run the task: cbcontainers-daemon-svc. Create the cbcontainers-daemon-svc service by running:
aws ecs create-service \
--region <region-to-apply-at> \
--cluster <your-cluster-name> \
--service-name cbcontainers-daemon-svc \
--launch-type EC2 \
--task-definition cbcontainers-daemon \
--scheduling-strategy DAEMON
ECS Role Policy
- To run the agent as an ECS task, the task definition needs a role with the following permissions to be set in executionRoleArn:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:UpdateContainerInstancesState",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
- To write the container logs to AWS CloudWatch, add the actions logs:CreateLogStream and logs:PutLogEvents to the Action list.
- The policy needs permissions to pull images, run ECS tasks, and CloudWatch access to write the container logs.
- If you have an existing role for your ECS tasks, attach the missing permissions from the policy example above.
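A pre-registration check for steps 3 and 4 above, written here as an added example (not Carbon Black's or AWS's code): it merges the awslogs logConfiguration into each container definition and verifies that the execution role policy allows the actions this page lists, honouring IAM wildcards such as ecs:Submit*. The task definition and policy below are constructed, abbreviated versions of the page's documents; REQUIRED_ACTIONS is a subset of the page's action list with ecs:Submit* expanded to the concrete ecs:SubmitTaskStateChange so the wildcard matching is exercised.

```python
import fnmatch
import json

# Subset of the actions the page's ECS Role Policy grants; ecs:Submit* is
# expanded to one concrete action so the wildcard check is exercised.
REQUIRED_ACTIONS = ["ec2:DescribeTags", "ecs:Poll", "ecs:RegisterContainerInstance",
                    "ecs:StartTelemetrySession", "ecs:SubmitTaskStateChange",
                    "ecr:GetAuthorizationToken", "ecr:BatchGetImage"]
# Extra actions needed only when the awslogs driver is configured (page step 4).
LOG_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"]

# Constructed, abbreviated task definition and policy (mirroring the page's documents).
TASK_DEF = {"family": "cbcontainers-daemon",
            "containerDefinitions": [{"name": "cb-containers-sensor", "privileged": True}]}
POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
          "Action": ["ec2:DescribeTags", "ecs:Poll", "ecs:RegisterContainerInstance",
                     "ecs:StartTelemetrySession", "ecs:Submit*",
                     "ecr:GetAuthorizationToken", "ecr:BatchGetImage"]}]}


def add_awslogs(task_def, region, group="cbcontainers-agent"):
    """Return a deep copy of task_def with the page's awslogs logConfiguration on every container."""
    td = json.loads(json.dumps(task_def))
    for cdef in td["containerDefinitions"]:
        cdef["logConfiguration"] = {"logDriver": "awslogs",
                                    "options": {"awslogs-group": group,
                                                "awslogs-region": region,
                                                "awslogs-stream-prefix": group}}
    return td


def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (a bare string or a list); Deny is ignored here."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy, task_def):
    """Required actions not covered by any Allow pattern; IAM action names match case-insensitively."""
    needed = list(REQUIRED_ACTIONS)
    if any(c.get("logConfiguration", {}).get("logDriver") == "awslogs"
           for c in task_def["containerDefinitions"]):
        needed += LOG_ACTIONS
    patterns = [p.lower() for p in allowed_patterns(policy)]
    return [a for a in needed if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
```

Run it against your filled-in cbcontainers-daemon.json and role policy before the register-task-definition step; an empty list from missing_actions means the role covers every action the page requires.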
Last modified on November 22, 2023