AWS ECS (EC2 Provider)
Deployed as a daemon service using a task definition
In AWS ECS, the ThreatStryker sensors are deployed as a daemon service using task definition.
Prerequisites
Make sure you have the following information:
- Quay login, later referred as <QUAY_LOGIN>
- Quay password, later referred as <QUAY_PASSWORD>
- Management console URL/IP, later referred as <MGMT_CONSOLE_URL>
- Deepfence API key, later referred as <DEEPFENCE_KEY>(This key can be found from the management console, in the settings > User > API Key)
Installing on AWS ECS (EC2 Provider)
- Add secret for quay login
- Go to the secret manager dashboard from the AWS Console
- Select "Store a new secret"
- Select "Other type of secret"
- Select "Plaintext" and paste the following:
{
 "username" : "<QUAY_LOGIN>",
 "password" : "<QUAY_PASSWORD>"
 }
 
Create the secret and store the ARN. We will refer to it as <ARN_QUAY_CREDS>
- Add secret for Deepfence API key
- Go to the secret manager dashboard from the AWS Console
- Select "Store a new secret"
- Select "Other type of secret"
- Select "Plaintext" and paste the following:
{
 "deepfence_api_key" : "<DEEPFENCE_KEY>"
 }
 
Create the secret and store the ARN. We will refer to it as <API_KEY_SECRET_ARN>
Be careful with the double quotes, sometimes the AWS UI transforms them into a special character that is not recognized as valid JSON.
- Create a new role (e.g.: deepfence-agent-role)- Go to the IAM dashboard from AWS Console
- Go to Access management > roles
- Select "Create Role",
- Select "Custom trust policy"
- Paste the following:
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Principal": {
 "Service": "ecs-tasks.amazonaws.com"
 },
 "Action": "sts:AssumeRole"
 }
 ]
 }
 
Then continue:
- 
Search in the "Permissions policies" for "Task" > Select the following policy: AmazonECSTaskExecutionRolePolicy
- 
Click "Next", name the role deepfence-agent-role, then "Create role"
- 
Store the Role ARN. We will refer to it as <AGENT_TASK_ROLE_ARN>
- 
Search for your newly created role 
- 
Click on it ( deepfence-agent-rolein our example)
- 
Select "Add permissions" > "Create inline policy" and add: {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "secretsmanager:GetSecretValue"
 ],
 "Resource": [
 "<ARN_QUAY_CREDS>",
 "<API_KEY_SECRET_ARN>"
 ]
 }
 ]
 }
- 
If you are using a custom KMS key for your secrets and not using the default key, you will also need to add the KMS key permissions to your inline policy: {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "kms:Decrypt",
 "secretsmanager:GetSecretValue"
 ],
 "Resource": [
 "<ARN_QUAY_CREDS>",
 "<API_KEY_SECRET_ARN>",
 "<custom_kms_key_arn>"
 ]
 }
 ]
 }
Then create the new policy.
- 
Create new task definition for deepfence agent - Go to the "Elastic Container Service" dashboard from AWS console
- In the top left corner, disable new UI to use the legacy UI.
- Go to "Task Definitions"
- Select "Create new Task Definition"
- Select EC2, then "Next step"
- At the bottom, select "Configure via JSON"
- Copy and paste the following JSON configuration: (Replace <DEEPFENCE_KEY>,<MGMT_CONSOLE_URL>,<ARN_QUAY_CREDS>,<API_KEY_SECRET_ARN>and<AGENT_TASK_ROLE_ARN>with actual values)
 infoImage tags quay.io/deepfenceio/deepfence_agent:2.2.1-multiarchandquay.io/deepfenceio/deepfence_cluster_agent:2.2.1-multiarchare supported in amd64 and arm64/v8 architectures.{
 "ipcMode": null,
 "containerDefinitions": [
 {
 "dnsSearchDomains": [],
 "environmentFiles": null,
 "logConfiguration": null,
 "entryPoint": [],
 "portMappings": [],
 "command": [],
 "linuxParameters": null,
 "cpu": 0,
 "environment": [
 {
 "name": "DF_DISABLE_FILE_MON",
 "value": "Y"
 },
 {
 "name": "DF_DISABLE_PROC_MON",
 "value": "Y"
 },
 {
 "name": "DF_TRAFFIC_ANALYSIS_ON",
 "value": "Y"
 },
 {
 "name": "DF_LOG_LEVEL",
 "value": "info"
 },
 {
 "name": "MGMT_CONSOLE_URL",
 "value": "<MGMT_CONSOLE_URL>"
 },
 {
 "name": "USER_DEFINED_TAGS",
 "value": ""
 }
 ],
 "resourceRequirements": null,
 "ulimits": null,
 "repositoryCredentials": {
 "credentialsParameter": "<ARN_QUAY_CREDS>"
 },
 "dnsServers": [],
 "mountPoints": [
 {
 "readOnly": true,
 "containerPath": "/fenced/mnt/host",
 "sourceVolume": "Host"
 },
 {
 "readOnly": false,
 "containerPath": "/sys/kernel/debug",
 "sourceVolume": "SysKernelDebug"
 },
 {
 "readOnly": false,
 "containerPath": "/sys/fs/bpf",
 "sourceVolume": "SysFsBpf"
 },
 {
 "readOnly": false,
 "containerPath": "/var/run/docker.sock",
 "sourceVolume": "DockerSock"
 },
 {
 "readOnly": false,
 "containerPath": "/var/log/fenced",
 "sourceVolume": "VarLogFenced"
 }
 ],
 "workingDirectory": null,
 "secrets": [
 {
 "name": "DEEPFENCE_KEY",
 "valueFrom": "<API_KEY_SECRET_ARN>:deepfence_api_key::"
 }
 ],
 "dockerSecurityOptions": [],
 "memory": null,
 "memoryReservation": null,
 "volumesFrom": [],
 "stopTimeout": null,
 "image": "quay.io/deepfenceio/deepfence_agent:2.2.1",
 "startTimeout": null,
 "firelensConfiguration": null,
 "dependsOn": null,
 "disableNetworking": null,
 "interactive": null,
 "healthCheck": null,
 "essential": true,
 "links": [],
 "hostname": null,
 "extraHosts": null,
 "pseudoTerminal": null,
 "user": null,
 "readonlyRootFilesystem": null,
 "dockerLabels": {},
 "systemControls": [],
 "privileged": true,
 "name": "deepfence"
 }
 ],
 "placementConstraints": [],
 "executionRoleArn": "<AGENT_TASK_ROLE_ARN>",
 "taskRoleArn": "<AGENT_TASK_ROLE_ARN>",
 "memory": "2048",
 "family": "deepfence-agent-ec2-task",
 "pidMode": null,
 "requiresCompatibilities": [
 "EC2"
 ],
 "networkMode": "host",
 "runtimePlatform": {
 "operatingSystemFamily": "LINUX",
 "cpuArchitecture": "X86_64"
 },
 "cpu": "512",
 "inferenceAccelerators": null,
 "proxyConfiguration": null,
 "volumes": [
 {
 "fsxWindowsFileServerVolumeConfiguration": null,
 "efsVolumeConfiguration": null,
 "name": "SysKernelDebug",
 "host": {
 "sourcePath": "/sys/kernel/debug"
 },
 "dockerVolumeConfiguration": null
 },
 {
 "fsxWindowsFileServerVolumeConfiguration": null,
 "efsVolumeConfiguration": null,
 "name": "SysFsBpf",
 "host": {
 "sourcePath": "/sys/fs/bpf"
 },
 "dockerVolumeConfiguration": null
 },
 {
 "fsxWindowsFileServerVolumeConfiguration": null,
 "efsVolumeConfiguration": null,
 "name": "DockerSock",
 "host": {
 "sourcePath": "/var/run/docker.sock"
 },
 "dockerVolumeConfiguration": null
 },
 {
 "fsxWindowsFileServerVolumeConfiguration": null,
 "efsVolumeConfiguration": null,
 "name": "VarLogFenced",
 "host": {
 "sourcePath": null
 },
 "dockerVolumeConfiguration": null
 },
 {
 "fsxWindowsFileServerVolumeConfiguration": null,
 "efsVolumeConfiguration": null,
 "name": "Host",
 "host": {
 "sourcePath": "/"
 },
 "dockerVolumeConfiguration": null
 }
 ]
 }- Select the container "deepfence" and select Auto-configure CloudWatch LogsforLog configuration
- Then create the new task definition.
 
- 
Create a new service to execute the Task and deploy the agent - Go to the "Elastic Container Service" dashboard from the AWS console
- Go to "Task definitions"
- Select previously created task definition
- Select "Actions" > "Create service"
- Select Launch type: EC2
- Choose the ECS cluster to deploy
- Provide a name to your service (e.g. deepfence-agent-ec2-service)
- Set Service TypeasDAEMON
- Create the service
 
- 
Monitor the service creation and check if the task is in running state. It can take a couple of minutes 
- 
If the task is running, you should see the agent appearing in your console, well done!