What container security can be applied to an AWS Fargate environment?

Recently, we have received an increasing number of inquiries about implementing container security from customers who have adopted AWS Fargate. Some customers have already implemented container security with Prisma Cloud in their AWS Fargate environments, so in this article I would like to explain what kind of security implementation is possible for an AWS Fargate environment.

Benefits of AWS Fargate

Although many of you already know it, let me briefly look back at what AWS Fargate is and what its benefits are. It is described in detail on the AWS website, but I think the main points are as follows.

  • You get the benefits of containers without having to build a host OS or related middleware.
  • There are no EC2 instances to worry about.
  • It is very easy to scale to meet demand.

By using AWS Fargate, you can concentrate on the application development that is your real goal. The fact that no special skill set or experience in managing the infrastructure layer is required is why many companies are adopting it.

What security can be implemented on AWS Fargate

Using AWS Fargate eliminates the need to consider various elements of the infrastructure layer, but that does not mean you can ignore security risks altogether. For example, since the container image running on AWS Fargate is created by the user, vulnerabilities and compliance violations can be present in it. There is also, naturally, the risk of external attacks against the workloads running on AWS Fargate.

To address these, Prisma Cloud mainly provides the following security functions for AWS Fargate.

  • Vulnerability scanning of container images
    Fargate tasks are scanned so that vulnerabilities in the container images they use are detected automatically. This prevents containers from continuing to run with critical security vulnerabilities.

Image: Taken from https://www.paloaltonetworks.com/blog/prisma-cloud/securing-aws-fargate-tasks/

  • Compliance scan
    You can run compliance checks against your container images using predefined rule sets appropriate for a Fargate environment. This lets you use only images that maintain compliance (for example, checking whether the container contains a private key, whether SSH login is possible, whether it contains malware, and so on) and thereby eliminate those security risks.

Image: Taken from https://www.paloaltonetworks.com/blog/prisma-cloud/securing-aws-fargate-tasks/
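As an added illustration of the kind of checks such a compliance scan applies to an image's filesystem (this is example code, not Prisma Cloud's scanner), the script below walks a constructed sample root filesystem, standing in for an extracted image, and flags two of the conditions listed above: an embedded private key and an SSH server that permits login. The sample files, paths and rule names are all assumptions made for this example.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Constructed sample: a tiny fake container root filesystem standing in for an
# extracted image. The deploy key contents are a dummy, not a real key.
def build_sample_rootfs() -> Path:
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "etc/ssh").mkdir(parents=True)
    (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")
    (root / "usr/sbin").mkdir(parents=True)
    (root / "usr/sbin/sshd").write_bytes(b"\x7fELF stub")
    (root / "app").mkdir()
    (root / "app/deploy_key.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nDUMMY\n-----END RSA PRIVATE KEY-----\n")
    (root / "app/server.py").write_text("print('hello')\n")
    return root

# PEM headers used by common private-key formats.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")

def check_private_keys(root: Path) -> list[str]:
    """Return image-relative paths of files that embed a PEM private key."""
    hits = []
    for p in sorted(root.rglob("*")):
        # Skip large files: keys are small, and this keeps the walk cheap.
        if p.is_file() and p.stat().st_size < 1_000_000:
            if PRIVATE_KEY_RE.search(p.read_bytes()):
                hits.append(p.relative_to(root).as_posix())
    return hits

def check_ssh_login(root: Path) -> list[str]:
    """Flag an SSH server in the image, which would allow logging into the container."""
    findings = []
    if (root / "usr/sbin/sshd").is_file():
        findings.append("sshd binary present: SSH login into the container is possible")
    cfg = root / "etc/ssh/sshd_config"
    if cfg.is_file():
        for line in cfg.read_text().splitlines():
            if re.match(r"\s*PermitRootLogin\s+yes\b", line):
                findings.append("sshd_config permits root login")
    return findings

def scan(root: Path) -> dict[str, list[str]]:
    """Run every check; an empty list means the image passes that check."""
    return {"private_key": check_private_keys(root), "ssh_login": check_ssh_login(root)}
```

Calling `scan(build_sample_rootfs())` returns the findings per rule; a real scanner would run the same kind of checks against every layer of the image before the task is allowed to start.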

  • Runtime protection
    Defender for Fargate, deployed as a sidecar, monitors whether the container is operating as defined; if it detects behaviour that violates a policy, it can notify you and automatically take action. In addition, the Web Application and API Security (WAAS) feature of Prisma Cloud inspects incoming traffic as a reverse proxy in front of the containers running on Fargate and provides Layer 7 protection according to the policies you set, and its implementation is seamless. This makes it possible to protect the Fargate environment from web application security risks such as the OWASP Top 10.

Image: Taken from https://www.paloaltonetworks.com/blog/prisma-cloud/securing-aws-fargate-tasks/

Configuration when implementing Prisma Cloud on AWS Fargate

To protect the Fargate environment, we use App-Embedded Defender, which differs from the normal Defender in that it is embedded in the Fargate task itself. (The protected task can be generated automatically from the Prisma Cloud console or via the API.) The generated task includes the Prisma Cloud sidecar container, which handles all communication with the console, such as retrieving policies and sending audit results.

Image: Quoted from https://docs.paloaltonetworks.com/prisma/prisma-cloud/21-04/prisma-cloud-compute-edition-admin/install/install_defender/install_app_embedded_defender_fargate.html

Summary

By using Prisma Cloud, you can enjoy the many benefits of AWS Fargate while staying protected from the security threats that still need to be dealt with. If you are already using Fargate, or are planning to use it, and are interested in security measures, please contact us.

Inquiry/Document request

Macnica DevOps department

Mon-Fri 8:45-17:30