This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

  • 1:

    Serverless Agents


    The serverless environment: As cloud platforms have evolved, both the convenience and the abstraction levels have increased simultaneously and new agent models are required.

    For example, with Amazon’s ECS and EKS, users remain in charge of managing the underlying virtual host machines. In environments like Fargate, however, the hosts are implicitly allocated by the cloud provider and users simply run their containers without allocating, configuring, or having any knowledge of the underlying compute infrastructure.

    While this “container as a service” model is convenient, it can introduce risk, as many users leave the containers unattended and don’t monitor for security events inside them that can exfiltrate secrets, compromise business data, and increase their AWS/cloud provider costs. In addition, it is not possible to install a standard agent in an environment where you do not have access to a host.

    For these reasons, Sysdig has introduced a new “serverless agent” that can be deployed in such container-based cloud environments.

    Available Platforms

    1 -

    AWS Fargate Serverless Agents

    Check the Overview for an explanation of when and why to use serverless agents in “container-as-a-service” cloud environments.


    The Sysdig serverless agent provides runtime detection through policy enforcement with Falco. At this time, the serverless agent is available for AWS Fargate on ECS. It is comprised of an orchestrator agent and (potentially multiple) workload agents.

    • The Sysdig serverless orchestrator agent is a collection point installed on each VPC to collect data from the serverless workload agent(s) and to forward them to the Sysdig backend. It also syncs the Falco runtime policies and rules to the workload agent(s) from the Sysdig backend.

    • The Sysdig serverless workload agent is installed in each task and requires network access to communicate with the orchestrator agent.

    Installation: For Fargate ECS

    For Fargate ECS, the two components of the serverless agent are installed separately.

    • For the orchestrator agent, Sysdig provides a yaml to use as a CloudFormation Template which you can deploy through the AWS Console. You need one orchestrator deployment per VPC in your environment which your organization wants to secure.

    • For the workload agents, you need one workload agent per Fargate task definition. (If you have ten services and ten task definitions, each needs to be instrumented.)

      We assume your services use an existing CFT and you will install the workload agent using an automated process which will instrument all the task definitions in your CFT.


    On the AWS side:

    • AWS CLI configured and permissions to create and use an S3 bucket.

    • Permissions to upload images to repos, deploy CloudFormation Templates (CFTs), and create task definitions for Fargate

    • The Fargate tasks you want to instrument with the Sysdig serverless agent

    • Two subnets that can connect with the internet. (Your service on Fargate must reach the orchestrator agent, and the orchestrator agent must reach the internet to communicate with Sysdig’s back end.)

    • A NAT gateway, or, if AWS Internet Gateway is used, you will need to uncomment the line AssignPublicIp: ENABLED in the orchestrator.yaml after installing the orchestrator agent.

    On the Sysdig side:

    Install the Orchestrator Agent

    1. Obtain the Sysdig Orchestrator Agent yaml to be used as the CloudFormation Template source.

      For more information on CloudFormation (CFN), see AWS documentation.

    2. Deploy the orchestrator agent for each desired VPC, using CloudFormation.

      The steps below are an outline of the important Sysdig-related parts.

      1. Log in to the AWS Console. Select CloudFormation and Create Stack with new resources and specify the orchestrator-agent.yaml as the Template source.

      2. Specify the stack details to deploy the orchestrator agent on the same VPC where your service is running.

        Stack name: self-defined

        Sysdig Settings

        • Sysdig Access Key: Use the agent key for your Sysdig platform.

        • Sysdig Collector Host: (default); region-dependent in Sysdig SaaS; custom in Sysdig on-prem.

        • Sysdig Collector Port: 6443 (default), or could be custom for on-prem installations.

        Network Settings

        • VPC Id Choose your VPC.

        • Subnet A & B: These depend on the VPC you choose; select from the drop-down menu

        Advanced Settings

        • Sysdig Agent Tags: Enter a comma-separated list of tags (eg. role:webserver,location:europe)Note: tags will also be created automatically from your infrastructure’s metadata, including AWS, Docker, etc.

        • Sysdig Orchestrator Agent Image:

          quay-io/orchestrator-agent:latest (default)

        • Check Collector SSL Certificate: Default: true. False means no validation will be done on the SSL certificate received from the collector, used for dev purposes only.

      3. Click Next, complete the stack creation, and wait for the deployment to complete (usually less than 10 minutes.)

      4. In Output, take note of the OrchestratorHost and OrchestratorPort values.

    If AWS Internet Gateway is used (as opposed to a NAT Gateway), uncomment the line AssignPublicIp: ENABLED in the orchestrator.yaml .

    Install the Workload Agents

    Automated Process

    1. Prerequisite: Have the orchestrator agent deployed in the appropriate VPC and have the Orchestrator Host and Port information handy.

    2. Download the appropriate installer for your OS.

      These set up Kilt, an open-source library mechanism for injection into Fargate containers.

    3. Create a macro for the serverless worker agents, using the installer. Any service tagged with this macro will have the serverless worker agent(s) added and Fargate data will be collected.

      1. Log in to AWS CLI.

      2. Create a CFN macro that applies instrumentation. You will need the outputs from previous task. Example: 

        ./installer-linux-amd64 cfn-macro install -r us-east-1 MySysdigMacro $OrchestratorHost $OrchestratorPort
    4. Add the macro you created to the CFT that you use for your own service at the root.

      Use: Transform: MySysdigMacro.

      All new deployments of that template will be instrumented.

      Defining Entrypoint and Command in CFT:

      In this step, the macro will go over the original CloudFormation Template looking for ContainerDefinitions to instrument. This includes replacing the original entry point for the Sysdig entry point, so ideally the CFT should explicitly describe Entrypoint  and Command. Otherwise, the macro will try to pull the image to retrieve a default Entrypoint and Command , which only works if the image is publicly available. Otherwise the pull will fail and the instrumentation will not be completed.

    5. Complete!

      When instrumentation is complete, Fargate events should be visible in the Sysdig Secure Events feed.

    Upgrade: For Fargate ECS

    To upgrade the serverless agents, you install a second version of both components then kill all the running tasks and restart with the new version. You then delete and clean up the old CloudFormation and Kilt residuals.

    1. Obtain the Sysdig Orchestrator Agent yaml to be used as the CloudFormation Template source.

      At this time, the yaml metadata does not specify the agent version, but this link always downloads the latest file.

    2. Perform the steps to Install the Orchestrator Agent.

      Note that in step 2.4, the OrchestratorHost and OrchestratorPort values will be unique.

    3. Perform the steps to Install the Workload Agents.

      In step 4, assign a unique name to your macro (Transform: MyV2SysdigMacro).

      You now have two versions of the serverless agent components. When you are ready to switch from the earlier version, proceed with the next step.

    4. Stop all running tasks and use CloudFormataion to delete the earlier stack. Redeploy the new stack with the updated CFT. (Transform: MyV2SysdigMacro)

    5. Clean up macros: Delete the previous kilt macro using the installer:

      ./installer-linux-amd64 cfn-macro delete MySysdigMacro