ECS on Fargate

The Sysdig Serverless Agent provides runtime detection and policy enforcement for serverless workloads on ECS Fargate. It uses Falco to ensure the security and compliance of the workloads.

The Serverless Agent helps you maintain security and compliance for your serverless workloads on ECS Fargate, reducing the risk of security incidents and compliance violations. By default, the Serverless Agent prioritizes workload availability over strict security enforcement, allowing tasks to start even if policies aren’t fully applied. You can adjust this behavior by setting the workload startup policy to prioritize security over availability.

Prerequisites

Before starting the installation, ensure that you have the following:

On AWS

  • A custom Terraform/CloudFormation template containing the Fargate task definitions that you want to instrument through the Serverless Agent
  • A VPC subnet that can connect with the Internet

On Sysdig

  • Sysdig Secure up and running
  • The endpoint of the Sysdig Collector for your region
  • The agent Access Key, retrieved from the Sysdig Secure UI, which the agent uses to authenticate and push data to the Sysdig platform

Limitations

Specifying the Entry Point and Command in the Container Definition

The Sysdig instrumentation service modifies the target workload’s task definition so that the original workload runs under Sysdig instrumentation. It pulls and analyzes the workload container image to retrieve its original entry point and command automatically.

However, in the following cases, Sysdig instrumentation cannot pull the workload image to retrieve this information. You must explicitly define EntryPoint and Command in the template’s container definitions when:

  • Your container image is hosted in a private registry.
  • Your container image name is not a plain string.
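A pre-flight check for this limitation, added here as an example and not part of Sysdig's tooling: it walks the ContainerDefinitions of a CloudFormation-style task definition and flags containers that lack an explicit EntryPoint and Command while their image is either not a plain string (a template intrinsic such as Fn::Sub) or, by an assumed heuristic, hosted in a private registry. The registry heuristic, the public-registry prefix list and the sample account ID are assumptions made for this example.

```python
"""Pre-flight lint (added example, not Sysdig's code): find ECS Fargate container
definitions whose image the instrumentation cannot introspect, so that EntryPoint
and Command must be declared explicitly in the template."""
import json

# Assumption: registries treated as publicly pullable; anything else with a
# registry host is treated as private for the purpose of this check.
PUBLIC_REGISTRY_PREFIXES = ("public.ecr.aws/", "docker.io/", "ghcr.io/")


def is_plain_string(image):
    """A CloudFormation intrinsic (Ref, Fn::Sub, ...) parses as a dict, not a str."""
    return isinstance(image, str)


def looks_private(image):
    """Heuristic: Docker Hub short names count as public; a first path component
    that looks like a registry host counts as private unless it is a known public one."""
    if "/" not in image:
        return False  # Docker Hub library image, e.g. "nginx:1.25"
    first = image.split("/", 1)[0]
    has_registry_host = "." in first or ":" in first or first == "localhost"
    if not has_registry_host:
        return False  # Docker Hub user image, e.g. "myorg/app:1.0"
    return not image.startswith(PUBLIC_REGISTRY_PREFIXES)


def lint_container_definitions(container_defs):
    """Return (container name, reason) pairs that need explicit EntryPoint and Command."""
    findings = []
    for cdef in container_defs:
        name = cdef.get("Name", "<unnamed>")
        image = cdef.get("Image")
        if "EntryPoint" in cdef and "Command" in cdef:
            continue  # already explicit; the instrumentation need not pull the image
        if not is_plain_string(image):
            findings.append((name, "image is not a plain string"))
        elif looks_private(image):
            findings.append((name, "image is hosted in a private registry"))
    return findings


# Constructed sample ContainerDefinitions (JSON form); the account ID is a placeholder.
SAMPLE_TEMPLATE = json.loads("""[
  {"Name": "web", "Image": "nginx:1.25"},
  {"Name": "api", "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api:v1"},
  {"Name": "worker", "Image": {"Fn::Sub": "${Repo}:${Tag}"}},
  {"Name": "ok", "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/ok:v1",
   "EntryPoint": ["/bin/app"], "Command": ["--serve"]}
]""")

if __name__ == "__main__":
    for name, reason in lint_container_definitions(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}; set EntryPoint and Command explicitly")
```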

Next Steps

The Serverless Agent can be deployed in multiple ways to suit your needs and preferences.

You can choose automated deployment using Terraform or CloudFormation, or manually adjust your IaC configuration.

  • Automatic deployment via Terraform or CloudFormation (Recommended): You can automate the deployment of the Serverless Agent using Terraform or CloudFormation templates. This method simplifies deployment, ensures consistency across deployments, and eases ongoing maintenance.

    Install on ECS Fargate using Terraform

    Install on ECS Fargate using CloudFormation

  • Manual deployment: You can manually modify your IaC configuration to deploy the Serverless Agent. This method requires more effort and is prone to human error, but provides more flexibility and control over the deployment process.

    Install on ECS Fargate manually

With the recommended deployment method, you can quickly and easily instrument your Fargate workloads with the Serverless Agent, ensuring runtime detection and policy enforcement for improved security and compliance.