How to Run Automatic Security Deployments for ECS Clusters in Twistlock

Mar 29, 2017 by Kevin Lewis
We’ve heard many of our customers asking for auto deployments of Twistlock’s Defender to ECS clusters and we’re here to help with this step-by-step guide to setting up automatic security deployments.

First, some basic info…

What is an Amazon ECS cluster?

An Amazon EC2 Container Service (Amazon ECS) cluster is a logical grouping of container instances where you can run tasks. Tasks are runtime container definitions that ECS uses to run, scale and balance the containers you are running across the cluster. When you first use Amazon ECS you will need to create a new cluster, and you should create multiple clusters in an account to keep your resources separate.

Why would I want to automate deployments to ECS clusters? What’s the benefit?

When you use Amazon ECS you don’t always manage the underlying instances yourself. Typically you use Auto Scaling groups to provision and deprovision instances as needed. When new instances join the cluster you want to make sure they have the Defender installed before running tasks to ensure full runtime, compliance and vulnerability protection for all EC2 instances that make up the cluster.

Okay, so how can I set up Automatic Security Deployments for ECS Clusters in Twistlock?

1.) Create a new empty cluster

Navigate to Services > EC2 Container Services

Click Create Cluster
Type a name for your cluster (For Example: twistlock-protected)
Tick the Create empty cluster checkbox
Finally, create your cluster by clicking the Create button in the bottom left

2.) Create a new launch configuration that has user data to run our script:

Navigate to EC2 -> Auto Scaling -> Launch Configurations
Create a new launch configuration
Choose the AMI and Instance Type
Under Configure Details expand out the Advanced Details Section
Add the following to the User Data section.

Note: replace the placeholders before saving:

Replace {CLUSTER_NAME} with the name of your cluster. We used twistlock-protected in the example above.

Replace {USERNAME}:{PASSWORD} with valid Twistlock credentials for your console.

Replace {CONSOLE_HOST} with your console hostname or IP.

Replace {CONSOLE_PORT} with the port your web console is listening on (by default 8083).

#!/bin/bash
# Register this instance with the cluster so the ECS agent joins it before any task is scheduled here
echo "ECS_CLUSTER={CLUSTER_NAME}" >> /etc/ecs/ecs.config
# Download the Defender install script from the Console (-k skips certificate verification, which is needed if the Console still uses its self-signed certificate)
curl -k -u {USERNAME}:{PASSWORD} https://{CONSOLE_HOST}:{CONSOLE_PORT}/api/v1/scripts/defender.sh -o defender.sh
# Install and start Defender on this instance
chmod a+x ./defender.sh
./defender.sh

3.) Create a new auto scaling group to launch instances into the cluster

Navigate to EC2 > Auto Scaling > Auto Scaling Groups

Click Create Auto Scaling Group
Select Create an Auto Scaling group from existing launch configuration

Give your group a name, network and subnet
Set the group size to the number of instances you would like in your cluster. The default is 1
Click Next
Select Keep this group at its initial size
Note: You can use the second option to automatically scale your group based on CloudWatch alarms. For more information on how to do this, please consult the AWS documentation.

Click Review
Click Create Auto Scaling Group
And there you have it! You should see at least one EC2 instance running that has joined your cluster, with Defender installed by the user data script before any task was scheduled on it. You've completed the setup process and can enjoy the fruits of an auto-deployed Twistlock Defender in your ECS clusters.

Want more tips like this? Subscribe to our newsletter for more regular updates on container security news and tips, or contact us for a demo today.
