Docker Security Guide Blog Series [Part 3]
NOTE: This is the third part of a blog series.
Part 1: Introduction to Docker, Security Best Practices and scans
Part 2: Docker Vulnerability Scan Tools
Part 3: QUALYS - Deploying sensor in AWS ECS Cluster
Overview
In Part 1 and Part 2 of this blog series, we covered Docker technology, Docker security best practices, and Docker vulnerability scanning tools in detail. In Part 3, we explain how to deploy the Qualys Container Sensor in an AWS ECS cluster, going through each step of the deployment. After completing these steps, the scanned inventory and findings appear in the Qualys Container Security module.
Index
Part 1: Introduction to Docker, Security Best Practices and scans
- Docker Technology: An Overview
- Docker Security: A Tricky Way
- Docker Security Best Practices
- Docker-Vulnerability Scan (Docker Bench for Security, AWS ECR, Trivy Overview)
Part 2: Docker Vulnerability Scanning
- Docker Vulnerability Scan Overview & Importance
- Docker Vulnerability Scan Tools in Detail
- Docker Bench for Security
- Dive
- Inspec
- AWS ECR
- Trivy
Part 3: QUALYS - Deploying sensor in AWS ECS Cluster
- Log in to Qualys
- Download the QualysContainerSensor.tar.xz file
- Download the container sensor
- Sensor package operations
- Push the Qualys sensor image to an AWS ECR repository.
- Modify the cssensor AWS ECS JSON file
- Import the JSON file
- Task execution IAM role configurations
- Select the AWS Cluster
- Select the task definition
- Create task definition
- Final Qualys Container Security module
Deploying sensor in AWS ECS Cluster
To start with, prepare the Container Security (CS) sensor in Qualys:
1. Log in to Qualys
Log in to Qualys, go to Container Security and select the Configurations tab.
2. Download the QualysContainerSensor.tar.xz
Download the QualysContainerSensor.tar.xz file from the Qualys Cloud Portal to your workstation. Choose the General (Host) .tar.xz package.
3. Download the container sensor
A tar file containing the sensor Docker image and the install script is downloaded. The sensor is pre-configured to connect to the Qualys Cloud Platform.
Prerequisites: AWS ECS Cluster should be up and running.
4. Sensor package operations
Untar the sensor package: tar -xvf QualysContainerSensor.tar.xz
The extracted files include the sensor image tar and the cssensor-aws-ecs.json task definition used in step 6.
5. Push the Qualys sensor image to an AWS ECR repository
Use the following commands to push the Qualys sensor image to an ECR repository:
5.1. Load the image into the local Docker engine
docker load -i <sensor-image-tar-extracted-in-step-4>
Note the image name and tag that docker load prints; it is the source image for the tag command in step 5.4.
5.2. In the AWS console, create an ECR repository for the sensor image
5.3. Check the connection to AWS ECR
For example:
aws ecr get-login-password --region us-east-1 --profile xxxxxxx | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com
ECR always expects the literal username AWS, and the temporary token from get-login-password is piped in on stdin rather than placed on the command line, where it would end up in the shell history.
5.4. Tag the image
If the login succeeds, tag the loaded image with the ECR repository path. For example:
docker tag <image-name-printed-by-docker-load> xxxxxxxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualys-registry:latest
5.5. Push the image to ECR
docker push xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxxx-qualys-registry:latest
Note: Do not use the examples as they are. Replace the registry/image path with your own.
6. Modifying the cssensor AWS ECS JSON file
6.1 Modify the cssensor-aws-ecs.json file
Modify the cssensor-aws-ecs.json file (extracted from QualysContainerSensor.tar.xz in step 4) to provide values for the parameters below. For the JSON file to work properly, do not remove or comment out any sections other than the ones listed here. Note that you can download the JSON file directly from here.
Activation ID and Customer ID are required; both are shown in your Qualys subscription.
Modify the file with your image information, ActivationID and CustomerID.
6.2 Replace the image attribute
"image": "xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualyssensor:latest"
6.3 Specify appropriate values for cpu (CPU units; in ECS, 1024 units correspond to one vCPU) and memory (size in MB)
6.4 Remove proxy settings from JSON file
You need to delete the following three parts. They belong together: the environment entry points the sensor at a proxy, the mountPoint provides the proxy CA certificate inside the container, and the volume supplies that certificate from the host. The mountPoint's sourceVolume must match the volume name, so remove all three, not just one of them:
a. Delete this entry from environment:
{ "name": "qualys_https_proxy", "value": "proxy.qualys.com:3128" }
b. Delete this entry from mountPoints:
{ "sourceVolume": "proxy-cert-path", "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt" }
c. Delete this entry from volumes:
{ "name": "proxy-cert-path", "host": { "sourcePath": "/root/cert/proxy-certificate.crt" } }
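Editing the task definition by hand is easy to get half right, for instance deleting the proxy volume but leaving the mountPoint that references it, which ECS rejects when the task definition is registered. The following Python script is an added example, not part of this guide or of the Qualys sensor package: it applies steps 6.2 to 6.4 to a copy of the task definition and then checks the result before you import it in step 7. It assumes the downloaded file follows the standard ECS task-definition layout (containerDefinitions, environment, mountPoints, volumes) and that the Activation ID and Customer ID are carried in environment variables named ACTIVATIONID and CUSTOMERID; both names are parameters, so adjust them to what your file contains. The embedded sample JSON is constructed for the example and carries only the fields the guide tells us to edit.

```python
"""Apply the step 6 edits to a cssensor-aws-ecs.json copy and verify the result.
Added example; the sample task definition below is constructed, not the real file."""
import copy
import json
import re

# Constructed sample in ECS task-definition layout with only the fields we edit.
SAMPLE_TASK_DEF = {
    "family": "qualys-container-sensor",
    "containerDefinitions": [{
        "name": "qualys-container-sensor",
        "image": "xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualyssensor:latest",
        "cpu": 0,
        "memory": 0,
        "essential": True,
        "environment": [
            # Variable names for the two IDs are an assumption; check your file.
            {"name": "ACTIVATIONID", "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
            {"name": "CUSTOMERID", "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},
            {"name": "qualys_https_proxy", "value": "proxy.qualys.com:3128"},
        ],
        "mountPoints": [
            {"sourceVolume": "docker-sock", "containerPath": "/var/run/docker.sock"},
            {"sourceVolume": "proxy-cert-path",
             "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt"},
        ],
    }],
    "volumes": [
        {"name": "docker-sock", "host": {"sourcePath": "/var/run/docker.sock"}},
        {"name": "proxy-cert-path",
         "host": {"sourcePath": "/root/cert/proxy-certificate.crt"}},
    ],
}

PROXY_ENV = "qualys_https_proxy"    # step 6.4a
PROXY_VOLUME = "proxy-cert-path"    # steps 6.4b and 6.4c
PLACEHOLDER = re.compile(r"x{4,}", re.IGNORECASE)  # the guide's "xxxx" style


def _set_env(environment, name, value):
    """Set name=value in an ECS environment list, replacing any existing entry."""
    for entry in environment:
        if entry["name"] == name:
            entry["value"] = value
            return
    environment.append({"name": name, "value": value})


def customize(task_def, *, image, cpu, memory, activation_id, customer_id,
              activation_key="ACTIVATIONID", customer_key="CUSTOMERID"):
    """Return a copy of task_def with steps 6.2 to 6.4 applied."""
    td = copy.deepcopy(task_def)
    for cd in td["containerDefinitions"]:
        cd["image"] = image        # 6.2: the image pushed to ECR in step 5
        cd["cpu"] = cpu            # 6.3: CPU units (1024 = one vCPU)
        cd["memory"] = memory      # 6.3: memory in MB
        env = [e for e in cd.get("environment", []) if e["name"] != PROXY_ENV]
        _set_env(env, activation_key, activation_id)
        _set_env(env, customer_key, customer_id)
        cd["environment"] = env
        cd["mountPoints"] = [m for m in cd.get("mountPoints", [])
                             if m["sourceVolume"] != PROXY_VOLUME]
    td["volumes"] = [v for v in td.get("volumes", []) if v["name"] != PROXY_VOLUME]
    return td


def validate(task_def, required_env=("ACTIVATIONID", "CUSTOMERID")):
    """List what would still break the import or the sensor; [] means ready."""
    problems = []
    declared = {v["name"] for v in task_def.get("volumes", [])}
    mounted = set()
    for cd in task_def["containerDefinitions"]:
        who = cd["name"]
        if PLACEHOLDER.search(cd.get("image", "")):
            problems.append(f"{who}: image still contains a placeholder")
        for key in ("cpu", "memory"):
            if not isinstance(cd.get(key), int) or cd[key] <= 0:
                problems.append(f"{who}: {key} must be a positive integer")
        env = {e["name"]: e.get("value", "") for e in cd.get("environment", [])}
        if PROXY_ENV in env:
            problems.append(f"{who}: proxy setting {PROXY_ENV} was not removed")
        for name in required_env:
            if not env.get(name) or PLACEHOLDER.search(env[name]):
                problems.append(f"{who}: {name} is missing or still a placeholder")
        for mp in cd.get("mountPoints", []):
            mounted.add(mp["sourceVolume"])
            if mp["sourceVolume"] not in declared:   # dangling reference, ECS rejects it
                problems.append(f"{who}: mountPoint references unknown volume "
                                f"{mp['sourceVolume']} (partial step 6.4?)")
    for name in sorted(declared - mounted):
        problems.append(f"volume {name} is declared but never mounted (partial step 6.4?)")
    return problems


def customize_file(src_path, dst_path, **kwargs):
    """Read the downloaded JSON, apply customize(), write the result, report problems."""
    with open(src_path) as f:
        result = customize(json.load(f), **kwargs)
    with open(dst_path, "w") as f:
        json.dump(result, f, indent=2)
    return validate(result)


if __name__ == "__main__":
    edited = customize(SAMPLE_TASK_DEF,
                       image="123456789012.dkr.ecr.us-east-1.amazonaws.com/acme-qualyssensor:latest",
                       cpu=512, memory=1024,
                       activation_id="11111111-2222-3333-4444-555555555555",  # constructed
                       customer_id="66666666-7777-8888-9999-000000000000")   # constructed
    print("before:", validate(SAMPLE_TASK_DEF))
    print("after: ", validate(edited) or "ready to import")
```

Run customize_file("cssensor-aws-ecs.json", "cssensor-aws-ecs.customized.json", image=..., cpu=..., memory=..., activation_id=..., customer_id=...) against the real file and only paste the output into the ECS console if the returned list is empty. The validator deliberately checks both directions of the volume/mountPoint relationship, because a leftover on either side is the typical result of stopping after only one of the three deletions in step 6.4.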
7. Import the JSON file
7.1. Import the JSON file into Amazon ECS UI to complete the sensor deployment.
7.2. On the Amazon ECS UI, under Task Definitions, click Create New Task Definition.
7.3. Select the launch type compatibility as EC2 (Fargate is not supported).
7.4. Provide the Task Definition name, and then provide the Task Role, Network Mode, and Task Execution Role if applicable.
8. Task execution IAM role configurations
8.1. Scroll to the bottom of the page and select Configure via JSON option.
8.2. Remove any existing content and then copy-paste the entire contents of the cssensor-aws-ecs.json file.
8.3. Click Create to create the Task Definition. Once created, it should get listed under Task Definitions.
8.4. Confirm that the task definition was created successfully.
9. Select the AWS Cluster
Now go to Clusters and click the cluster name on which you want to deploy the sensor. Under the Services tab, click Create. Select the launch type as EC2.
10. Select the task definition
Select the Task Definition you created above and its revision, and then select a cluster. Provide the Service name and set the Service type to “DAEMON”, which places exactly one sensor task on every container instance in the cluster, as a per-host sensor requires. Then configure Network, Load Balancing, and Auto Scaling if applicable.
11. Create task definition
Review the provided information, and then click Create to create the Service. Once created, it should be listed under Services. Verify that the service status is Active. In the Tasks tab, verify that a sensor task is running on every ECS container instance.
12. Final Qualys Container Security module
Now you will see all details in the Qualys Container Security module.
Conclusion
In Part 3, “QUALYS - Deploying sensor in AWS ECS Cluster”, of our blog series, we explained how to deploy your Qualys Container Sensor in an AWS ECS cluster. We showed each step with detailed screenshots so you can deploy your sensor easily. We hope you enjoyed our article.
Check out our Vulnerability Management and Cloud Security services to stay secure!