Welcome to our three-part blog series where we discuss Docker Technology, Docker Security best practices, and Docker Vulnerability Tools. In Part 1 and Part 2, we explored these topics in detail. In Part 3, we will delve into how to deploy Qualys Container Sensor in AWS ECS Cluster.
By following this step-by-step guide, you will be able to deploy the sensor and gain access to all the details in the Qualys Container Security module.
So, sit tight and buckle up as we take you on a journey through the world of Docker and Container Security.
Index
Part 1: Introduction to Docker, Security Best Practices, and Scans
- Docker Technology: An Overview
- Docker Security: A Tricky Way
- Docker Security Best Practices
- Docker-Vulnerability Scan (Docker Bench for Security, AWS ECR, Trivy Overview)
Part 2: Docker Vulnerability Scanning
- Docker Vulnerability Scan Overview & Importance
- Docker Vulnerability Scan Tools in Detail
- Docker Bench for Security
- Dive
- Inspec
- AWS ECR
- Trivy
Part 3: QUALYS – Deploying sensor in AWS ECS Cluster
- Log in to Qualys
- Download the QualysContainerSensor.tar.xz file
- Download the container sensor
- Sensor package operations
- Push the Qualys sensor image to an AWS ECR repository
- Modify the cssensor AWS ECS JSON file
- Import the JSON file
- Task execution IAM role configurations
- Select the AWS Cluster
- Select the task definition
- Create task definition
- Final Qualys Container Security module
Deploying sensor in AWS ECS Cluster
To start with, please prepare the CS connector in Qualys:
1. Log in to Qualys
Log in to Qualys, go to Container Security and select the Configurations tab.
2. Download the QualysContainerSensor.tar.xz
Download the QualysContainerSensor.tar.xz file from the Qualys Cloud Portal to a workstation. Choose the General (Host) .tar.xz package.
3. Download the container sensor
Download the container sensor. A tar file containing the sensor docker image and the install script will be downloaded. The sensor is pre-configured to connect to the Qualys Cloud Platform.
Prerequisites: AWS ECS Cluster should be up and running.
4. Sensor package operations
Untar the sensor package: tar -xvf QualysContainerSensor.tar.xz
5. Push the Qualys sensor image to an AWS ECR repository
Use the following commands to push the Qualys sensor image to an ECR repository:
5.1. Load image to the local docker
5.2. Go to the AWS account and create ECR Repository
5.3. Check connection to AWS ECR
For example (for ECR the docker login username is always AWS; the token comes from get-login-password on stdin):
aws ecr get-login-password --region us-east-1 --profile xxxxxxx | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com
5.4. Tag the image
If the login succeeds, tag the loaded image with the ECR repository path. The source is the name docker load gave the sensor image (check it with docker images). For example:
docker tag <loaded-sensor-image>:<tag> xxxxxxxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualys-registry:latest
5.5 Push the image to ECR
docker push xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxxx-qualys-registry:latest
Note: Do not use the examples as they are. Replace the registry/image path with your own.
6. Modifying the cssensor AWS ECS JSON file
6.1 Modify the cssensor-aws-ecs.json file
Modify the cssensor-aws-ecs.json file (extracted from QualysContainerSensor.tar.xz) to provide values for the parameters below. For the JSON file to import correctly, do not remove or comment out any sections other than the ones listed below.
Activation ID and Customer ID are required. You can find your Activation ID and Customer ID in your Qualys subscription:
Modify with your Image information, ActivationID, and CustomerID:
6.2 Replace the image attribute
"image": "xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualyssensor:latest"
6.3 Specify appropriate values for cpu (no. of vcpu) and memory (size in MB)
6.4 Remove proxy settings from JSON file
You need to delete the following entries:
a. Delete this entry from the environment array:
    { "name": "qualys_https_proxy", "value": "proxy.qualys.com:3128" }
b. Delete this entry from mountPoints:
    { "sourceVolume": "proxy-cert-path", "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt" }
c. Delete this entry from volumes:
    { "name": "proxy-certpath", "host": { "sourcePath": "/root/cert/proxy-certificate.crt" } }
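As an added example (not code from this post or from Qualys), the following Python applies the step 6 edits to a task definition and checks the result before you paste it into the ECS console: it sets image, cpu and memory, fills in the Activation ID and Customer ID, removes the proxy variable and the proxy-certificate mount, and drops any volume that no longer has a mount point. The task definition below is a constructed, minimal stand-in for cssensor-aws-ecs.json, and the environment variable names ACTIVATIONID and CUSTOMERID are assumed.

```python
import copy

# Constructed stand-in for cssensor-aws-ecs.json: only the fields the post says
# to touch are included; the real file has more. Env var names are assumed.
SAMPLE_TASK_DEF = {
    "containerDefinitions": [{
        "name": "qualys-container-sensor", "image": "qualys/sensor:latest",
        "cpu": 10, "memory": 500,
        "environment": [
            {"name": "ACTIVATIONID", "value": ""}, {"name": "CUSTOMERID", "value": ""},
            {"name": "qualys_https_proxy", "value": "proxy.qualys.com:3128"}],
        "mountPoints": [
            {"sourceVolume": "socket-volume", "containerPath": "/var/run/docker.sock"},
            {"sourceVolume": "proxy-cert-path", "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt"}],
    }],
    "volumes": [
        {"name": "socket-volume", "host": {"sourcePath": "/var/run/docker.sock"}},
        {"name": "proxy-cert-path", "host": {"sourcePath": "/root/cert/proxy-certificate.crt"}}],
}
PROXY_ENV = "qualys_https_proxy"
PROXY_CERT = "/etc/qualys/qpa/cert/custom-ca.crt"


def prepare_task_def(task_def, image, cpu, memory, activation_id, customer_id):
    """Return a copy of task_def with the step 6 edits (6.2 to 6.4) applied."""
    td = copy.deepcopy(task_def)
    cdef = td["containerDefinitions"][0]
    cdef["image"], cdef["cpu"], cdef["memory"] = image, cpu, memory
    ids = {"ACTIVATIONID": activation_id, "CUSTOMERID": customer_id}
    # 6.4a: drop the proxy variable while filling in the subscription identifiers.
    cdef["environment"] = [
        {"name": e["name"], "value": ids.get(e["name"], e["value"])}
        for e in cdef["environment"] if e["name"] != PROXY_ENV]
    # 6.4b: drop the proxy-certificate mount; 6.4c: drop volumes nothing mounts any more.
    cdef["mountPoints"] = [m for m in cdef["mountPoints"] if m["containerPath"] != PROXY_CERT]
    used = {m["sourceVolume"] for m in cdef["mountPoints"]}
    td["volumes"] = [v for v in td["volumes"] if v["name"] in used]
    return td


def validate(td):
    """True when the IDs are set, no proxy variable remains, and every volume is mounted."""
    cdef = td["containerDefinitions"][0]
    env = {e["name"]: e["value"] for e in cdef["environment"]}
    missing = [k for k in ("ACTIVATIONID", "CUSTOMERID") if not env.get(k)]
    dangling = {v["name"] for v in td["volumes"]} ^ {m["sourceVolume"] for m in cdef["mountPoints"]}
    return not missing and PROXY_ENV not in env and not dangling
```

Run prepare_task_def on the JSON you loaded from the extracted file, then json.dumps the result with indent=2 and paste that into the Configure via JSON box in step 8.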
7. Import the JSON file
7.1. Import the JSON file into Amazon ECS UI to complete the sensor deployment.
7.2. On the Amazon ECS UI, under Task Definitions, click Create New Task Definition.
7.3. Select the launch type compatibility as EC2 (Fargate is not supported).
7.4. Provide the Task Definition name, and then provide Task Role, Network Mode, and Task Execution Role if applicable:
8. Task execution IAM role configurations
8.1. Scroll to the bottom of the page and select Configure via JSON option.
8.2. Remove any existing content and then copy-paste the entire contents of the cssensor-aws-ecs.json file.
8.3. Click Create to create the Task Definition. Once created, it should get listed under Task Definitions.
8.4. Confirm if the task definition is created successfully
9. Select the AWS Cluster
Now go to Clusters and click the cluster name on which you want to deploy the sensor. Under the Services tab, click Create. Select the launch type as EC2.
10. Select the task definition
Select the Task Definition you created above and its revision, then select a cluster. Provide the Service name, Service type as “DAEMON”, and then configure Network, Load Balancing, and Auto Scaling if applicable.
11. Create task definition
Review the provided information, and then click Create to create the Service. Once created, it should be listed under Services. Verify that the service status is Active. In the Tasks tab, verify that a sensor task is running on every container instance in the cluster.
12. Final Qualys Container Security module
Now, you will see all details in the Qualys Container Security module:
Conclusion
In Part 3, “QUALYS – Deploying sensor in AWS ECS Cluster”, of our blog series, we discussed how to deploy your Qualys Container Sensor in AWS ECS Cluster. The deployment of this sensor is a crucial step in ensuring the security of your AWS infrastructure. By using this sensor, you will be able to monitor your containers for any vulnerabilities and take action to address them.
We hope that you found this article informative and helpful. In addition to our blog series, we also offer a variety of security services to help you stay secure. Check out our Vulnerability Management and Cloud Security services to learn more and stay protected.