
AWS ECS with Lacework Agent as a Daemon Service (EC2 Launch Type)

Overview

You can run the Lacework agent (datacollector) as a daemon service on Amazon Elastic Container Service (Amazon ECS) with the EC2 launch type. The agent task itself always runs in host network mode.

When the Lacework agent runs as a daemon service on Amazon ECS, your application tasks can use the following network modes:

  • Bridge or host network mode without ENI trunking enabled for your AWS account
  • awsvpc, bridge, or host network mode with ENI trunking enabled for your AWS account

For more information about the Amazon ECS network modes, see Amazon ECS Task Networking.

Run Lacework Agent without ENI Trunking Enabled

To run the Lacework agent as a daemon service without ENI trunking enabled for your AWS account:

  1. Copy the following task definition JSON and edit the fields listed below. See Creating a Task Definition, EC2 Launch Type for more information.

    1. Replace TASK_EXECUTION_ROLE_ARN with the Amazon Resource Name (ARN) of the task execution role. The ARN format is: arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole
    2. Replace TASK_ROLE_ARN with the ARN of the task role.
    3. Replace LACEWORK_ACCESS_TOKEN with an agent access token from your Lacework account. For more information, see Agent Access Tokens.
    4. Replace LACEWORK_SERVER_URL with the agent server URL. For more information, see Agent Server URL.
  2. In the clusters in which you want to deploy the agent, create a daemon service using the task definition from step 1.

    The daemon service ensures that exactly one Lacework agent task runs on each container instance in the cluster, including instances that join later.

Task Definition JSON

{
  "executionRoleArn": "TASK_EXECUTION_ROLE_ARN",
  "containerDefinitions": [
    {
      "portMappings": [],
      "cpu": 0,
      "environment": [
        {
          "name": "LaceworkAccessToken",
          "value": "LACEWORK_ACCESS_TOKEN"
        },
        {
          "name": "LaceworkServerUrl",
          "value": "LACEWORK_SERVER_URL"
        }
      ],
      "mountPoints": [
        {
          "readOnly": true,
          "containerPath": "/laceworkfim",
          "sourceVolume": "root"
        },
        {
          "containerPath": "/var/lib/lacework",
          "sourceVolume": "var_lib_lacework"
        },
        {
          "containerPath": "/var/log",
          "sourceVolume": "var_log"
        },
        {
          "containerPath": "/var/run",
          "sourceVolume": "var_run"
        },
        {
          "readOnly": true,
          "containerPath": "/etc/passwd",
          "sourceVolume": "etc_passwd"
        },
        {
          "readOnly": true,
          "containerPath": "/etc/group",
          "sourceVolume": "etc_group"
        }
      ],
      "volumesFrom": [],
      "image": "lacework/datacollector",
      "essential": true,
      "privileged": true,
      "name": "lacework-datacollector"
    }
  ],
  "placementConstraints": [],
  "memory": "512",
  "taskRoleArn": "TASK_ROLE_ARN",
  "family": "lacework-datacollector",
  "pidMode": "host",
  "requiresCompatibilities": [],
  "networkMode": "host",
  "cpu": "512",
  "volumes": [
    {
      "name": "var_log",
      "host": {
        "sourcePath": "/var/log"
      }
    },
    {
      "name": "root",
      "host": {
        "sourcePath": "/"
      }
    },
    {
      "name": "etc_passwd",
      "host": {
        "sourcePath": "/etc/passwd"
      }
    },
    {
      "name": "var_run",
      "host": {
        "sourcePath": "/var/run"
      }
    },
    {
      "name": "etc_group",
      "host": {
        "sourcePath": "/etc/group"
      }
    },
    {
      "name": "var_lib_lacework",
      "host": {
        "sourcePath": "/var/lib/lacework"
      }
    }
  ]
}
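This task definition grants the agent host-level access: the container is privileged, shares the host PID and network namespaces, and mounts host paths including /var/run read-write, while the one credential it carries, the agent access token, sits as a plaintext environment value that anyone who can read the registered task definition can copy. The Python script below is an added example and is not Lacework's or AWS's code. It audits a constructed copy of the task definition above for the settings the agent relies on, flags the plaintext token and the writable host mounts, rewrites the definition so ECS injects the token at task start through the "secrets"/"valueFrom" mechanism instead, and returns the AWS CLI commands that register the definition and create the daemon service. The Secrets Manager ARN, cluster name and file path are assumed placeholders, and the task execution role must additionally be allowed to read that secret (that IAM policy is not shown).

```python
import copy
import json

# Constructed sample mirroring the task definition on this page, trimmed to the
# fields inspected below. The placeholder values are the page's own.
TASK_DEF = {
    "family": "lacework-datacollector",
    "executionRoleArn": "TASK_EXECUTION_ROLE_ARN",
    "networkMode": "host",
    "pidMode": "host",
    "containerDefinitions": [{
        "name": "lacework-datacollector",
        "image": "lacework/datacollector",
        "privileged": True,
        "environment": [
            {"name": "LaceworkAccessToken", "value": "LACEWORK_ACCESS_TOKEN"},
            {"name": "LaceworkServerUrl", "value": "LACEWORK_SERVER_URL"},
        ],
        "mountPoints": [
            {"readOnly": True, "containerPath": "/laceworkfim", "sourceVolume": "root"},
            {"containerPath": "/var/lib/lacework", "sourceVolume": "var_lib_lacework"},
            {"containerPath": "/var/run", "sourceVolume": "var_run"},
        ],
    }],
    "volumes": [
        {"name": "root", "host": {"sourcePath": "/"}},
        {"name": "var_lib_lacework", "host": {"sourcePath": "/var/lib/lacework"}},
        {"name": "var_run", "host": {"sourcePath": "/var/run"}},
    ],
}

# Environment variables whose values are credentials and belong in "secrets".
SENSITIVE_ENV = {"LaceworkAccessToken"}


def _agent_container(task_def):
    """Return the datacollector container definition (the page defines one)."""
    for c in task_def["containerDefinitions"]:
        if c.get("image", "").startswith("lacework/datacollector"):
            return c
    raise ValueError("no lacework/datacollector container in task definition")


def audit(task_def):
    """Return findings as 'LEVEL: message' strings.

    ERROR: a setting the agent relies on for host visibility is missing.
    WARN:  a credential is stored in plaintext in the task definition.
    INFO:  a host path is mounted read-write (expected for the agent, but with a
           privileged container and /var/run among them this is host access).
    """
    findings = []
    c = _agent_container(task_def)
    if task_def.get("networkMode") != "host":
        findings.append("ERROR: networkMode must be 'host' for the agent task")
    if task_def.get("pidMode") != "host":
        findings.append("ERROR: pidMode must be 'host' so the agent sees host processes")
    if not c.get("privileged"):
        findings.append("ERROR: the datacollector container must be privileged")
    paths = {v["name"]: v.get("host", {}).get("sourcePath") for v in task_def.get("volumes", [])}
    fim = [m for m in c.get("mountPoints", []) if m["containerPath"] == "/laceworkfim"]
    if not fim or paths.get(fim[0]["sourceVolume"]) != "/" or not fim[0].get("readOnly"):
        findings.append("ERROR: host / must be mounted read-only at /laceworkfim")
    for var in c.get("environment", []):
        if var["name"] in SENSITIVE_ENV and var.get("value"):
            findings.append(f"WARN: {var['name']} is plaintext; move it to 'secrets' with valueFrom")
    for m in c.get("mountPoints", []):
        if not m.get("readOnly"):
            findings.append(f"INFO: host {paths.get(m['sourceVolume'])} mounted read-write at {m['containerPath']}")
    return findings


def harden_secrets(task_def, secret_arns):
    """Return a copy in which each environment variable named in secret_arns
    (name -> Secrets Manager or SSM Parameter Store ARN) is removed from
    'environment' and injected through 'secrets'/'valueFrom'. ECS resolves the
    value at task start with the task execution role, so the token never sits
    in the registered task definition."""
    out = copy.deepcopy(task_def)
    c = _agent_container(out)
    c["environment"] = [v for v in c.get("environment", []) if v["name"] not in secret_arns]
    c.setdefault("secrets", []).extend(
        {"name": name, "valueFrom": arn} for name, arn in secret_arns.items())
    return out


def deploy_commands(cluster, task_def_path, family="lacework-datacollector"):
    """Return the two AWS CLI invocations (argv lists) that register the task
    definition and create the daemon service with the EC2 launch type. They
    are returned for review rather than run; pass each to subprocess.run to apply."""
    return [
        ["aws", "ecs", "register-task-definition", "--cli-input-json", f"file://{task_def_path}"],
        ["aws", "ecs", "create-service", "--cluster", cluster, "--service-name", family,
         "--task-definition", family, "--launch-type", "EC2", "--scheduling-strategy", "DAEMON"],
    ]


if __name__ == "__main__":
    # Assumed secret ARN: a placeholder, not a real resource.
    token_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:lacework/agent-token"
    print("\n".join(audit(TASK_DEF)))
    print(json.dumps(harden_secrets(TASK_DEF, {"LaceworkAccessToken": token_arn}), indent=2))
    for argv in deploy_commands("my-cluster", "lacework-datacollector.json"):
        print(" ".join(argv))
```

Run against the sample, audit reports no ERROR findings, one WARN for the plaintext token and an INFO line per writable host mount; after harden_secrets the WARN disappears and the container carries a "secrets" entry in place of the environment value. The writable mounts are intentional (the agent writes its state and logs there and reads the container runtime through /var/run), which is why they are reported as INFO rather than errors: the point is that registering this task definition in a cluster is equivalent to root on every container instance, so the IAM permissions to register task definitions and create services on that cluster deserve the same scrutiny as the host itself.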

Run Lacework Agent with ENI Trunking Enabled

To run the Lacework agent as a daemon service with ENI trunking enabled for your AWS account:

  1. Enable ENI trunking for your AWS account. For more information, see Elastic Network Interface Trunking.
  2. In the agent task definition, add a LaceworkConfig environment variable that disables the CNI setting in the Lacework agent's configuration. The value is a JSON document passed as a string, so its inner quotes are escaped:
    {
    "name": "LaceworkConfig",
    "value": "{\"k8s\": {\"cni\": \"disable\" }}"
    }

The full task definition is given below. Update the following attributes for your environment:

  1. Replace TASK_EXECUTION_ROLE_ARN with an appropriate Amazon Resource Name (ARN) for the task execution role. The ARN format is: arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole
  2. Replace TASK_ROLE_ARN with the ARN of the task role.
  3. Replace LACEWORK_ACCESS_TOKEN with an agent access token from your Lacework account. For more information, see Agent Access Tokens.
  4. Replace LACEWORK_SERVER_URL with the agent server URL. For more information, see Agent Server URL.

Task Definition JSON

{
  "executionRoleArn": "TASK_EXECUTION_ROLE_ARN",
  "containerDefinitions": [
    {
      "portMappings": [],
      "cpu": 0,
      "environment": [
        {
          "name": "LaceworkAccessToken",
          "value": "LACEWORK_ACCESS_TOKEN"
        },
        {
          "name": "LaceworkConfig",
          "value": "{\"k8s\": {\"cni\": \"disable\" }}"
        },
        {
          "name": "LaceworkServerUrl",
          "value": "LACEWORK_SERVER_URL"
        }
      ],
      "mountPoints": [
        {
          "readOnly": true,
          "containerPath": "/laceworkfim",
          "sourceVolume": "root"
        },
        {
          "containerPath": "/var/lib/lacework",
          "sourceVolume": "var_lib_lacework"
        },
        {
          "containerPath": "/var/log",
          "sourceVolume": "var_log"
        },
        {
          "containerPath": "/var/run",
          "sourceVolume": "var_run"
        },
        {
          "readOnly": true,
          "containerPath": "/etc/passwd",
          "sourceVolume": "etc_passwd"
        },
        {
          "readOnly": true,
          "containerPath": "/etc/group",
          "sourceVolume": "etc_group"
        }
      ],
      "volumesFrom": [],
      "image": "lacework/datacollector",
      "essential": true,
      "privileged": true,
      "name": "lacework-datacollector"
    }
  ],
  "placementConstraints": [],
  "memory": "512",
  "taskRoleArn": "TASK_ROLE_ARN",
  "family": "lacework-datacollector",
  "pidMode": "host",
  "requiresCompatibilities": [],
  "networkMode": "host",
  "cpu": "512",
  "volumes": [
    {
      "name": "var_log",
      "host": {
        "sourcePath": "/var/log"
      }
    },
    {
      "name": "root",
      "host": {
        "sourcePath": "/"
      }
    },
    {
      "name": "etc_passwd",
      "host": {
        "sourcePath": "/etc/passwd"
      }
    },
    {
      "name": "var_run",
      "host": {
        "sourcePath": "/var/run"
      }
    },
    {
      "name": "etc_group",
      "host": {
        "sourcePath": "/etc/group"
      }
    },
    {
      "name": "var_lib_lacework",
      "host": {
        "sourcePath": "/var/lib/lacework"
      }
    }
  ]
}
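The LaceworkConfig value is a JSON document carried inside a JSON string, which is why its quotes appear escaped above; if the variable already holds other agent settings, pasting the CNI snippet over it by hand silently discards them. The Python below is an added example, not Lacework's code: it generates the variable from a dict so the escaping is done by the JSON serializer, merges the CNI setting into an existing LaceworkConfig value instead of replacing it, raises if the existing value is not valid JSON, and applies the change only to datacollector containers in a task definition. The example_setting key in the sample is a hypothetical placeholder, not a documented agent option.

```python
import copy
import json

# The setting this page adds for ENI trunking, as a Python dict.
CNI_DISABLE = {"k8s": {"cni": "disable"}}


def _deep_merge(base, extra):
    """Merge nested dicts so that extra overrides leaves without dropping siblings."""
    out = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _deep_merge(out[key], value)
        else:
            out[key] = value
    return out


def lacework_config(container):
    """Parse a container definition's LaceworkConfig variable ({} if unset)."""
    for var in container.get("environment", []):
        if var["name"] == "LaceworkConfig":
            return json.loads(var["value"])
    return {}


def set_lacework_config(container, extra):
    """Return a copy of the container definition with extra merged into its
    LaceworkConfig variable. The value is JSON inside a JSON string: json.dumps
    produces the escaped quotes seen in the task definition, and an existing
    value is merged, not replaced. Raises ValueError if the existing value is
    not valid JSON (json.JSONDecodeError is a ValueError)."""
    container = copy.deepcopy(container)
    env = container.setdefault("environment", [])
    for var in env:
        if var["name"] == "LaceworkConfig":
            var["value"] = json.dumps(_deep_merge(json.loads(var["value"]), extra))
            return container
    env.append({"name": "LaceworkConfig", "value": json.dumps(extra)})
    return container


def enable_eni_trunking(task_def):
    """Apply the CNI-disable setting to every datacollector container in a task
    definition, leaving any other containers untouched."""
    task_def = copy.deepcopy(task_def)
    task_def["containerDefinitions"] = [
        set_lacework_config(c, CNI_DISABLE)
        if c.get("image", "").startswith("lacework/datacollector") else c
        for c in task_def["containerDefinitions"]
    ]
    return task_def


def render(task_def):
    """Serialise a task definition as the JSON that ECS accepts."""
    return json.dumps(task_def, indent=2)


if __name__ == "__main__":
    # Constructed sample: the agent container already carrying a hypothetical
    # LaceworkConfig setting, to show that the merge keeps it.
    sample = {"family": "lacework-datacollector", "containerDefinitions": [{
        "name": "lacework-datacollector", "image": "lacework/datacollector",
        "environment": [{"name": "LaceworkConfig", "value": '{"example_setting": true}'}],
    }]}
    print(render(enable_eni_trunking(sample)))
```

The rendered output contains the same "value": "{\"k8s\": {\"cni\": \"disable\"}}" form as the task definition above, with the pre-existing key preserved alongside it; lacework_config parses the variable back so a deployment script can assert on the effective agent configuration rather than on the escaped string.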