Skip to main content

Sensor on AWS Fargate

Prerequisites

  • AWS profile access key and secret access key saved at path ~/.aws/credentials file
  • The profile should have all the required permissions as listed here

Install Sensor on Fargate

The pcap Sensor can be installed as a sidecar on an existing AWS task by adding to its task definition via the AWS Console.

The steps to add the sensor to your task are as follows

  • Go to Task Definitions
  • Select the required task definition
  • Click on Create revision with JSON
  • Add the given JSON object under ContainerDefinitions
  • Replace the values for satellite-url, levo-env and levoai-org-id in entrypoint.
  • Replace the values for Environment and LogConfiguration as per your requirement.
  • Set the cpu limit as number of CPU Units (Note: 1 core = 1024 CPU Units)
  • Set the memory limit in Mib (Note: memory should not exceed the Task memory limit)
{
    "name": "levo-pcap-sensor",
    "image": "levoai/pcap-sensor:0.1.3",
    "cpu": 512,
    "memory": 512,
    "portMappings": [],
    "essential": false,
    "entryPoint": [
        "./bin/init",
        "apidump",
        "--satellite-url",
        "< INSERT SATELLITE URL (http(s)://hostname|IP:port) >",
        "--levo-env",
        "<INSERT APPLICATION ENVIRONMENT (staging, production etc.)>",
        "--levoai-org-id",
        "< INSERT LEVO ORG ID >",
        "--rate-limit",
        "<INSERT NUMBER OF TRACES PER MINUTE>"
    ],
    "environment": [
        {
            "name": "LEVO_AWS_REGION",
            "value": "< INSERT AWS REGION (us-west-2) >"
        }
    ],
    "mountPoints": [],
    "volumesFrom": [],
    "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
            "awslogs-group": "< INSERT LOGS IDENTIFIER (/ecs/your-application-pcap) >",
            "awslogs-create-group": "true",
            "awslogs-region": "< INSERT AWS REGION (us-west-2) >",
            "awslogs-stream-prefix": "ecs-pcap"
        }
    }
}

Specify additional flags in the entrypoint

--trace-export-interval     # default 10s
--rate-limit                # number of traces per minute
--filter                    # eg. port 8080 and (not port 8081)
--host-allow                # regex for allowed hosts
--path-allow                # regex for allowed paths
--host-exclusions           # regex for excluded hosts
--path-exclusions           # regex for excluded paths

AWS Permissions needed

Add the AmazonECS_FullAccess policy to get access to all the necessary permissions.

ActionResourcePurpose
ec2:DescribeRegions*Find the list of AWS regions you have enabled. (If not present, defaults to a precompiled list.)
ecs:ListClusters*Find the available ECS clusters.
ecs:DescribeClusters, or restricted to account like arn:aws:ecs:::cluster/*Look up the names of the available ECS clusters.
ecs:ListTaskDefinitionFamilies*Find the available task definitions.
ecs:DescribeTaskDefinition*Read the existing task definition in order to copy it.
ecs:RegisterTaskDefinition*Write a new version of the task definition.
ecs:ListServices*Find the available services.
ecs:DescribeServices*, or restricted to your account, or restricted to the cluster you selectedIdentify which services are using the task definition you selected.
ecs:UpdateService*, or restricted to your account, or restricted to the cluster you selectedUpdate and restart the service using the new task definition.
ecs:TagResource*, or restricted to your account, or restricted to the cluster you selectedMark the service as having been updated by Levoai.