
Making debugging easier on Fargate

What is Fargate?

Fargate was launched by AWS in 2017. It is a serverless compute engine that deploys and runs containers without the need to manage servers or clusters of virtual machines. By eliminating the need to manage additional infrastructure, Fargate helps Ops teams and developers focus on what they do best: developing and deploying application code.

Threat Stack gives visibility into Fargate workloads by looking for malevolent processes and network activity, guarding against threats like data exfiltration. For example, it enables monitoring of both East-West and North-South netflows. Here is a comprehensive look at the detections that Threat Stack offers for Fargate.

Debugging Fargate

One challenge with deploying workloads on Fargate has been the lack of tooling to debug a running Fargate task in real time. Questions on how to debug running Fargate tasks, or how to do the equivalent of `docker exec` into a Fargate container, have been frequent (example: here and here).

AWS is launching a new “Amazon ECS Exec” feature today that addresses these debugging challenges. The “ECS Exec” feature mirrors “docker exec” functionality in ECS containers and tasks running on Fargate and EC2, and provides additional tooling to help quickly debug container workloads. “ECS Exec” also makes it simple to collect stats, look at configurations, running processes and logs inside the ECS container running either on Fargate or EC2.

Here’s a preview of how to get started with this feature.

1. Update your existing Fargate cluster with the `configuration` flag:

```shell
aws ecs update-cluster \
    --cluster my-fargate-cluster \
    --configuration executeCommandConfiguration="{logging=OVERRIDE,logConfiguration={cloudWatchLogGroupName=myfargate-logging,s3BucketName=myfargate-logging,s3KeyPrefix=myfargate}}"
```

2. Run your Fargate task with the `enable-execute-command` flag:

```shell
aws ecs run-task \
    --cluster my-fargate-cluster \
    --task-definition my-fargate-taskdefinition \
    --enable-execute-command \
    --launch-type FARGATE \
    --platform-version '1.4.0'
```

3. Now exec into your running Fargate task with this simple command:

```shell
aws ecs execute-command \
    --cluster my-fargate-cluster \
    --task $TASKID \
    --container sample-app \
    --command "/bin/sh" \
    --interactive
```

At this point you now have an interactive shell that allows you to dive into logs, running processes, etc. Here is a link to the AWS documentation that dives into detail about setting up prerequisites like VPCs, IAM policies, aws-cli, connection encryption options, etc.
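Before step 3 works, the task must have been started with `--enable-execute-command` and the `ExecuteCommandAgent` managed agent must be running in every container you want to exec into. The check below is an added example (not code from the original post or from AWS); it reads the JSON that `aws ecs describe-tasks` prints and reports whether the task is ready. The field names (`enableExecuteCommand`, `platformVersion`, `containers[].managedAgents[]`) follow the ECS DescribeTasks response; the sample document embedded here is constructed for illustration.

```python
"""Report ECS Exec readiness from `aws ecs describe-tasks` output (added example)."""
import json
import sys

AGENT_NAME = "ExecuteCommandAgent"

# Constructed sample: one Fargate task with the agent running in the app
# container and missing in a sidecar (field layout follows DescribeTasks).
SAMPLE_DESCRIBE_TASKS = json.dumps({
    "tasks": [{
        "taskArn": "arn:aws:ecs:us-east-1:111122223333:task/my-fargate-cluster/EXAMPLE-TASK-ID",
        "enableExecuteCommand": True,
        "platformVersion": "1.4.0",
        "containers": [
            {"name": "sample-app",
             "managedAgents": [{"name": AGENT_NAME, "lastStatus": "RUNNING"}]},
            {"name": "sidecar", "managedAgents": []},
        ],
    }]
})


def exec_readiness(describe_tasks_json: str) -> dict:
    """Summarise ECS Exec readiness for the first task in a DescribeTasks document.

    Returns a dict with the task-level flag, the platform version, a per-container
    agent status and an overall `ready` verdict (flag set AND agent RUNNING everywhere).
    """
    tasks = json.loads(describe_tasks_json).get("tasks") or []
    if not tasks:
        return {"ready": False, "reason": "no task found"}
    task = tasks[0]
    enabled = bool(task.get("enableExecuteCommand"))
    containers = {}
    for container in task.get("containers", []):
        agent = next((a for a in container.get("managedAgents", [])
                      if a.get("name") == AGENT_NAME), None)
        containers[container["name"]] = agent["lastStatus"] if agent else "agent missing"
    ready = enabled and bool(containers) and all(s == "RUNNING" for s in containers.values())
    return {
        "enableExecuteCommand": enabled,
        "platformVersion": task.get("platformVersion"),
        "containers": containers,
        "ready": ready,
    }


if __name__ == "__main__":
    # Usage: aws ecs describe-tasks --cluster my-fargate-cluster --tasks "$TASKID" | python3 exec_ready.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_TASKS
    print(json.dumps(exec_readiness(data), indent=2))
```

A task that was already running before the flag was set will report `enableExecuteCommand: false`; the flag cannot be added to a live task, so the task has to be relaunched as in step 2.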

ECS Exec will certainly be a powerful tool to inspect container workloads on ECS. However, as with any privileged user activity in containers, it should be monitored to ensure it is being used according to security best practices and doesn’t increase the threat surface.
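One place that monitoring can start is CloudTrail: every `aws ecs execute-command` call is recorded as an `ExecuteCommand` event from `ecs.amazonaws.com`. The script below is an added example, not Threat Stack's agent or code from the original post. It scans CloudTrail records, keeps only ECS Exec calls, and rates each one: any call by a principal outside an allow-list is high severity, an interactive shell by an allowed principal is medium, and anything else is low. The allow-list and the three sample records are constructed; the `requestParameters` keys (`cluster`, `task`, `container`, `command`, `interactive`) mirror the ExecuteCommand API request and are assumed to appear in the record as shown.

```python
"""Rate ECS Exec (`ExecuteCommand`) calls found in CloudTrail records (added example)."""
from typing import Dict, List

SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash"}

# Constructed allow-list: the break-glass role that is expected to use ECS Exec.
ALLOWED_PRINCIPALS = ["arn:aws:sts::111122223333:assumed-role/ecs-exec-breakglass/oncall"]

# Constructed sample CloudTrail records, trimmed to the fields the scan uses.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-15T10:02:11Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "ExecuteCommand", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": ALLOWED_PRINCIPALS[0]},
     "requestParameters": {"cluster": "my-fargate-cluster", "task": "EXAMPLE-TASK-ID",
                           "container": "sample-app", "command": "/bin/sh", "interactive": True}},
    {"eventTime": "2021-03-15T10:05:40Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "ExecuteCommand", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"cluster": "my-fargate-cluster", "task": "EXAMPLE-TASK-ID",
                           "container": "sample-app", "command": "ps aux", "interactive": False}},
    {"eventTime": "2021-03-15T10:06:02Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "RunTask", "userIdentity": {"arn": ALLOWED_PRINCIPALS[0]},
     "requestParameters": {"cluster": "my-fargate-cluster"}},
]


def is_ecs_exec(event: Dict) -> bool:
    """True for the CloudTrail record written by an ECS Exec API call."""
    return (event.get("eventSource") == "ecs.amazonaws.com"
            and event.get("eventName") == "ExecuteCommand")


def classify(event: Dict, allowed_principals: List[str]) -> Dict:
    """Build a finding for one ExecuteCommand record with a severity and the reasons for it."""
    params = event.get("requestParameters") or {}
    principal = (event.get("userIdentity") or {}).get("arn", "unknown")
    command = params.get("command", "")
    first_word = (command.split() or [""])[0]
    reasons = []
    if principal not in allowed_principals:
        reasons.append("principal not on ECS Exec allow-list")
    if params.get("interactive") and first_word in SHELLS:
        reasons.append("interactive shell opened in container")
    if "principal not on ECS Exec allow-list" in reasons:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "low"
    return {
        "time": event.get("eventTime"),
        "principal": principal,
        "source_ip": event.get("sourceIPAddress"),
        "cluster": params.get("cluster"),
        "task": params.get("task"),
        "container": params.get("container"),
        "command": command,
        "severity": severity,
        "reasons": reasons,
    }


def scan(events: List[Dict], allowed_principals: List[str]) -> List[Dict]:
    """Return one finding per ECS Exec record; other API calls are ignored."""
    return [classify(e, allowed_principals) for e in events if is_ecs_exec(e)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, ALLOWED_PRINCIPALS):
        print(f"[{finding['severity']}] {finding['time']} {finding['principal']} "
              f"-> {finding['cluster']}/{finding['container']}: {finding['command']} {finding['reasons']}")
```

CloudTrail only records the API call, not what happens inside the session; the command history of an interactive shell lives in the CloudWatch log group or S3 bucket configured with `logging=OVERRIDE` in step 1, so a finding from this scan is the pointer into those session logs, not the whole story.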

Next Steps

AWS and Threat Stack worked closely together in the development of our Fargate monitoring solution. Since then, we’ve had an opportunity to trial this new feature and test it prior to its release. 

In the example below, we show how the Threat Stack agent for Fargate is able to detect a process enabled by the ECS Exec feature. 

Threat Stack can also provide detail about the interactive session that was invoked, allowing for further investigation.

What’s more, we are currently working on a series of additional optimizations in the Fargate agent that will bring added visibility into process activity and network requests initiated via the ECS Exec feature. 

Stay tuned for this upcoming release, and learn more about Threat Stack's Container Security Monitoring for AWS Fargate here.