Qualys Container Security can be used to secure AWS Fargate. AWS Fargate is a serverless compute engine for containers that works with Amazon Elastic Container Service (ECS). This feature allows you to know the containers running on AWS Fargate, perform vulnerability and compliance scanning on container images launched by Amazon Fargate tasks (ECS), and view the findings to take remediation actions.
Since AWS Fargate is serverless, the solution launches sensor whenever the new Fargate task is being deployed. We will use AWS CloudFormation and a Qualys Lambda function to trigger scanning automatically. You’ll configure a CloudFormation template with your subscription details and a Qualys Lambda function with the Qualys S3 bucket name & S3 bucket key to trigger image scanning of images pulled from Amazon Elastic Container Registry (ECR).
We support scanning Docker images pulled from Amazon Elastic Container Registry (Amazon ECR) with x86_64 architecture.
When an AWS ECS Fargate task is launched, the AWS EventBridge rule created during Qualys deployment consumes the event. The EventBridge rule is set in such a way that it triggers the Qualys scanning Lambda function. The Qualys Lambda function then processes the event received from EventBridge to decide on image scanning. The Qualys Lambda function launches the AWS CodeBuild to run the Qualys sensor, which pulls the image from Amazon ECR and then performs the vulnerability and compliance scan on the image. After a successful image scan, image metadata gets uploaded to the Qualys Cloud Platform for evaluation, and users can view details from the Container Security UI and API.
Go to the Serverless tab in the Configurations section. From here, click the Show Instructions button to open the Qualys Container Security Sensor Deployment Guide for configuration steps. After you complete the one-time configuration, all images deployed from Amazon ECS tasks in AWS Fargate will be scanned automatically and the results will be uploaded to your account.
You’ll see images listed on the Assets > Images list. To find images that were part of your AWS ECS Fargate task, use the following QQL query.
source: SERVERLESS_FARGATE
Like with other images, you can drill-down into image details by selecting View Details from the Quick Actions menu.
You’ll see containers listed on the Assets > Containers list. To find AWS Fargate containers, use the following QQL query.
source: SERVERLESS_FARGATE
Click View Details from the Quick Actions menu to drill-down into container details and you'll see a section with AWS Fargate information.
Go to Configurations > Sensors and use the QQL query below to find sensors for AWS Fargate.
sensorType: SERVERLESS_FARGATE
Like with other sensors, you can drill-down into sensor details by selecting View Details from the Quick Actions menu.