Sysdig Offers a Real-Time Security Look into AWS’ Fargate Serverless Containers

Amazon Web Services’ Fargate is a very popular serverless compute engine for containers. In part that’s because it hides the complexities of running containers on either Amazon Elastic Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS): Fargate lets you run containers without managing the EC2 hosts that make up the cluster or the container engine powering them. That’s the good news.
The bad news is that the same abstraction blinds you. With no host to log into, you cannot install a kernel-level agent, read host logs, or capture what a process inside a task actually does, so you have very little visibility into the security underneath your containers. That’s where Sysdig’s new runtime security detection and response service for AWS Fargate comes in.
This is not a small thing. As Jacob Williams, founder and president, Rendition InfoSec, and SANS Institute Instructor, said in a statement, “Without threat detection and access to detailed audit trails for investigations, companies have no way of knowing what exactly is going on and who is accessing their data.”
This new addition to Sysdig Secure DevOps Software-as-a-Service (SaaS) Platform provides runtime security detection and response for Fargate. It also gives sysadmins and security staff detailed audit logs so they can track and respond to incidents.
The company announced the new technology last week at KubeCon + CloudNativeCon EU 2021.
It also comes with what Sysdig claims is the first file integrity monitoring (FIM) capability for Fargate. FIM is not optional if those containers handle cardholder data in scope for the Payment Card Industry Data Security Standard (PCI DSS), which requires a change-detection mechanism that alerts on unauthorized modification of critical system, configuration and content files (Requirement 11.5 in PCI DSS v3.2.1). Put it all together and you get a unified view across Fargate, ECS, and EKS, so you can spot misconfigurations, vulnerabilities, and runtime threats.
Specifically, Sysdig provides deep runtime visibility for AWS Fargate using Linux syscall data. Because it watches at the system-call layer rather than instrumenting the application, the approach works regardless of what language your applications are written in. C, Go, Rust, Java, whatever, it doesn’t matter: every process has to open files, spawn children and make network connections through the same kernel interface. One caveat a practitioner should keep in mind: Fargate does not allow privileged tasks, so the kernel module and eBPF probe that Falco uses on ordinary hosts cannot be loaded there; the Fargate agent has to collect syscall data from inside the task instead, which is the part Sysdig built with AWS.
Next, incident response for Fargate depends on having detailed audit trails and forensics data. It therefore matters that Sysdig captures and records Fargate activity and correlates it with AWS account data (such as CloudTrail) and Kubernetes metadata. You can use this record to reconstruct what happened and take action, and it doubles as evidence of compliance for audit requirements.
Finally, the service provides a unified view across Fargate, ECS, EKS and the surrounding AWS account, which lets you follow an entire attack chain rather than isolated events. To protect your workloads, it identifies potential image vulnerabilities, suspicious file activity, misconfigurations, and suspicious configuration changes, such as deleting CloudTrail logs or changing access rights to sensitive data. You can also classify incidents by severity level and track the activity of specific users.
All this functionality is built on Sysdig’s open-source runtime security program Falco. This Cloud Native Computing Foundation (CNCF) project has become the de facto threat detection engine for Kubernetes. It “sees” threats by tapping system calls with either its kernel module (originally the sysdig kernel module) or its extended BPF (eBPF) probe. Earlier in 2021 Sysdig contributed the kernel module, the eBPF probe and the supporting libraries to the CNCF as part of Falco.
Falco works by evaluating the stream of system calls captured at the Linux kernel layer against a set of rules that describe anomalous activity in applications. It enriches every event with container runtime and Kubernetes metadata (image, container ID, pod, namespace), so an alert names the workload that misbehaved rather than just a PID. In its commercial version, Sysdig has worked with AWS to extend that coverage to AWS Fargate containers.
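To make the file integrity monitoring and syscall-based detection described above concrete, here is a small Falco rules file that alerts when a process inside a container writes under /etc or into a system binary directory. This is an added example written for this article; it is neither Sysdig’s shipped ruleset nor part of Falco’s default rules. The protected paths, the allow-list of processes that may legitimately write config at startup, and the rule names are assumptions chosen for a typical immutable application image.

```yaml
# Added example for this article, not Sysdig's or Falco's own ruleset.
# Paths, allow-listed process names and rule names are assumptions.

# An open()/openat()/creat() that asks for write access on a regular file.
- macro: open_write
  condition: >
    (evt.type in (open, openat, openat2, creat)
     and evt.is_open_write=true
     and fd.typechar='f'
     and fd.num>=0)

# Only look at processes running inside a container, never on the host.
- macro: in_container
  condition: container.id != host

# Directories that must not change once the image is running (assumed).
- list: fim_binary_dirs
  items: [/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin]

# Processes allowed to rewrite config at startup (assumed names).
- list: fim_allowed_writers
  items: [entrypoint.sh, envsubst]

- rule: FIM write below etc in container
  desc: A process in a container opened a file under /etc for writing.
  condition: >
    open_write and in_container
    and fd.name startswith /etc
    and not proc.name in (fim_allowed_writers)
  output: >
    File under /etc opened for writing in a container
    (user=%user.name command=%proc.cmdline file=%fd.name
     parent=%proc.pname container_id=%container.id
     image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: ERROR
  tags: [filesystem, fim, mitre_persistence]

- rule: FIM write below binary dir in container
  desc: A process in a container wrote into a system binary directory.
  condition: >
    open_write and in_container
    and fd.directory in (fim_binary_dirs)
  output: >
    Binary directory modified in a container
    (user=%user.name command=%proc.cmdline file=%fd.name
     parent=%proc.pname container_id=%container.id
     image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [filesystem, fim, mitre_persistence]
```

On a normal host you can load this with `falco -r fim_rules.yaml` and trigger it with something like `docker exec <container> touch /etc/evil`; `falco -r fim_rules.yaml -L` lists the parsed rules without running them, which is a cheap syntax check. The design choice worth noting is that the rules key on the syscall and the file descriptor, not on the application: a Go binary, a Python script and a shell one-liner all produce the same `openat` event, which is why the language of the workload does not matter. The `%container.*` and `%k8s.*` output fields are the enrichment the article refers to; without them an alert from a Fargate task would carry only a PID and a path, which is useless once the task has been replaced.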
Fernando Zandona, AWS’s General Manager, Serverless Containers, explained, “open-source Falco has strong momentum and with its syscall approach, it’s designed to provide comprehensive AWS Fargate threat detection. We have worked with Sysdig on this integration with the ultimate goal of giving AWS Fargate users deeper visibility to manage risk.”
In short, AWS thinks Sysdig Secure DevOps is pretty good.