Sysdig announced automated inline image scanning for AWS Fargate containers, directly in Amazon Elastic Container Registry (ECR). Sysdig is the first container and Kubernetes security platform to offer inline scanning for Fargate, which doesn’t require customers to share images or registry credentials outside of their Amazon Web Services (AWS) environment.
Sysdig also announced the addition of threat detection using AWS CloudTrail with Falco, the runtime security tool created by Sysdig, and now a CNCF project. The announcement today focuses on closing the visibility and security gap for organizations running on AWS, including in serverless environments like Fargate.
The Sysdig Secure DevOps Platform is based on open source technologies. By marrying rich data with context, Sysdig provides deep visibility to organizations looking to embed security, validate compliance, and maximize availability across their entire infrastructure. The Fargate and CloudTrail integrations are available to current and new Sysdig customers today.
The challenge of securing AWS workloads
The ultimate goal of moving to the cloud is to innovate faster. Fargate is a managed container environment from AWS that helps run serverless containers at scale. Today, AWS customers launch tens of millions of containers on Fargate each week.
It enables organizations to run applications in Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) without having to spend time managing the underlying infrastructure; however, security and visibility are a challenge.
A best practice in AWS container and Kubernetes-based environments is to scan images directly within registries and CI/CD pipelines. Image scanning manages risk by detecting vulnerabilities and misconfigurations during both development and production.
Most third-party security solutions are unable to scan inside the AWS environment and require sharing image and registry credentials outside of AWS, increasing the risk.
Another challenge in cloud-based, containerized environments is that data collected across infrastructure and managed services is often viewed in different tools. Providing correlation and a consistent view and reporting experience improves efficiency. This provides insights that ultimately enhance security and performance.
Cloud and operations teams need to be able to implement a secure DevOps approach that allows them to efficiently gain insights and take actions to reduce risk and ensure compliance, performance, and availability.
Closing the visibility and security gap
The first Fargate inline scanning increases visibility and reduces risk – By extending the Amazon ECR integration to listen for Fargate tasks, Sysdig triggers automated scans directly within Amazon ECR. With this unique inline scanning approach, registry credentials and image contents are not shared outside of the AWS environment. This enables DevOps teams to stay in control over images since they are not sent to a backend or exposed to a staging repository, rather only the scanning results are sent to the Sysdig backend.
Automated and faster CloudTrail threat detection with Falco – CloudTrail provides event history of AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This data can be helpful in understanding unusual activity in AWS Cloud environments, including security events. Inspection of CloudTrail logs, however, has been a manual process up to this point, forcing cloud teams to monitor the AWS console to identify issues.
With this announcement, Sysdig introduces integration with AWS CloudTrail by extending the Falco engine to ingest CloudTrail logs. Users can now detect threats across containers, hosts, Kubernetes, and AWS services using a single-policy interface. As an open source project, Falco brings a community-driven mindset and a flexible and unique approach to setting policies for securing AWS environments.
With more than 50 out-of-the-box Falco rules being added over the next month, it is easy for organizations to implement best practices with policies that automatically detect unusual access rights with changes to IAM policies, publicly exposed accounts and services, unauthorized access, and other anomalies.
Providing a commercial interface for Falco is unique to Sysdig, which provides enterprise-grade threat detection support based on open source standards and community-driven Falco rules. Being able to manage threat detection rules as policy as code is also a benefit to Sysdig customers.
Fargate and Lambda monitoring – In addition to providing security for AWS Fargate, Sysdig also adds monitoring for core AWS services, such as Fargate and AWS Lambda, in addition to already offered ECS and EKS monitoring.
With native support for Prometheus from Sysdig, DevOps teams can monitor AWS cloud services and serverless entities, along with their Kubernetes environments. Having access to correlated data on performance, health, and availability issues saves teams time and arms teams to make better-informed decisions.
Sysdig can then show information about workloads running in Fargate and functions running in Lambda alongside container, Kubernetes, and services metrics. Curated Prometheus exporters, dashboards templates, and documentation for Fargate and Lambda can be found on PromCat.io, an open source repository of Prometheus integrations maintained by Sysdig as a community resource.
“When using the public cloud, there is a shared security responsibility model, where the customer is responsible for securing its data. Our goal is to close the visibility and security gap as cloud teams move critical applications to production,” said Suresh Vasudevan, chief executive officer at Sysdig.
“Adding inline Fargate scanning and automated CloudTrail support is the latest step in our vision of providing a single platform to support a secure DevOps workflow, as they accelerate application delivery.”
A SaaS-first approach to secure DevOps
The Sysdig Secure DevOps Platform provides organizations a SaaS-first platform to address the most critical security, compliance, and monitoring functions, allowing teams to ship cloud applications faster.
The Sysdig platform delivers image scanning, Kubernetes and container monitoring, application and cloud service monitoring, runtime security, compliance, threat detection and prevention, incident response, and forensics at scale.
With ContainerVision, Sysdig collects and correlates granular data from infrastructure, services, and applications. Sysdig then contextualizes that with Kubernetes and AWS service data, using Sysdig ServiceVision, to provide a consistent, single view of the entire infrastructure.
Without a macro view of the environment, it is difficult to anticipate issues with microservices that have cross-platform dependencies. With the information, ImageVision then identifies and prevents images with vulnerabilities or misconfigurations from being shipped. In the event of an issue, having system-wide visibility can facilitate quicker resolutions.
Sysdig continues to collaborate with AWS on providing the deepest visibility and security within AWS environments.
Earlier this month, Sysdig announced that it was a launch partner for AWS Outposts, a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a consistent hybrid experience.
With early access to Fargate 1.19, the Sysdig team worked on a series of Falco optimizations that were released in April.