The Terraform configuration in this article deploys Cequence Defender in an AWS environment using Amazon Elastic Container Service (ECS) and launches it using Fargate. This setup supports a static upstream configuration with an existing VPC, a Network Load Balancer, EC2-backed capacity, and AWS Secrets Manager.
Terraform provisioning
The Terraform configuration provided in this article provisions the following aspects.
- AWS Infrastructure: VPC, subnets, security groups, and networking components (optional).
- ECS Cluster: Runs the Cequence Defender application using an EC2 instance.
- Load Balancer: Network Load Balancer (NLB) with optional TLS termination.
- Auto Scaling: Configurable scaling for ECS tasks and EC2 instances, if applicable.
- Security: IAM roles, security groups, and Secrets Manager integration.
Prerequisites
Confirm that your environment meets these prerequisites before you begin the procedure.
Tools
- Terraform: Version 1.5.0 or later. Install from terraform.io/downloads.
- AWS CLI: Version 2.x. Install from AWS CLI documentation and configure with aws configure.
- Docker: Required for pulling and pushing container images. Install from docker.com.
AWS account configuration
- AWS Credentials: An IAM user or role with permissions for the following services.
- EC2
- ECS
- ECR
- VPC
- IAM
- S3
- ACM
- Secrets Manager
- CloudWatch Logs
- Auto Scaling
- Configure credentials using the AWS CLI or environment variables.
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- ECR Repository: A customer-specific ECR repository, in the form <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/defender:latest. Replace <ACCOUNT_ID> and <REGION> with values appropriate to your use case.
- Secrets Manager (Optional): When you use AWS secrets, confirm that the secrets manager contains valid Client ID and Client Secret values.
Cequence Defender image
- Registry Access: Confirm that your Cequence team has provided credentials for the Defender image registry.
- Version: This article uses the 5.5.1 release of Cequence Defender.
Preparing the Cequence Defender image
- Download the configuration compressed archive package.
The compressed archive package name is defender-ecs-tf.tar.gz.
- Run the following commands to extract the compressed archive and navigate to the directory that contains the contents.
tar -xzf defender-ecs-tf.tar.gz
cd defender-ecs-tf
- Run the following commands to set up environment variables for later use. Replace <AWS account ID> with your actual AWS account ID and <REGION> with your AWS region.
export DEFENDER_VERSION=latest
export CUSTOMER_REGISTRY=<AWS account ID>.dkr.ecr.<REGION>.amazonaws.com
export REPO_NAME=defender
- Run the following commands to log in to the Cequence image registry and to ECR.
docker login registry.gitlab.com -u <username> -p <password>
aws ecr get-login-password --region <aws-region> | docker login --username AWS --password-stdin ${CUSTOMER_REGISTRY}
- Run the following commands to pull, tag, and push the Cequence Defender image.
docker pull registry.gitlab.com/cequence/releases/defender:${DEFENDER_VERSION}
docker tag registry.gitlab.com/cequence/releases/defender:${DEFENDER_VERSION} ${CUSTOMER_REGISTRY}/${REPO_NAME}:${DEFENDER_VERSION}
docker push ${CUSTOMER_REGISTRY}/${REPO_NAME}:${DEFENDER_VERSION}
Generating a client ID and a client secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization and <domain> with your domain name.
- Select General Settings > User Management.
The User Management pane appears.
- Click the Clients tab.
- Click Add New Client.
The new client dialog box appears.
- Type the client name in the Client Name field.
This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close.
The client is now set up and the client list appears. Note the client name for future use.
- Note the value of the client secret for later use.
For security reasons, the UI does not show this value again.
Installing with Terraform
- Run the following command to make a copy of the example terraform.tfvars.example file.
cp terraform.tfvars.example terraform.tfvars
- Edit the terraform.tfvars file to add values particular to your use case.
- aws_region: Your AWS region.
- ecr_repository: Your ECR repository URI, in the form ${CUSTOMER_REGISTRY}/defender:5.5.1
- project_name, uap_sub_domain: Your project and subdomain details.
- use_existing_vpc: Set to true, then provide values for existing_vpc_id, ecs_subnet_ids, and lb_subnet_ids.
- acm_certificate_arns: Provide a list of Amazon Resource Names (ARNs). ACM certificate ARNs are typically in the format arn:aws:acm:<region>:<accountID>:certificate/<certificateID>.
- use_aws_secret: Set to true when you use AWS Secrets Manager. Confirm that the secret contains key/value pairs for the ClientId and ClientSecret keys.
- client_id, client_secret or secret_name: Set these values when you are not using AWS Secrets Manager.
- upstream_server: Set the value of this variable to the address of your upstream server. This value is required when the value of the upstream_config_type variable is static, as it is in this case.
For a complete reference, see terraform.tfvars.example.
- Run the following commands to initialize Terraform, create a plan, and apply it.
terraform init
terraform plan -out=tfplan
terraform apply tfplan
- Perform the following checks to confirm the deployment.
- Check the lb_endpoint output for the load balancer DNS name.
- Verify that the cluster tasks are running in the AWS Management Console under ECS > Clusters.
- When enable_logging is set to true, check CloudWatch Logs at /ecs/<app_name>-<random_id>.
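A pre-flight check for the terraform.tfvars values described in the installation steps above, added here as an example and not part of the Cequence package: it parses the flat key = value subset of HCL that terraform.tfvars uses (quoted strings, true/false, lists of strings; no numbers or blocks) and reports the dependencies between variables (existing VPC ids, inline credentials versus secret_name, a static upstream, and acm_certificate_arns being a list of ACM-shaped ARNs). The sample tfvars and the ARN pattern are constructed, and treating client_id/client_secret as required only when neither use_aws_secret nor secret_name is set is my reading of the list above.

```python
import re
# Loose shape of an ACM certificate ARN, following the pattern the article gives.
ACM_ARN_RE = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+$")
# Constructed sample with two mistakes: upstream_config_type is static but
# upstream_server is missing, and acm_certificate_arns is a string, not a list.
SAMPLE_TFVARS = """
use_existing_vpc     = true
existing_vpc_id      = "vpc-0123456789abcdef0"
ecs_subnet_ids       = ["subnet-0aaa", "subnet-0bbb"]
lb_subnet_ids        = ["subnet-0ccc"]
client_id            = "defender-ecs"
client_secret        = "placeholder-secret"
upstream_config_type = "static"
acm_certificate_arns = "arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234"
"""
def parse_tfvars(text):
    """Parse the flat key = value subset of HCL: quoted strings, true/false, string lists."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value in ("true", "false"):
            out[key] = value == "true"
        elif value.startswith("["):
            out[key] = re.findall(r'"([^"]*)"', value)
        elif value[:1] == value[-1:] == '"':
            out[key] = value[1:-1]
        else:
            raise ValueError(f"unsupported value for {key}: {value!r}")
    return out

def check_tfvars(v):
    """Return the list of rule violations; an empty list means the file is consistent."""
    problems = []
    need = lambda *ks: problems.extend(f"{k} must be set" for k in ks if not v.get(k))
    if v.get("use_existing_vpc"):  # an existing VPC must be identified fully
        need("existing_vpc_id", "ecs_subnet_ids", "lb_subnet_ids")
    if not v.get("use_aws_secret") and not v.get("secret_name"):  # inline credentials
        need("client_id", "client_secret")
    if v.get("upstream_config_type") == "static":  # a static upstream needs an address
        need("upstream_server")
    arns = v.get("acm_certificate_arns", [])
    if not isinstance(arns, list):
        problems.append("acm_certificate_arns must be a list of ARNs")
    else:
        problems.extend(f"malformed ACM ARN: {a}" for a in arns if not ACM_ARN_RE.match(a))
    return problems
```

Run it against your own file with check_tfvars(parse_tfvars(open("terraform.tfvars").read())) before terraform plan; an empty list means the variable dependencies are satisfied.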
Configure EC2 with Secrets Manager
Set the following variables in terraform.tfvars for this configuration.
aws_region = "<REGION>"
use_existing_vpc = true
existing_vpc_id = "<vpc>"
ecs_subnet_ids = ["<subnets>"]
lb_subnet_ids = ["<subnets>"]
app_name = "defender"
project_name = "my-project"
uap_sub_domain = "<Desired_domain>"
ecr_repository = "${CUSTOMER_REGISTRY}/defender:latest"
upstream_config_type = "s3-v2"
use_existing_bucket = false
new_bucket_name = "my-defender-config"
new_bucket_prefix = "config"
cdn_app_map_file_path = "./cdn_app_map.json"
lb_type = "application"
enable_logging = true
acm_certificate_arns = ["<certificate ARN>"]
Cleanup
Run the following command to clean up all resources.
terraform destroy
Confirm at the prompt.