You can utilize Alert Logic® to support containerized workloads in Amazon Web Services (AWS) by deploying the Alert Logic Agent Container. One Agent Container can be deployed per host in parallel to other containers on AWS instances to allow network traffic to be collected for inspection by Alert Logic Threat Manager™.
In the past, customers were directed to use the Alert Logic Universal Agent to protect AWS instances that were running containers. With the Agent Container, this is no longer required. The Agent Container collects traffic from both containers and the base instance without installing the host agent.
The Agent Container image is hosted on the official Docker Hub site, which also lists the pull command required to obtain the image on your desired AWS instance. The specific pull command is: docker pull alertlogic/al-agent-container
To run the Agent Container, your environment must meet the following requirements:
- It must be within AWS. Note: Support for Microsoft Azure is scheduled for late 2018.
- It must use one or more of these platforms:
  - Amazon Elastic Container Service (ECS)
- It must have the ability for the container to run in privileged mode, which is required to collect network traffic. Note: Some multi-tenant services, such as AWS Fargate, do not allow containers to run in privileged mode.
Agent Container Configuration Details
The Alert Logic GitHub repository contains definitions for Docker, Kubernetes, and ECS, as well as configuration information about the Agent Container that will help you deploy it efficiently.
How the Agent Container Works
Once the Agent Container is built and configured on the target AWS instance, it becomes part of the namespace within the containerized deployment. The Agent Container collects network traffic by binding to the docker0 bridge, which carries all container-relevant network traffic on the host. The Agent Container also polls the Docker API, which exposes all container metadata at the Docker layer, as well as metadata from additional orchestration tools, such as Kubernetes.
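To illustrate the metadata side of this design, the following added example (not Alert Logic's code) polls the Docker Engine API over its Unix socket and builds a table that maps each container IP address to the container's name and image, which is the kind of lookup needed to attribute traffic seen on the docker0 bridge to a specific container. The socket path, the /containers/json endpoint and the sample reply are assumptions based on the public Docker Engine API; if no socket is available, the script falls back to the constructed sample.

```python
import http.client
import json
import socket

DOCKER_SOCK = "/var/run/docker.sock"  # default Docker Engine API socket (assumed)


class UnixHTTPConnection(http.client.HTTPConnection):
    """Plain HTTP over the Docker Unix socket; no TCP listener is needed."""

    def __init__(self, path):
        super().__init__("localhost")
        self.sock_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


def list_containers(sock_path=DOCKER_SOCK):
    """Poll GET /containers/json, the call that returns per-container metadata."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", "/containers/json")
    return json.loads(conn.getresponse().read())


def ip_to_container(containers):
    """Map each container IP (per attached network) to name, image and short id.
    Containers without an IP on any network (e.g. host networking) are skipped."""
    table = {}
    for c in containers:
        name = c["Names"][0].lstrip("/") if c.get("Names") else c["Id"][:12]
        networks = c.get("NetworkSettings", {}).get("Networks", {})
        for net, cfg in networks.items():
            ip = cfg.get("IPAddress")
            if ip:  # empty string means no address on this network
                table[ip] = {"name": name, "image": c.get("Image"),
                             "network": net, "id": c["Id"][:12]}
    return table


# Constructed sample shaped like a /containers/json reply; not real data.
SAMPLE = [
    {"Id": "a1b2c3d4e5f60000", "Names": ["/web"], "Image": "nginx:1.25",
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Id": "f6e5d4c3b2a10000", "Names": ["/metrics"], "Image": "busybox",
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
]

if __name__ == "__main__":
    try:
        containers = list_containers()
    except OSError:  # no Docker socket here: use the constructed sample
        containers = SAMPLE
    for ip, meta in ip_to_container(containers).items():
        print(ip, meta)
```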
Once the Agent Container has collected the network traffic from the parallel containers, the rest of the data workflow is unchanged. The Agent Container sends the collected network traffic to a local Threat Manager appliance in the same VPC, unless otherwise configured. The IDS application analyzes the collected traffic and generates events for anything that is deemed suspicious or malicious. These events are then sent from the appliance to the Alert Logic backend so that incidents can be generated, if necessary.