You can utilize Alert Logic® to support containerized workloads in Amazon Web Services (AWS) by deploying the Alert Logic Agent Container. One Agent Container can be deployed per host in parallel to other containers on AWS instances to allow network traffic to be collected for inspection by Alert Logic Threat Manager™.
While Alert Logic's Protected Host agent is still required to protect traditional EC2 instances, this is not the case with containerized workloads. The Agent Container collects traffic from both containers and the base instance without installing the host agent.
Access to the Agent Container image is located on the official Docker Hub site. The Docker Hub site contains the pull command required to build the Agent Container on your desired AWS instance. The specific pull command is: docker pull alertlogic/al-agent-container
To run the Agent Container on an AWS deployment, your environment must meet the following requirements:
- It must be within AWS. Note: See the Improved Agent Container Security and Container Support Availability knowledge base articles for details on other deployment environments.
- It must use one or more of these platforms:
- Amazon Elastic Container Service
- Amazon Beanstalk Multicontainer Docker Environments
- Amazon Elastic Kubernetes Service
- Docker Swarm
- This is deployed as a standalone container, not a Swarm service.
- It must have the ability for the container to run in privileged mode, which is required to collect network traffic. Note: Some multi-tenant services, such as AWS Fargate, do not allow containers to run in privileged mode.
Agent Container Configuration Details
The Alert Logic GitHub repository contains definitions for Docker, Kubernetes, and ECS, as well as configuration information about the Agent Container that will help you deploy it efficiently.
How the Agent Container Works
Once the Agent Container is built and configured on the target AWS instance, it becomes part of the namespace within the containerized deployment. The Agent Container collects network traffic by binding to the Docker0 bridge that consolidates all container-relevant network traffic. The Agent Container will also poll the Docker API, which contains all container metadata at the Docker layer, as well as the metadata from additional orchestration tools, such as Kubernetes.
Once the Agent Container collects the network traffic from the parallel containers, the rest of the data workflow operates as it does today. The Agent Container sends the collected network traffic to a local Threat Manager appliance in the same VPC, unless otherwise configured. The IDS application analyzes the collected traffic and generates events for anything that deemed suspicious or malicious. These events are then sent from the appliance to the Alert Logic backend so that incidents can be generated, if necessary.
Container-Generated Incidents in the Alert Logic Console
Note: Network IDS, Log Management, and Web Application IDS customers deployed after August 7, 2018, and Alert Logic Cloud Insight™ customers with Amazon GuardDuty enabled, have access to the enhanced Incident Console and its features. This section currently only applies to these customers.
You can view container metadata on incidents that have been generated with your environment scope. In the Incidents Console, under Incidents > List > the specific incident, you'll see a topology view of your environment with the host and container that are affected by the incident highlighted in red. Click on the affected container and a side panel will appear with information, including key, type, name, private IP address, current state, created and modified dates, tags, and relationships.