Lacework Agent + AWS Fargate Guide

Table of contents

• Change log
• Overview
• Best practices
• Prerequisites
• Installation steps
• Provide feedback

Change log

Date	Author	Comment
January 2022	Allie Fick	Revised to align with Lacework's best practice guide template. Completed editorial review.
September 2021	Diana Esteves	We're embracing Docker's multistage build feature when baking the agent. Updated best practices to include 1 agent token:1 service recommendation Updated one-liner and corresponding entrypoint to start the agent service. Updated sidecar reqs. We now have several example Dockerfiles and helper scripts. 🤩 See /examples.
August 2021	Diana Esteves	Initial public release for this guide. Thank you to all the amazing Lacers who provided valuable feedback!

Overview

Two options are available to install the Lacework agent in AWS Fargate. We highly recommend the baking solution because it pre-installs and configures the agent directly in the Docker image.

Prerequisites

• The base image in your Dockerfile must be based on one of the Linux distros found here.
• As the Lacework agent user gathers network packet data, it needs to be run with sudo privileges. The Lacework agent must be run as root.
• The user must have valid access token(s) for the Lacework agent. These can be obtained via the Lacework CLI (see Installing the CLI & Creating a Token bash script for a simple example) or, alternatively, navigate to https://YOUR-ORG.lacework.net/ui/investigation/settings .
• The AWS Identity and Access Management (IAM) user used needs permissions listed in AmazonECSTaskExecutionRolePolicy.
• The Lacework agent needs to reach Lacework’s API endpoint. The default endpoint is https://api.lacework.net. See other endpoints here.
• If leveraging the sidecar alternative, review additional requirements.

Best practices

• Install the agent directly into your existing application Dockerfile(s):
  • Use multistage builds.
  • When building the Docker image, place the Lacework agent token in the container definition as an environment variable to securely pass it in.
• Allocate 512 MB vCPU and 1 GB RAM for the Lacework agent.
• Use one Lacework agent token per container (TaskDefinition Service).

Installation steps

Two primary options to install the Lacework Agent in AWS Fargate are available. The recommended method is to bake the Lacework agent directly in the Docker image. We encourage using multistage builds; however, a version without multistage builds is also documented below:

Navigate to the corresponding configuration below to view the installation steps.

• Recommended: Bake the Lacework Agent in the Docker Image Using Multistage Builds
• Bake the Lacework Agent into Existing Dockerfile Sans Multistage Build
• Use a Sidecar

Provide feedback

To provide feedback on this guide, submit a pull request or email diana@lacework.com.