Use the trendmicro:patch-exclude=true AWS tag to prevent the Task Definition Patcher from modifying task definitions in a specific ECS cluster, without disabling Runtime Security from the TrendAI Vision One™ console.

By default, when Runtime Security is enabled on an Amazon ECS cluster, the Task Definition Patcher automatically modifies Fargate task definitions to include Container Security containers. If you want to keep Runtime Security enabled in the console for a cluster but prevent the patcher from applying changes to that cluster's task definitions, you can apply the trendmicro:patch-exclude=true tag directly to the ECS cluster resource in AWS.
Important
  • The tag value is case-sensitive. Only the exact lowercase value true triggers exclusion. Values such as True, TRUE, 1, or yes are treated as not excluded.
  • The tag must be applied to the ECS cluster resource, not to individual services or task definitions.
  • Applying this tag is passive. It does not remove Container Security from task definitions that have already been patched. To remove existing patches, you must disable Runtime Security on the cluster from the TrendAI Vision One™ console.
  • Because TrendAI Vision One™ charges are based on the Runtime Security and Runtime Scanning toggle states, you should also disable both toggles on the cluster in the TrendAI Vision One™ console when applying this tag, to avoid unexpected charges.

Patching behavior with the exclusion tag

The following table describes how the Task Definition Patcher behaves depending on whether the trendmicro:patch-exclude=true tag is present on the cluster.
| Trigger | Tag absent | Tag present (true) |
|---|---|---|
| Runtime Security enabled on the cluster | Cluster is patched | Cluster is marked as enabled in the console, but no patches are applied |
| CloudFormation stack create or update reconciles the cluster | Cluster is patched or refreshed | Cluster is left untouched |
| ECS service deployment event fires for the cluster | Service is patched | Skipped |
| Standalone task state-change event fires for the cluster | Task is patched | Skipped |
| Runtime Security disabled on the cluster | Cluster is depatched | Cluster is depatched |
| CloudFormation stack is uninstalled | Cluster is depatched | Cluster is depatched |
| Tags added to a cluster (no other action taken) | N/A | Nothing happens automatically; existing patches remain in place |
| Tags removed from a cluster | N/A | Nothing happens automatically; the patcher resumes patching on the next reconciliation, service deployment, or task event |

Common use cases

Control which clusters get patched
Apply the trendmicro:patch-exclude=true tag to clusters you want to keep outside the patcher's scope. New patches will not be applied to those clusters; any task definitions that were already patched are left as-is.
Fully remove Container Security from an excluded cluster
Disable Runtime Security on the cluster from the TrendAI Vision One™ console. Depatching always runs regardless of whether the exclusion tag is present.
Re-enable patching for a previously excluded cluster
Remove the trendmicro:patch-exclude=true tag from the cluster in AWS. The patcher will resume on the next reconciliation, ECS service deployment, or task event. No additional action is required in the TrendAI Vision One™ console.

Apply the exclusion tag in AWS

  1. Sign in to the AWS Management Console and navigate to Amazon ECS.
  2. Select Clusters and click the name of the cluster you want to exclude.
  3. On the cluster detail page, click the Tags tab.
  4. Click Manage tags, then click Add tag.
  5. Enter the following values, then click Save:
    • Key: trendmicro:patch-exclude
    • Value: true
Important
Enter the tag value as true in lowercase. Any other capitalization is ignored by the patcher.
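The same tagging and verification can be done from the AWS CLI. The script below is an added example and is not Trend Micro's or AWS's code; it assumes AWS CLI v2 is configured with credentials allowed to call `ecs:TagResource` and `ecs:ListTagsForResource`, and that `CLUSTER_ARN` holds the cluster's full ARN. `DRY_RUN`, `is_exclusion_value`, `classify_tag_value`, `apply_exclusion_tag` and `read_exclusion_tag` are names chosen for this script. It applies the tag with the exact lowercase value, reads it back, and classifies what it finds the way the patcher will, flagging a wrong-case value (`True`, `TRUE`) that looks like an exclusion but is not one.

```shell
#!/bin/sh
# Added example (not Trend Micro's or AWS's code): apply and verify the
# trendmicro:patch-exclude tag on an ECS cluster using the AWS CLI.
# Assumes AWS CLI v2 with permission for ecs:TagResource and
# ecs:ListTagsForResource. Set DRY_RUN=1 (a name chosen for this script)
# to print the aws commands instead of running them, e.g. when offline.

EXCLUDE_KEY="trendmicro:patch-exclude"

# The patcher honours only the exact lowercase value "true".
# Exit status 0 means the value would exclude the cluster, 1 means it would not.
is_exclusion_value() {
  [ "$1" = "true" ]
}

# Report a tag value the way the patcher will treat it:
#   "missing"      no tag present (empty value)
#   "excluded"     value is exactly "true"
#   "not-excluded" anything else; a wrong-case "true" is called out explicitly
#                  because it is the most common reason an exclusion silently
#                  fails to take effect
classify_tag_value() {
  value="$1"
  if [ -z "$value" ]; then
    echo "missing"
  elif is_exclusion_value "$value"; then
    echo "excluded"
  elif [ "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    echo "not-excluded (wrong case: $value)"
  else
    echo "not-excluded"
  fi
}

# Run an aws command, or only print it when DRY_RUN=1.
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Tag the cluster resource itself (not a service or task definition).
apply_exclusion_tag() {
  cluster_arn="$1"
  run_aws ecs tag-resource --resource-arn "$cluster_arn" \
    --tags "key=${EXCLUDE_KEY},value=true"
}

# Read back the current value of the exclusion tag; output is empty when
# the tag is absent. The JMESPath --query selects just that tag's value.
read_exclusion_tag() {
  cluster_arn="$1"
  run_aws ecs list-tags-for-resource --resource-arn "$cluster_arn" \
    --query "tags[?key=='${EXCLUDE_KEY}'].value" --output text
}

# Usage: CLUSTER_ARN=arn:aws:ecs:REGION:ACCOUNT:cluster/NAME sh this_script.sh
if [ -n "${CLUSTER_ARN:-}" ]; then
  apply_exclusion_tag "$CLUSTER_ARN"
  current="$(read_exclusion_tag "$CLUSTER_ARN")"
  echo "exclusion tag on $CLUSTER_ARN: $(classify_tag_value "$current")"
fi
```

Applying the tag is passive, as the page notes: after tagging, disable Runtime Security in the TrendAI Vision One console if you also want existing patches removed. The classification helper is useful on its own for auditing clusters that were tagged by hand, since `True` or `TRUE` will be reported as `not-excluded`.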