Views:
Feature
Description
Runtime Security
Provides visibility into any activity of your running containers that violates a customizable set of rules.
Important
Important
TrendAI™ recommends allocating at least an additional 0.5 vCPU and 1 GB memory to your ECS cluster node size on top of your existing requirements before enabling the Runtime Security feature. This is a general-purpose recommendation and can be adjusted based on cluster node size and observed CPU and memory usage. See Adjust the CPU and memory allocations for ECS clusters for more information.
Runtime Scanning
Provides visibility of operating system and open source code vulnerabilities that are part of containers running in clusters.
Important
Important
  • Vulnerability Runtime Scanning supports clusters with pure ARM64 CPU nodes or pure x86_64 CPU nodes. Mixed CPU modes are not supported.
  • A vulnerability scan occurs for each newly-deployed image, and then is rescanned every 24 hours.
  • Vulnerability Runtime Scanning occurs on all active images inside the ECS cluster, including both ECR and non-ECR images.
  • Container Security scans containers in an ECS cluster on a schedule (every 5 minutes). After finding a new uncached image, Container Security posts a scan request to the scan queue, which triggers a SBOM generation in the scan Lambda. This SBOM is uploaded to AsaaS for a vulnerability scan.

Procedure

  1. Go to Cloud SecurityContainer SecurityInventory/Overview.
  2. In the tree, click Amazon ECS, locate and click the cluster in the list.
  3. Turn on Runtime Security.
  4. Turn on Runtime Scanning.
  5. Click Save.
Important
Important
If the ECS cluster has the trendmicro:patch-exclude=true AWS tag applied, enabling Runtime Security marks the cluster as enabled in the console but does not trigger patching of task definitions. No Container Security containers will be injected into the cluster's Fargate tasks until the tag is removed. For more information, see Exclude an Amazon ECS cluster from patching.
Note
Note
If your ECS cluster uses Bottlerocket AMI, additional configuration is required before Container Security can be deployed. See Enable Container Security on Amazon ECS Bottlerocket instances for more information.