We are excited to introduce a significant new capability in the Upwind Cloud Security Platform – support for AWS Fargate for Amazon Elastic Container Service (ECS). This capability demonstrates our continuing commitment to security for containerized workloads, with support for both ECS deployment models within the AWS ecosystem.
At Upwind, we have consistently heard from customers that the market lacks quality, deep real-time protection for ECS Fargate. We crafted our Fargate support with industry-leading performance & functionality, providing customers with a simple, streamlined way to provide robust, real-time security for ECS workloads, both for EC2 and Fargate deployments. Fargate benefits customers by abstracting away the undifferentiated heavy lifting of managing infrastructure for microservices architectures and bursty workloads – but this necessitates a new approach to runtime monitoring.
Introducing “Upwind-ptrace”
ECS Fargate’s abstraction layer does not provide access to the underlying hardware or operating system and lacks support for eBPF, which Upwind uses in its sensors for monitoring VM and other containerized orchestration layers (including ECS on EC2). We solved this challenge with a new technology we call “Upwind-ptrace.” Upwind-ptrace is a highly tuned & customized monitoring technology designed specifically for AWS Fargate environments. It leverages the core functionality of the Linux ptrace command but tailors it for Fargate’s performance and security needs.
Using ptrace has typically meant a significant performance impact and noise from sifting through all the system calls, but the Upwind-ptrace was intentionally designed to achieve deep visibility into Fargate tasks while minimizing overhead. It does this with several innovative techniques, including dynamically filtering out unnecessary system calls, focusing only on those critical for runtime security. Additionally, Upwind-ptrace utilizes batched processing and reduced data copying to optimize performance in resource-constrained Fargate environments. The result is a powerful tracing solution that offers comprehensive security without sacrificing performance.
Benefits for AWS Fargate Users
Fargate users can now leverage Upwind’s industry-leading capabilities to ensure robust protection across AWS Fargate deployments across three main layers of your application stack:
- Network: The Upwind-ptrace monitors all network traffic in real time, actively monitoring all ECS cluster communication, as well as all the communicating resources under it.
- Process: The Upwind-ptrace monitors every process execution and file activity in real time, actively monitoring for potential threats or anomalies.
- Workload Container Images: Upwind scans all ECS container images in your registry and correlates that information with workload runtime context, actively monitoring real-time environmental variables such as if a package is in use or receiving communication from the Internet.
By actively protecting and monitoring these important aspects of applications & infrastructure, Upwind is able to provide comprehensive protection for AWS Fargate. Upwind users will be able to see this information & findings in the following areas of the Upwind Platform:
- Threat Detection: Be alerted to Detect any threats to AWS Fargate in real time, and view all related events or detections in Upwind’s Threats Tab. You can view detailed root cause analysis for each finding, along with the ability to respond to threats in real time.
- Vulnerability Management: Detect vulnerabilities associated with AWS Fargate resources in real time, as well as receiving deep prioritization information through the Upwind Vulnerability Funnel. Easily identify which Fargate vulnerabilities should be prioritized for remediation based on Upwind’s correlation of runtime data and real environmental variables, such as resources that contain sensitive data, packages that are in use, and resources that are actively communicating with the Internet.
- Inventory: Discover all ECS clusters and all workloads running on EC2 & Fargate in the Inventory Tab. You can also view compute data for ECS services in the Compute Tab and view all running and scanned images in the Images Tab.
- Upwind Topology Map: View ECS clusters and all communicating resources under them in the Upwind Topology Map, including real-time network communication and any associated resource risk overviews.
With this release, AWS Fargate users are able to leverage Upwind’s industry-leading runtime protection, making it easy to protect all of your cloud infrastructure from one comprehensive security platform .
Learn More
Want to learn more about Upwind’s support for AWS Fargate? Visit the Upwind Documentation Center (login required) or schedule a demo.
