Fargate Image Scanning

Amazon Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). It allocates the right amount of compute for each task, so you do not have to choose instance types or scale cluster capacity, and you pay only for the resources your containers actually require. Sysdig can scan the images of running Fargate services for known issues, in much the same way it scans Amazon ECR.

Fargate inline image scanning diagram

Every deploy command directed at ECS Fargate triggers an image scan. Amazon EventBridge detects the deploy call and invokes an AWS Lambda function, which starts a CodeBuild build; the image scan itself runs inside that build. This is very similar to the Amazon ECR scanning workflow described earlier.
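To make the trigger chain concrete, here is an added example of the Lambda step, written for this page rather than taken from Sysdig's or AWS's code. It assumes the EventBridge rule forwards the CloudTrail record for the ECS RegisterTaskDefinition API call (the page does not say which event the rule matches), that a CodeBuild project named sysdig-inline-scan runs the inline scanner, and that its buildspec reads the image reference from an IMAGE_TO_SCAN environment variable; all three names are assumptions. The handler extracts the distinct images from the task definition, skips task definitions that cannot run on Fargate, and starts one build per image.

```python
import os
from typing import Any, Dict, List

# Assumed name of the CodeBuild project that runs the inline scanner.
SCAN_PROJECT = os.environ.get("SCAN_PROJECT", "sysdig-inline-scan")


def extract_images(event: Dict[str, Any]) -> List[str]:
    """Return the distinct images in a RegisterTaskDefinition CloudTrail record.

    Task definitions that cannot run on Fargate are ignored, so the handler
    only starts scans for deployments actually directed at ECS Fargate.
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "RegisterTaskDefinition":
        return []
    params = detail.get("requestParameters", {})
    if "FARGATE" not in params.get("requiresCompatibilities", []):
        return []
    images: List[str] = []
    for container in params.get("containerDefinitions", []):
        image = container.get("image")
        if image and image not in images:  # one scan per distinct image
            images.append(image)
    return images


def start_scan_builds(event: Dict[str, Any], codebuild: Any) -> List[str]:
    """Start one CodeBuild build per image and return the build IDs.

    `codebuild` is a boto3 CodeBuild client (or a stand-in with the same
    start_build signature), injected so the logic can run offline.
    """
    build_ids: List[str] = []
    for image in extract_images(event):
        resp = codebuild.start_build(
            projectName=SCAN_PROJECT,
            environmentVariablesOverride=[
                # The buildspec is assumed to hand this value to the scanner.
                # A tag is scanned as-is, so prefer digests where you can: a
                # tag can be re-pushed between the scan and the deployment.
                {"name": "IMAGE_TO_SCAN", "value": image, "type": "PLAINTEXT"},
            ],
        )
        build_ids.append(resp["build"]["id"])
    return build_ids


def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point; boto3 is imported here so tests need no AWS SDK."""
    import boto3
    return {"builds": start_scan_builds(event, boto3.client("codebuild"))}


# Constructed sample events in the shape EventBridge delivers for a CloudTrail
# API call; only the fields this handler reads are included.
ECR = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
SAMPLE_FARGATE_EVENT = {
    "source": "aws.ecs",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "RegisterTaskDefinition",
        "requestParameters": {
            "family": "web",
            "requiresCompatibilities": ["FARGATE"],
            "containerDefinitions": [
                {"name": "web", "image": f"{ECR}/web:1.4"},
                {"name": "sidecar", "image": f"{ECR}/envoy:1.2"},
                {"name": "web-canary", "image": f"{ECR}/web:1.4"},  # duplicate
            ],
        },
    },
}
SAMPLE_EC2_EVENT = {
    "source": "aws.ecs",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "RegisterTaskDefinition",
        "requestParameters": {
            "family": "batch",
            "requiresCompatibilities": ["EC2"],
            "containerDefinitions": [{"name": "batch", "image": "busybox:latest"}],
        },
    },
}


class FakeCodeBuild:
    """Offline stand-in for the boto3 client; records each start_build call."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def start_build(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"build": {"id": f"{kwargs['projectName']}:{len(self.calls)}"}}


if __name__ == "__main__":
    fake = FakeCodeBuild()
    print(start_scan_builds(SAMPLE_FARGATE_EVENT, fake))  # two builds
    print(start_scan_builds(SAMPLE_EC2_EVENT, fake))      # nothing to scan
```

The client is injected so the decision logic can be exercised offline with the stand-in at the bottom; in Lambda, handler() creates the real client. Note the check on requiresCompatibilities: without it, a rule on RegisterTaskDefinition also fires for EC2-only task definitions and you pay for scans of images that never reach Fargate.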

CodeBuild ephemeral pipeline

The Sysdig inline image scanner runs inside the CodeBuild build, inspects the image about to be deployed and sends only its metadata (for example the list of installed packages) to the Sysdig backend; the image contents themselves never leave the build environment. The backend then evaluates that metadata against your scanning policies.

Sysdig image scan report

The result is a scan report. When the image does not meet your policy, the report shows which checks failed so you can take action. Because the scan is triggered by the deploy command itself, it runs alongside the deployment rather than gating it: the report tells you what to fix, and acting on it is up to you. Blocking non-compliant images is what the admission controller described below does on EKS.

Fargate on EKS and Admission Controller

Fargate can also run pods on Amazon Elastic Kubernetes Service (EKS) clusters. On an EKS cluster, the standard cloud-native way to enforce security and block non-compliant deployments is an admission controller.

By using the Sysdig Secure admission controller, just as you would on any other Kubernetes cluster, you can make sure that every image deployed to Fargate on EKS, or to any node of the cluster, has been scanned for vulnerabilities beforehand, and that it is blocked if it does not comply with your scanning policies. There are default policies for vulnerability detection and Dockerfile best practices that you can customize, or you can create your own.
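The admission-controller decision, as an added illustration rather than Sysdig's admission controller or its policy engine: given a Kubernetes AdmissionReview for a Pod, it allows the Pod only when every image, including init containers, is pinned by digest and has a passing verdict in a constructed scan-result table that stands in for the backend. The registry hostname, digests and verdicts are invented sample data. Requiring digest pinning is this example's choice, not something the page states; it closes the gap where a tag is re-pushed between scanning and admission.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# An image reference pinned by digest ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"  # sample registry
# Constructed stand-in for the scanning backend: image -> policy verdict.
SCAN_RESULTS = {
    f"{REGISTRY}/web@sha256:{'a' * 64}": "pass",
    f"{REGISTRY}/init@sha256:{'b' * 64}": "pass",
    f"{REGISTRY}/legacy@sha256:{'c' * 64}": "fail",
}


def pod_images(pod: Dict[str, Any]) -> List[str]:
    """Collect every image a Pod can run, not only spec.containers."""
    spec = pod.get("spec", {})
    return [c["image"]
            for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key, [])]


def evaluate_image(image: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown images are denied: fail closed."""
    if not DIGEST_RE.search(image):
        return False, f"{image}: not pinned by digest, so the scanned content could change"
    verdict = SCAN_RESULTS.get(image)
    if verdict is None:
        return False, f"{image}: no scan result, scan before deploying"
    if verdict != "pass":
        return False, f"{image}: failed the scanning policy"
    return True, ""


def review(admission_review: Dict[str, Any]) -> Dict[str, Any]:
    """Build the AdmissionReview response for a Pod CREATE/UPDATE request."""
    request = admission_review["request"]
    reasons: List[str] = []
    if request.get("kind", {}).get("kind") == "Pod":
        for image in pod_images(request["object"]):
            allowed, reason = evaluate_image(image)
            if not allowed:
                reasons.append(reason)
    response: Dict[str, Any] = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        # The message is what kubectl shows the user on a denied create.
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def make_review(uid: str, init_images: List[str], images: List[str]) -> Dict[str, Any]:
    """Constructed AdmissionReview request, trimmed to the fields review() reads."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "object": {"spec": {
                "initContainers": [{"name": f"init{i}", "image": img}
                                   for i, img in enumerate(init_images)],
                "containers": [{"name": f"c{i}", "image": img}
                               for i, img in enumerate(images)],
            }},
        },
    }


CLEAN_POD = make_review("1", [f"{REGISTRY}/init@sha256:{'b' * 64}"],
                        [f"{REGISTRY}/web@sha256:{'a' * 64}"])
BAD_POD = make_review("2", [f"{REGISTRY}/init@sha256:{'b' * 64}"],
                      [f"{REGISTRY}/web:1.4", f"{REGISTRY}/legacy@sha256:{'c' * 64}"])

if __name__ == "__main__":
    print(json.dumps(review(CLEAN_POD)["response"]))  # allowed
    print(json.dumps(review(BAD_POD)["response"]))    # denied, two reasons
```

Because admission runs in the API server, the same decision applies whether the Pod lands on Fargate or on an EC2 node, which is the point of this section. The example fails closed: an image with no scan result is denied with a reason rather than allowed by default, and every denied image is reported in one message so the user does not have to fix them one at a time.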

Read the Sysdig documentation on the admission controller for more information.

EKS admission controller diagram

Visit the AWS Workshop for hands-on training

For more information and hands-on training on this and other features of Sysdig Secure for cloud, visit the official AWS Workshop at:

sysdig.awsworkshop.io

Continue to next sections

Ready to learn more about all of the security capabilities?

Visit the Threat Detection based on CloudTrail section.
Visit the Cloud Security Posture Management and Compliance section.
Visit the ECR Image Registry Scanning section.