aqua-ecs-fargate

Description

This page contains instructions for creating a deployment of Aqua CSP (Cloud native Security Platform) on an Amazon ECS Fargate cluster. For high availability, you must deploy Aqua on 2 availability zones (AZs).

These instructions are applicable to all versions of Aqua CSP.

Your deployment will create these services: - Aqua Server, deployed with an Amazon Application Load Balancer - Aqua Database, created on a new Amazon RDS instance, which includes 7 days of rolling backups - Aqua Audit Database, created on a new Amazon RDS instance, which includes 7 days of rolling backups - Aqua Gateways (2), each on a separate subnet, deployed with a Network Load Balancer

In addition, it will create an IAM role for giving the Aqua Server access to ECR (Elastic Container Registry).

A CloudFormation template is used to deploy Aqua CSP. This can be done either with the AWS CloudFormation Management Console or the AWS Command Line interface, as explained below.

Requirements

• A VPC with at least 2 subnets

• A certificate via AWS Certificate Manager

• From Aqua Security: your Aqua credentials (username and password) and CSP License Token

Before deployment

1. Login to the Aqua Registry with your Aqua credentials: docker login registry.aquasec.com -u <AQUA_USERNAME> -p <AQUA_PASSWORD>

2. Pull the Aqua product images for the Server, Gateway with these commands.

` docker pull registry.aquasec.com/console:2022.4 docker pull registry.aquasec.com/gateway:2022.4 ` 3. Push all of the images to ECR.

Deployment method 1: CloudFormation Management Console

1. Click the <b>Launch Stack</b> icon at the top of this README.md file. This will take you to the <b>Create stack</b> function of the AWS CloudFormation Management Console.

2. Ensure that your AWS region is set to where you want to deploy Aqua CSP.

3. Click "Next".

4. Set or modify any of the parameters (per the explanations provided).

5. Click "Next" to create the stack.

It will typically require up to 20 minutes for Aqua CSP to be deployed. When completed, you can obtain the DNS name of the Aqua Server UI from the console output, under key name AquaConsole.

Deployment method 2: Command Line interface

1. Copy the following command:

aws --region us-east-1 cloudformation create-stack --capabilities CAPABILITY_NAMED_IAM --stack-name aqua-fargate --template-body file://aquaFargate.yaml \
--parameters ParameterKey=AquaConsoleAccess,ParameterValue=x.x.x.x/x \
ParameterKey=AquaServerImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:server-x.x \
ParameterKey=AquaGatewayImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:gateway-x.x \
ParameterKey=ClusterName,ParameterValue=xxxx \
ParameterKey=EcsInstanceSubnets,ParameterValue=\"subnet-xxxx,subnet-xxxx\" \
ParameterKey=AuditRdsInstanceClass,ParameterValue=db.t3.medium \
ParameterKey=MultiAzDatabase,ParameterValue=false \
ParameterKey=RdsInstanceClass,ParameterValue=db.t3.medium \
ParameterKey=RdsStorage,ParameterValue=50 \
ParameterKey=VpcCidr,ParameterValue=x.x.x.x/x \
ParameterKey=VpcId,ParameterValue=vpc-xxxx \
ParameterKey=LbSubnets,ParameterValue=\"subnet-xxxx,subnet-xxxx\" \
ParameterKey=LBScheme,ParameterValue=\"internet-facing\"
ParameterKey=SSLCert,ParameterValue=\"arn:aws:acm:us-east-1:1234567890:certificate/xxxxxxxxxxxx\"
ParameterKey=ActiveActive,ParameterValue=\"fasle\"

1. Set the parameters as follows:

2. Run the AWS create-stack CLI command.

It will typically require up to 20 minutes for your stack to be created and deployed. When completed, you can obtain the DNS name of the Aqua Server UI from the console output, under key name AquaConsole.

Active-Active Deployment

For Active-Active configuration select option yes in activeactive parameter while creating the stack.

Split DB deployment

Having a seprate DB for audit events is an optional parameter. Select Yes for AuditRDS parameter if you would like to create a separate RDS instance otherwise select No to use single RDS instance both. Default value for AuditRDS (or split DB) is No.

External DB (Managed DB)

If you have an existing PostgreSQL database and want to use the same for aqua deployment, use the cloudformation template aquaFargate-external.yaml.

None SSL Deployment

Deployment

If you want to deploy CSP without SSL certificate, use the cloudformation template aquaFargate-noneSSL.yaml.

External DB

If you have an existing PostgreSQL database and want to use the same for aqua deployment, use the cloudformation template aquaFargate-noneSSL-external.yaml.

MicroEnforcer Deployment

AWS Fargate is a Container as a Service (CaaS) enviornment and you can deploy aqua microenforcer to provide runtime security to the containers deployed in AWS Fargate. Please refer to the the microenforcer docuemntation for more details. https://docs.aquasec.com/v2022.4/docs/microenforcer

Cloud Connector Deployment

The Aqua Cloud Connector is used in conjunction with Aqua Platform SaaS Edition (Enterprise Plan) deployments. https://docs.aquasec.com/docs/aqua-cloud-connector

Version upgrade

To upgrade your Aqua CSP version, modify the existing stack with the new Aqua product images.