Aqua Blog

Embracing the Future: AWS Customers Leverage Fargate for ECS and EKS Deployments

Embracing the Future: AWS Customers Leverage Fargate for ECS and EKS Deployments

As organizations advance in their cloud native journey, the adoption of AWS Fargate for ECS (Elastic Container Service) and EKS (Elastic Kubernetes Service) increases. Many customers begin their cloud journey with Amazon ECS, with around 65% of new AWS container customers opting for ECS. This popularity is driven by Fargate’s serverless compute engine, which allows containers to run without managing the underlying infrastructure. Using Amazon ECS or Amazon EKS with AWS Fargate offers several advantages, making it a compelling choice for deploying and managing containerized applications. Here’s why organizations prefer ECS or EKS with Fargate: 

ECS or EKS with Fargate provides a serverless compute environment that simplifies infrastructure management, enhances security, boosts cost efficiency, and integrates seamlessly with the broader AWS ecosystem. This makes it an effective solution for organizations aiming to deploy, manage, and scale containerized applications efficiently and securely. 

The shift towards Fargate is driven by the need for greater agility, scalability, and cost-efficiency in deploying containerized applications. Dev teams want to focus on building applications, delivering with speed, agility, and security, with the ability to scale quickly and seamlessly. Containerization not only allows them to build fast but also helps create a uniform security approach across environments. The main value proposition is the automation of containers, which increases the speed and ease of testing and iterating. Additionally, containers contribute to a sustainable cloud transformation by ensuring you only pay for what you use, enhancing sustainability. Operational efficiency is also improved by reducing the burden of managing the host, which is where AWS comes in.  

By eliminating the need to provision, configure, and scale clusters of virtual machines, Fargate enables organizations to focus on building applications and services instead of managing the infrastructure. However, the widespread adoption of Fargate has also introduced new security challenges in this space.

Ensuring Application Safety in a Serverless Fargate Environment

The shared responsibility model is a fundamental concept in cloud security, delineating the division of security responsibilities between AWS and its customers. AWS assumes responsibility for securing the physical infrastructure and underlying hardware that make up the cloud environment—this is known as Security “of” the Cloud. In contrast, customers are responsible for securing everything they bring onto this infrastructure, such as customer data, code, applications, and operating systems, which is referred to as Security “in” the Cloud. 

However, a significant challenge arises from this model: customers are tasked with securing their applications and data while operating on a platform where they lack control over the underlying infrastructure. AWS addresses this by offering a suite of identity, security, compliance, and management services designed to help customers implement best practices and secure their cloud applications. To extend security across the application lifecycle, customers must utilize capabilities like runtime protection, which involves monitoring the activity of containers, collecting data on running workloads, and enforcing security policies based on predefined rules. 

The traditional approach to security heavily relies on host-based agents to monitor and protect the infrastructure. However, with services like AWS Fargate, where the host layer is abstracted away from the end user, deploying and managing these agents becomes impossible. This abstraction leads to a lack of visibility and control over the host environment, raising concerns about how to effectively safeguard applications and data in a Fargate deployment. Moreover, enforcing runtime security policies and detecting anomalies within a containerized environment becomes particularly challenging. The ephemeral nature of containers and the inaccessibility of the host layer render traditional security tools inadequate, necessitating innovative solutions that can provide comprehensive security coverage without relying on host-based agents. 

AWS Immersion Day Workshops

Pioneering the cloud native security Aqua’s patented MicroEnforcer

Aqua Security addresses these unique challenges with its patented solution, MicroEnforcer. This lightweight security module can be deployed either as a sidecar container alongside the application container or as an embedded image, rolled out during the next code push. By integrating directly into the container runtime, Aqua’s MicroEnforcer provides visibility and control over the containerized application, ensuring that security policies are enforced, and anomalies are detected in real-time. 

Initially, the solution for this security gap involved using sidecar containers, which run alongside application containers to handle security tasks. However, using sidecars doubles the number of containers required for each application, increasing computing resource costs and adding complexity. MicroEnforcer addresses these issues by offering a more efficient and integrated approach. 

MicroEnforcer provides significant advantages for securing Fargate deployments. Operating independently of the underlying infrastructure, it is ideal for environments where the host is not accessible. This capability allows organizations to maintain consistent security policies across various deployment environments, whether on-premises, in the cloud, or in a hybrid setup. 

Deploying MicroEnforcer in a Fargate environment is straightforward. It can be embedded into the container image during the build process or injected as a sidecar container in the task definition. This flexibility ensures seamless integration of security into the CI/CD pipeline, enabling continuous protection throughout the application lifecycle. 

Additionally, Aqua’s centralized management console offers a unified view of security events and policy enforcement, simplifying the management and monitoring of containerized environments. 

Securing containers to run on Fargate environments 

In conclusion, the adoption of AWS Fargate for ECS (Elastic Container Service) and EKS (Elastic Kubernetes Service) represents a significant advancement in how organizations deploy and manage containerized applications. However, it also necessitates a rethinking of traditional security models. Aqua Security’s MicroEnforcer bridges this gap, offering a powerful and flexible solution for securing Fargate environments. As the adoption of Fargate continues to grow, solutions like Aqua’s will be essential in ensuring that security keeps pace with innovation, allowing organizations to fully realize the benefits of serverless computing without compromising on protection. 

Interested in getting hands on experience by leveraging Aqua Security’s robust capabilities to confidently scale and modernize cloud native applications on AWS? Join one of our eight global Aqua Security & AWS Immersion Day Workshops to gain: 

  • Comprehensive Cloud Native Security: Learn how to deploy and configure the Aqua Platform to secure your cloud native applications, ensuring end-to-end protection from vulnerabilities to runtime threats in AWS environments like ECS and Fargate. 
  • Hands-On Experience with Aqua MicroEnforcer: Gain practical knowledge of deploying Aqua’s MicroEnforcer embedded directly into the container image, effectively safeguarding workloads without disrupting operations, and ensuring real-time runtime security. 
  • Advanced Threat Mitigation & Compliance: Discover how to leverage Aqua’s cutting-edge features such as Drift Prevention, Vulnerability Management (vShield), and forensics, helping you achieve both security and regulatory compliance.  

Register Now to reserve your spot! 

 

Ray Ganske
Ray Ganske is the AWS Alliance Lead on the business development and strategy team at Aqua Security. Before joining Aqua, Ray held key business development roles at Nintex and DocuSign, where he specialized in building partnerships with major technology companies such as Microsoft and Salesforce. His expertise extends across a broader range of partnerships within the ISV ecosystem. An Army veteran, Ray also values spending time outdoors and time with his family.