10-12-2022 02:27 PM
Given that I navigate to PCCConsole/Manage/Defenders/Deploy/Defender/Single Defender/Container Defender - App Embedded/Fargate task
And I paste the Fargate Task Definition JSON produced by AWS ECS
When I push the 'Generate protected task' button
And Copy Prisma's generated JSON
And Paste it into the new revision of an existing Task Definition
Then I get many errors, 'Should only contain 'family', 'containerDefinitions', 'volumes', 'taskRoleArn', 'networkMode', 'requiresCompatibilities', 'cpu', 'memory', 'inferenceAccelerators', 'executionRoleArn', 'pidMode', 'ipcMode', 'proxyConfiguration', 'tags', 'runtimePlatform', 'placementConstraints'.'
And I have to eliminate json objects in order for AWS to accept the definition.
JSON zipped and attached; you can use a diff tool to see what JSON had to be deleted.
Why isn't Prisma's generated JSON acceptable to AWS?
What am I doing wrong?
Are the modifications that I made acceptable?
After making the modifications, is my Task protected?
10-13-2022 06:51 AM
Hi Tommy,
This happens when a task definition is exported / copied from AWS and then pasted into Compute's protected task generation field. If you copy solely the original Fargate task and use that in Compute's protected task generator, and then use the result in a new Fargate task definition, you won't receive those errors.
Regards,
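The cause described in the reply above is that a task definition exported from AWS (for example via describe-task-definition) carries read-only fields that the task definition editor rejects. As an added example, not code from the thread or from Prisma Cloud, here is a small Python helper that keeps only the top-level keys listed in the quoted error message and reports what it dropped, so the input handed to the protected task generator is the plain registerable definition; the sample task definition and all of its values are constructed placeholders.

```python
import json

# Keys the ECS task definition JSON editor accepts at the top level,
# copied from the error message quoted in the question.
ALLOWED_TOP_LEVEL_KEYS = frozenset({
    "family", "containerDefinitions", "volumes", "taskRoleArn", "networkMode",
    "requiresCompatibilities", "cpu", "memory", "inferenceAccelerators",
    "executionRoleArn", "pidMode", "ipcMode", "proxyConfiguration", "tags",
    "runtimePlatform", "placementConstraints",
})


def strip_read_only_fields(task_def: dict) -> tuple[dict, list[str]]:
    """Return (cleaned definition, sorted list of dropped top-level keys)."""
    dropped = sorted(k for k in task_def if k not in ALLOWED_TOP_LEVEL_KEYS)
    cleaned = {k: v for k, v in task_def.items() if k in ALLOWED_TOP_LEVEL_KEYS}
    return cleaned, dropped


def clean_task_definition_json(text: str) -> tuple[dict, list[str]]:
    """Parse a pasted export, unwrap it if needed, and drop unregisterable keys."""
    data = json.loads(text)
    # describe-task-definition output wraps the definition in "taskDefinition"
    if isinstance(data.get("taskDefinition"), dict):
        data = data["taskDefinition"]
    return strip_read_only_fields(data)


# Constructed sample: a minimal Fargate task as an export would look, including
# the read-only fields such an export carries. ARNs and IDs are placeholders.
EXPORTED_TASK_DEFINITION = json.dumps({
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/example:3",
    "family": "example",
    "revision": 3,
    "status": "ACTIVE",
    "registeredAt": "2022-10-12T14:27:00.000Z",
    "requiresAttributes": [{"name": "ecs.capability.execution-role-awslogs"}],
    "compatibilities": ["EC2", "FARGATE"],
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{"name": "app", "image": "example/app:1.0", "essential": True}],
})

if __name__ == "__main__":
    cleaned, dropped = clean_task_definition_json(EXPORTED_TASK_DEFINITION)
    print("dropped:", dropped)
    print(json.dumps(cleaned, indent=2))  # paste this into the generator
```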
10-13-2022 11:50 AM
Thanks Brandon; choosing that version of a task definition was a poor choice. Given the dynamic nature of task definitions, the task definition is always a template where fields are populated with values and the transformed json is submitted via automation, for example terraform modules or CloudFormationTemplates. Thus the original JSON Task Definition is never seen by the developer, it is neither handled by a developer nor checked into a version-control-system. Bottom-line: unless the developer manually codes it, they can't submit the version of JSON that the API was made to consume.
10-13-2022 11:52 AM
Thanks again, I am grateful for your help.
10-14-2022 07:42 AM
You're welcome! I'm happy to help. I understand your feedback and I just wanted to inform you that we do have an RFE (Request for Enhancement) process. I believe that you will just need an account in our customer support portal to submit this. The more unique company votes it receives, the more visibility it will receive.
https://prismacloud.ideas.aha.io/ideas/new
Regards,
11-01-2022 12:29 PM
@CloudEngineer dude, you were correct the whole time. The Prisma Cloud Compute SecurityHub Alert Provider works perfectly fine.
I got misinformation from support case 02326773. Here is how I determined that the Registry Scanned CVEs and Compliance vulnerabilities were generating Alerts and propagating them to AWS SecurityHub/Findings Console. I entered this Filter criteria and then I could see the CVE-Alerts.
I still have NO explanation for those errors that I cited at the beginning of this
11-01-2022 12:33 PM
Please delete, disregard that comment above; it is intended for another conversation.