PCC/Manage/Defenders/Deploy/Defender/Single Defender/Container Defender - App Embedded/Fargate task generates JSON unacceptable to AWS


L3 Networker

Given that I navigate to PCCConsole/Manage/Defenders/Deploy/Defender/Single Defender/Container Defender - App Embedded/Fargate task

And I paste the Fargate Task Definition JSON produced by AWS ECS

When I push the 'Generate protected task' button

And Copy Prisma's generated JSON

And Paste it into the new revision of an existing Task Definition

Then I get many errors: 'Should only contain 'family', 'containerDefinitions', 'volumes', 'taskRoleArn', 'networkMode', 'requiresCompatibilities', 'cpu', 'memory', 'inferenceAccelerators', 'executionRoleArn', 'pidMode', 'ipcMode', 'proxyConfiguration', 'tags', 'runtimePlatform', 'placementConstraints'.'

And I have to eliminate JSON objects in order for AWS to accept the definition.

 

JSON zipped and attached; you can use a diff tool to see what JSON had to be deleted.

 

Why isn't Prisma's generated JSON acceptable to AWS?

What am I doing wrong?

Are the modifications that I made acceptable?

After making the modifications, is my Task protected?

 



Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org

L3 Networker

Hi Tommy,

This happens when a task definition is exported / copied from AWS and then pasted into Compute's protected task generation field. If you copy solely the original Fargate task and use that in Compute's protected task generator, and then use the result in a new Fargate task definition, you won't receive those errors.

 

Regards,

Brandon Goldstein, Sr. Customer Success Engineer, Prisma Cloud | PCCSE, GCP PCSE
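To make the distinction in Brandon's answer concrete: the JSON copied from the AWS console or from `describe-task-definition` carries read-only metadata (ARN, revision, status, registration timestamps) that `RegisterTaskDefinition` refuses, which is exactly the list of permitted keys in the error message above. The following script is an added example, not code from Prisma Cloud or AWS; it splits an exported task definition into the registerable part and the dropped part so you can see what was removed, and the sample task definition it embeds is constructed with placeholder names and account id.

```python
import json

# Top-level keys RegisterTaskDefinition accepts, copied from the error
# message quoted in the thread above.
REGISTER_KEYS = frozenset({
    "family", "containerDefinitions", "volumes", "taskRoleArn", "networkMode",
    "requiresCompatibilities", "cpu", "memory", "inferenceAccelerators",
    "executionRoleArn", "pidMode", "ipcMode", "proxyConfiguration", "tags",
    "runtimePlatform", "placementConstraints",
})

def split_task_definition(exported: dict) -> tuple[dict, dict]:
    """Split an exported task definition into (registerable, dropped).

    registerable keeps only keys RegisterTaskDefinition accepts; dropped holds
    the read-only metadata describe-task-definition adds (ARN, revision,
    status, timestamps, ...) that the API refuses on input. A CLI-style
    {"taskDefinition": {...}, "tags": [...]} wrapper is flattened first.
    """
    body = dict(exported.get("taskDefinition", exported))
    if "taskDefinition" in exported and "tags" in exported:
        body["tags"] = exported["tags"]  # CLI puts tags beside, not inside
    registerable = {k: v for k, v in body.items() if k in REGISTER_KEYS}
    dropped = {k: v for k, v in body.items() if k not in REGISTER_KEYS}
    return registerable, dropped

def prepare_for_register(exported_json: str) -> str:
    """Parse exported JSON and return JSON safe to paste into a new revision."""
    registerable, _ = split_task_definition(json.loads(exported_json))
    return json.dumps(registerable, indent=2)

# Constructed sample in the shape DescribeTaskDefinition returns (account id
# and names are placeholders); the extra keys are what the console export carries.
SAMPLE_EXPORT = {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/demo:3",
    "family": "demo",
    "revision": 3,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [{"name": "app", "image": "example/app:1.0", "essential": True}],
    "compatibilities": ["EC2", "FARGATE"],
    "registeredAt": "2022-11-01T12:00:00Z",
    "registeredBy": "arn:aws:iam::123456789012:user/dev",
}
```

Because `containerDefinitions` is a registerable key, stripping the top-level metadata leaves the container section (where the App-Embedded Defender is injected) untouched; compare the `dropped` dict against the diff you made by hand.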

L3 Networker

Thanks Brandon; choosing that version of a task definition was a poor choice. Given the dynamic nature of task definitions, the task definition is always a template where fields are populated with values and the transformed JSON is submitted via automation, for example Terraform modules or CloudFormation templates. Thus the original JSON Task Definition is never seen by the developer; it is neither handled by a developer nor checked into a version control system. Bottom line: unless the developer manually codes it, they can't submit the version of JSON that the API was made to consume.

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org

L3 Networker

Thanks again, I am grateful for your help.

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org

You're welcome! I'm happy to help. I understand your feedback and I just wanted to inform you that we do have an RFE (Request for Enhancement) process. I believe that you will just need an account in our customer support portal to submit this. The more unique company votes it receives, the more visibility it will receive.

https://prismacloud.ideas.aha.io/ideas/new

 

Regards,

Brandon Goldstein, Sr. Customer Success Engineer, Prisma Cloud | PCCSE, GCP PCSE

L3 Networker

@CloudEngineer  dude, you were correct the whole time.  The Prisma Cloud Compute SecurityHub Alert Provider works perfectly fine.

I got misinformation from support case 02326773. Here is how I determined that the Registry Scanned CVEs and Compliance vulnerabilities were generating Alerts and propagating them to AWS SecurityHub/Findings Console. I entered this Filter criteria and then I could see the CVE-Alerts.

[screenshot: TommyHunt_0-1667330936544.png]

 

I still have NO explanation for those errors that I cited at the beginning of this.

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org

L3 Networker

Please delete, disregard that comment above; it is intended for another conversation.

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
thunt@citrusoft.org
https://www.citrusoft.org