In AWS, all ECS Fargate tasks run in the “awsvpc” networking mode, which means that each task gets its own Elastic Network Interface (ENI). Because every task has an ENI, a security group must also be attached to the task, and we can look up that security group ID using LQL. The query below filters for every network interface that is associated with an ECS task and returns the security group IDs attached to that ENI (one row per group).
queryId: LWCustomCompliance_ECS_fargate_security_groups
queryText: |-
  {
    source {
      LW_CFG_AWS_EC2_NETWORK_INTERFACES as interface,
      array_to_rows(interface.RESOURCE_CONFIG:Groups) as groups
    }
    filter {
      RESOURCE_ID::String in {
        source {
          LW_CFG_AWS_ECS_DESCRIBE_TASKS as task,
          array_to_rows(task.RESOURCE_CONFIG:attachments) as attachments,
          array_to_rows(attachments:details) as details
        }
        filter {
          details:value::String like any("eni-%")
        }
        return {
          details:value::String as eni
        }
      }
    }
    return {
      RESOURCE_ID,
      groups:GroupId::String as GroupID
    }
  }
Note that this query uses “query in query” logic, so it is not possible to turn it into an alert in the platform. It can, however, be run manually via the Lacework CLI or programmatically via the Lacework API.
Additionally, the output of this query is a list of ENI resource IDs and the security group ID associated with each. If you need to enrich this data to also include the ECS cluster ID, use the secondary query below, substituting the ENI ID for `<ENI>`, to convert an ENI into an ECS cluster ID.
queryId: LWCustomConversion_ENI_ID_to_ECS_Cluster_ID
queryText: |-
  {
    source {
      LW_CFG_AWS_ECS_DESCRIBE_TASKS as task,
      array_to_rows(task.RESOURCE_CONFIG:attachments) as attachments,
      array_to_rows(attachments:details) as details
    }
    filter {
      details:value::String like any("<ENI>")
    }
    return {
      RESOURCE_CONFIG:clusterArn::String as ClusterID
    }
  }
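As an added example (not part of the original article and not Lacework code), the same two-step lookup expressed in plain Python over constructed sample records shaped like the RESOURCE_CONFIG of the two datasources: ECS DescribeTasks task objects (attachments → details → networkInterfaceId, plus clusterArn) and EC2 DescribeNetworkInterfaces entries (Groups → GroupId). It goes one step beyond the article by joining the ENI, its security groups and the cluster ARN into a single row, and it shows the two cases the queries do not surface: a task with no ENI attachment and an ENI with no matching interface record.

```python
# Constructed sample data shaped like the RESOURCE_CONFIG of the two datasources:
# ECS DescribeTasks 'task' objects and an EC2 DescribeNetworkInterfaces entry.
TASKS = [
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/web/t1",
     "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/web",
     "attachments": [{"type": "ElasticNetworkInterface", "details": [
         {"name": "subnetId", "value": "subnet-0a1b"},
         {"name": "networkInterfaceId", "value": "eni-0aaa"}]}]},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/batch/t2",
     "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/batch",
     "attachments": [{"type": "ElasticNetworkInterface", "details": [
         {"name": "networkInterfaceId", "value": "eni-0bbb"}]}]},
    # Bridge-mode EC2 task: no ENI attachment, so no security group of its own.
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/legacy/t3",
     "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/legacy",
     "attachments": []},
]
INTERFACES = [
    {"RESOURCE_ID": "eni-0aaa", "RESOURCE_CONFIG": {"Groups": [
        {"GroupId": "sg-0web", "GroupName": "web-sg"},
        {"GroupId": "sg-0shared", "GroupName": "shared-sg"}]}},
    # eni-0bbb is deliberately absent so the join shows an unresolved ENI.
]


def task_enis(task):
    """Inner LQL query: every attachment detail whose value looks like an ENI id."""
    return [d["value"] for att in task.get("attachments", [])
            for d in att.get("details", []) if str(d.get("value", "")).startswith("eni-")]


def eni_security_groups(interfaces):
    """Outer LQL query: ENI resource id -> list of attached security group ids."""
    return {i["RESOURCE_ID"]: [g["GroupId"] for g in i["RESOURCE_CONFIG"].get("Groups", [])]
            for i in interfaces}


def fargate_task_security_groups(tasks, interfaces):
    """Join both queries: one row per task ENI with cluster ARN and security groups.
    An ENI with no matching network interface record yields an empty group list."""
    sg_by_eni = eni_security_groups(interfaces)
    rows = []
    for task in tasks:
        for eni in task_enis(task):
            rows.append({"cluster": task["clusterArn"], "task": task["taskArn"],
                         "eni": eni, "security_groups": sg_by_eni.get(eni, [])})
    return rows
```

Feed it the JSON rows returned by the two queries (or the raw AWS API responses) and an empty `security_groups` list flags an ENI the inventory has not yet recorded, which is worth investigating before trusting the compliance result.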
Agent: N/A
Platform: Using Lacework/Operationalizing
Cloud: AWS