Skip to main content

Install Linux Agent with AWS Elastic Beanstalk

AWS Elastic Beanstalk allows users to easily deploy and scale their web applications. It supports multiple programming languages such as Python, Java, Node.js, and Go, and runs applications natively on an EC2 instance or as Docker containers.

Lacework agent secures your web application by deploying through AWS Elastic Beanstalk along with your application. You can deploy the Lacework agent with Elastic Beanstalk in the following ways:

  • Host deployment: Deploy the agent as part of the application setup where the agent is installed directly on the EC2 instance.
  • Multi-container deployment: Deploy the agent through Elastic Beanstalk where the application is made of multiple containers.
    • Multi-container platform on Amazon Linux AMI.
    • With Docker compose: Deploy the agent as a container side-by-side with the application containers.
    • As an ECS managed platform: Deploy the agent as part of the application setup for multiple containers to the ECS managed platform.

Host Deployment

You can deploy the Lacework agent as part of the application setup on Elastic Beanstalk. In this type of deployment, the agent is installed directly on the EC2 instance hosting the application.

Agent host deployment is suitable for an application that is deployed natively on the EC2 instance or if the application consists of a single container.

Elastic Beanstalk lets you customize and extend your application deployment through configuration files. Elastic Beanstalk configuration files are added in a .ebextensions folder within the top folder of the application you want to secure. For the Lacework agent, the agent configuration file is named lacework.config and is added in the .ebextension folder for the web application you want to deploy.

Deploy the Agent in an Elastic Beanstalk Host

  1. To deploy the Lacework agent, add the configuration file 00lacework.config in the folder .ebextensions. This .ebextension folder must be in the root application directory of the application you want to secure.

  2. Copy the following code block and paste it into your 00lacework.config configuration file.

    # .ebextensions/00lacework.config
    files:
    "/var/lib/lacework/config/config.json":
    mode: "000640"
    owner: root
    group: root
    content: |
    {"platform": "elasticbeanstalk", "tokens": {"accesstoken": "<AGENT ACCESS TOKEN>"}}

    "/tmp/lacework_install.sh":
    mode: "000700"
    owner: root
    group: root
    source: https://packages.lacework.net/install.sh

    "/tmp/lw_install.sh":
    mode: "000700"
    owner: root
    group: root
    content: |
    #!/bin/bash
    if [ ! -f /var/lib/lacework/datacollector ]; then
    /tmp/lacework_install.sh
    fi

    commands:
    00setup_lacework:
    command: "/tmp/lw_install.sh"
  3. Replace <AGENT ACCESS TOKEN> with a valid agent access token. To obtain an access token for your agent, see Create Agent Access Token. You only need to specify a server URL if you are installing Linux agent v6.6 or earlier outside the US. For more information, see Agent Server URL.

If you do not want to specify the access token in the 00lacework.config configuration file, you can store the access token securely in the Systems Manager Parameter Store and call it using a script in the 00lacework.config configuration file as shown below. Replace <REGION> in the script with your AWS region.

# .ebextensions/00lacework.config
files:
"/tmp/set_lacework_config.sh":
mode: "000640"
owner: root
group: root
content: |
#!/bin/bash
LACEWORK_ACCESS_TOKEN=$(aws ssm get-parameter \
--name lacework_access_token \
--region <REGION> \
--query 'Parameter.Value' --output text)
mkdir -p /var/lib/lacework/config
echo "{\"platform\": \"elasticbeanstalk\", \"tokens\": {\"accesstoken\": \"${LACEWORK_ACCESS_TOKEN}\"}}" > /var/lib/lacework/config/config.json
"/tmp/lacework_install.sh":
mode: "000700"
owner: root
group: root
source: https://packages.lacework.net/install.sh
"/tmp/lw_install.sh":
mode: "000700"
owner: root
group: root
content: |
#!/bin/bash
if [ ! -f /var/lib/lacework/datacollector ]; then
/tmp/set_lacework_config.sh
/tmp/lacework_install.sh
fi
commands:
00setup_lacework:
command: "/tmp/lw_install.sh"

Example: Deploy the Flask Application with the Agent as a Host

The following is an example deployment of a sample web application called Flask. This application is deployed on Elastic Beanstalk along with the agent to secure it.

Provision the Web Application for Deployment

mkdir eb-flask; cd eb-flask
pip install virtualenv
virtualenv virt
source virt/bin/activate
pip install flask==2.0.1
pip freeze > requirements.txt
# to ignore the virt directory when eb is uploading the application bundle, add the following file:
echo virt > .ebignore
mkdir .ebextensions

Configure the Agent to Deploy with the Web Application

  1. Create the agent configuration file 00lacework.config in the .ebextensions/ folder, as shown:
  .
├── .ebextensions
│ └── 00lacework.config
├── .ebignore
├── application.py
└── requirements.txt
  1. Copy the code block for the agent configuration file (listed above) and paste it into the agent configuration file 00lacework.config.
  2. Specify the access token and URL for the agent.

Configure the Application through the Elastic Beanstalk CLI to Create the Environment

eb init -p python-3.8 flask-tutorial
eb create flask-env

Alternatively, you can create the application bundle and upload it in the AWS console. Issue the following command from the application directory:

zip ../application-name.zip -r * .[^.]*

Afterwards, deploy this application by uploading it to the AWS console.

Single-Container Application

For applications consisting of a single container, you can deploy using the host deployment method where the Lacework agent is deployed as part of the application setup on Elastic Beanstalk.

To deploy with this method, see Deploy Agent in an Elastic Beanstalk Host Deployment

Multi-Container Application

For multi-container applications, you can deploy and secure it through Elastic Beanstalk by deploying using the multi-container platform supported on Amazon Linux AMI. Alternatively, you can deploy the application using Docker Compose for deployments on Amazon Linux 2 or using Dockerrun.aws.json v2 to the ECS managed platform.

Multi-Container Platform on Amazon Linux AMI

For multi-container applications using Amazon Linux AMI, you can deploy the Lacework agent as part of the application setup on Elastic Beanstalk. In this type of deployment, the agent is installed directly on the EC2 instance hosting the application. For information on how to add a Lacework agent to this kind of application, see Host Deployment.

Multi-Container Application with the Containerized Agent Using Docker Compose

For multi-container applications using Amazon Linux 2, you can deploy the Lacework agent as a container side-by-side with the application containers using Docker Compose.

Example: Deploy a Multi-Container Application with the Containerized Agent Using Docker Compose

  1. Add the agent to the Docker Compose file:
version: '2.4'
services:
php-app:
image: "php:fpm"
volumes:
- "./php-app:/var/www/html:ro"
- "${EB_LOG_BASE_DIR}/php-app:/var/log/sample-app"
mem_limit: 128m
environment:
Container: PHP
depends_on:
- lacework-datacollector
nginx-proxy:
image: "nginx"
ports:
- "80:80"
volumes:
- "./php-app:/var/www/html:ro"
- "./proxy/conf.d:/etc/nginx/conf.d:ro"
- "${EB_LOG_BASE_DIR}/nginx-proxy:/var/log/nginx"
mem_limit: 128m
links:
- php-app
lacework-datacollector:
image: lacework/datacollector:latest
pid: "host"
network_mode: "host"
privileged: true
restart: always
volumes:
- /var/lib/lacework:/var/lib/lacework
- /var/log:/var/log
- /var/run:/var/run
- /etc/passwd:/etc/passwd:ro
- /etc/group:/etc/group:ro
- /:/laceworkfim:ro
environment:
- LaceworkAccessToken=<AGENT ACCESS TOKEN>
- LaceworkServerUrl=<server URL>

where: LaceworkAccessToken is set to a valid agent access token. LaceworkServerUrl is set to the server URL appropriate to your region.

Note that Dockerrun.aws.json is not used with Docker Compose. The example application folder structure before issuing the EB CLI commands should be as follows:

  .
├── docker-compose.yml
├── php-app
│ ├── index.php
│ └── static.php
└── proxy
└── conf.d
└── default.conf
  1. Initialize the Application through the Elastic Beanstalk CLI:

    eb init -p docker php-app-secured

  2. Upload the Multi-container Application and Deploy to Elastic Beanstalk:

    eb create php-app-secured

Multi-Container Application on an ECS Managed Platform

Elastic Beanstalk supports deploying an application with multiple containers to an ECS managed platform.

  1. Configure the application through the file Dockerrun.aws.json v2.
  2. Add the Lacework agent to the ECS managed platform by adding the configuration file 00lacework.config in the folder .ebextensions. This .ebextension folder must be in the root application directory of the application you want to secure. The application folder after adding Lacework agent to the application should be as follows:
  .
├── .ebextensions
│ └── 00lacework.config
├── Dockerrun.aws.json
├── php-app
│ ├── index.php
│ └── static.php
└── proxy
└── conf.d
└── default.conf
  1. Deploy the application using the following EB CLI commands:
eb init -p ecs <application-name>
eb create <application-env-name>

Alternatively, you can create the application bundle and upload it to the AWS console. Issue the following command from the application directory:

zip ../application-name.zip -r * .[^.]*

Elastic Beanstalk creates a task definition for the application and deploys it to an ECS cluster.

Another method to deploy the agent for the multi-container application on the ECS managed platform is to add the agent container to the file Dockerrun.aws.json v2. However, this method does not enable the agent to operate in an optimal manner. Agent containers need to be privileged and run in the host network namespace and PID namespace to see all processes and connections on the system. The ECS task definition generated from Dockerrun.aws.json by Elastic Beanstalk does not provide the ability for the agent container to join the host network and PID namespaces

Limitations

Load Balancers

When using the application load balancer or classic load balancer, the client IP is not visible to the agent. The client connection is terminated on the load balancer. As a result, the load balancer uses its own private IP to forward the request to the reverse proxy (NGINX) running on the EC2 instance. The agent sees the connections between the load balancer and the reverse proxy.

If a network load balancer is used, this preserves the client IP by default. The agent is able to see client connections because they are terminated on the reverse proxy.

You can specify the load balancer type using the Elastic Beanstalk CLI or in the console:

eb create <application-env-name> --elb-type network

Local Traffic

The Lacework agent is able to see local traffic. However, for short-lived connections, the agent attributes connections to the receiving process (application server). Due to the agent being unable to determine the initiator process (NGINX) of the connections, these connections are not reported in the Lacework console under TCP - Internal Process Connection Details.

The agent cannot attribute both ends of the local connections because eBPF is not supported on Elastic Beanstalk EC2 instances. The instances are either Amazon Linux AMI or Amazon Linux 2 and come with Linux kernel 4.14. The Lacework agent supports eBPF on Linux kernel versions 4.16 and later.