This guide explains how to deploy the open-appsec Web Application Firewall (WAF) on Amazon Elastic Container Service (ECS).
The deployment process and configuration options may change based on updates to Amazon ECS and open-appsec. Please validate the latest requirements and options before deploying.
Prerequisites
For Declarative Configuration
Create a local_policy.yaml file with your desired configuration and save it in a local directory.
Use this directory in the Docker run command as <path-to-persistent-location-for-local-configuration-file>.
You can also download the default local_policy.yaml from the open-appsec GitHub repository. Full details about the file structure can be found here.
For Connecting to WebUI (SaaS)
Create an agent profile in your SaaS tenant for the open-appsec Docker deployment.
Open the ECS Console: Go to the ECS console and either create a new cluster or access an existing cluster.
Create a Cluster (Optional):
Choose a launch type.
Configure the cluster settings as needed (network, compute options, etc.).
Step 2: Create a New Task Definition
Open Task Definitions: Navigate to "Task Definitions" in the ECS console.
Create New Task Definition:
Choose EC2 or Fargate, depending on your cluster type.
Configure Infrastructure Requirements: Define the required CPU, memory, and IAM roles. Be sure to select roles that allow access to necessary AWS services and network resources.
Step 3: Define Container Settings
Add a Container Definition: In the task definition, add a container using the following details:
Image URI:ghcr.io/openappsec/agent-unified:<version>
(You can use the latest version by using :latest in place of <version>).
Port Mappings: Specify the necessary port mappings. We recommend allowing SSH communication on your deployment to help with debugging, especially if issues arise with the agent.
Volumes (Optional):
Add the following volume mounts based on your setup requirements:
<host-openappsec-logs>:/var/log/nano_agent
<host-openappsec-conf-path>:/etc/cp/conf
<host-openappsec-data-path>:/etc/cp/data
<host-certs-path>:<container-certs-path>
<host-nginx-conf-path>:/etc/nginx/conf.d
These volumes are optional but recommended for persisting logs, configurations, and data between deployments.
Environment Variables:
Add an environment variable for the WebUI token:
Key: AGENT_TOKEN
Value: <YOUR_PROFILE_TOKEN> copied from the profile created in the prerequisites
Step 4: Docker Configuration
Entry Point:
Use the following entry point for the container:
Working Directory:
Set the working directory to root:
Step 5: Run the Task
Create a Service:
After defining the task, you can launch it by creating a service in ECS. This will ensure your open-appsec WAF runs continuously, scaling based on your needs.
Verify:
Once the service is up, check the ECS logs and ensure the agent is running properly. You can also monitor logs through your defined volume mounts.
Method 2: Automated Setup via JSON Task Definition
For users who prefer automating their setup, you can use the following ECS task definition in JSON format. This option is especially useful if you are deploying multiple environments or want to automate the process.
