nrider1129/auto-pull-cs-image

CrowdStrike Image Sync & ECS Patcher

A comprehensive toolkit for CrowdStrike Falcon sensor deployment in AWS environments. This project provides two complementary tools for automating CrowdStrike sensor integration with containerized workloads.

Overview

This toolkit streamlines the complete workflow for deploying CrowdStrike Falcon sensors in AWS ECS environments:

  1. Image Sync: Automatically synchronizes CrowdStrike sensor images from CrowdStrike's registry to your AWS ECR repositories
  2. ECS Patcher: Patches existing ECS task definitions to integrate CrowdStrike sensors using the official container pattern

Architecture

┌────────────────────┐    ┌────────────────────┐    ┌────────────────────┐
│    CrowdStrike     │    │      AWS ECR       │    │     ECS Tasks      │
│      Registry      │───▶│    Repositories    │───▶│     (Patched)      │
│                    │    │                    │    │                    │
│ • falcon-sensor    │    │ • falcon-sensor    │    │ • Init Pattern     │
│ • falcon-container │    │ • falcon-container │    │ • Multi-Arch       │
│ • falcon-kac       │    │ • falcon-kac       │    │ • Auto Config      │
└────────────────────┘    └────────────────────┘    └────────────────────┘
      image-sync                    │                    ecs-patcher
       (Step 1)                     │                      (Step 2)
                                    ▼
                           ┌─────────────────┐
                           │ Sensor Updates  │
                           │   Available     │
                           └─────────────────┘

Tools

🔄 Image Sync (image-sync/)

Purpose: Synchronize CrowdStrike sensor images to AWS ECR

Key Features:

  • Multi-sensor support: falcon-sensor, falcon-container, falcon-kac
  • Multi-region deployment: us-1, us-2, us-gov-1
  • OAuth2 authentication with CrowdStrike API
  • Auto-region discovery for optimal API performance
  • Secure credential storage with AWS Secrets Manager
  • Comprehensive logging and error handling
  • ECR lifecycle management with configurable retention

Quick Start:

cd image-sync/
./setup-credentials.sh  # Interactive setup
cs-image-sync sync-images --dry-run
cs-image-sync sync-images

⚙️ ECS Patcher (ecs-patcher/)

Purpose: Patch ECS task definitions with CrowdStrike sensor integration

Key Features:

  • Official fcs-cli integration: Uses CrowdStrike's official CLI for reliable and consistent patching
  • Smart discovery: Finds and filters ECS task definitions automatically
  • Multi-architecture support: X86_64 and ARM64 with automatic configuration
  • Configuration-driven: YAML-based configuration with flexible filtering
  • Service automation: Automatically updates ECS services after patching
  • Validation: Ensures patched definitions meet CrowdStrike requirements
  • Backup system: Automatic backup of original task definitions

Quick Start:

cd ecs-patcher/
# Install fcs-cli from CrowdStrike console first
ecs-patcher validate-system      # Check requirements
# Edit ecs-patcher.yaml with your configuration
ecs-patcher list-candidates
ecs-patcher patch-tasks --dry-run
ecs-patcher patch-tasks

Complete Workflow

1. Initial Setup

# Set up image synchronization
cd image-sync/
./setup-credentials.sh

# Configure ECS patching
cd ../ecs-patcher/
cp ecs-patcher.yaml.example ecs-patcher.yaml
# Edit ecs-patcher.yaml with your settings

2. Sync CrowdStrike Images

cd image-sync/
cs-image-sync sync-images

3. Patch ECS Task Definitions

cd ../ecs-patcher/

# Validate system requirements (including fcs-cli)
ecs-patcher validate-system

ecs-patcher patch-tasks --dry-run  # Test first
ecs-patcher patch-tasks            # Apply patches

4. Verify Deployment

# Check patched task definitions
ecs-patcher show-services arn:aws:ecs:region:account:task-definition/family:revision

# Monitor running tasks
aws ecs list-tasks --cluster your-cluster --family your-family

Architecture Support

Both tools support multi-architecture deployments:

X86_64 (Intel/AMD)

  • Traditional x86_64 architecture
  • Uses /lib64 library paths
  • Compatible with most existing infrastructure

ARM64 (AWS Graviton)

  • Modern ARM64 architecture (AWS Graviton, Apple Silicon)
  • Uses /lib library paths
  • Cost-effective and energy-efficient

Configuration: Specify architecture in your ECS patcher configuration:

crowdstrike:
  architecture: "ARM64"  # or "X86_64"

Security Features

🔐 Automatic Credential Protection

  • Log scrubbing: Prevents credentials from appearing in logs
  • AWS Secrets Manager: Secure credential storage with rotation support
  • Multi-layer protection: Security at logging, display, and storage levels
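One way to get the log-scrubbing behaviour listed above, as an added example rather than the project's own code. The key names, the bearer-token pattern and the sample log lines are assumptions constructed for illustration.

```python
import io
import logging
import re

# Assumed secret shapes: key=value / key: value pairs and bearer tokens.
_PATTERNS = [
    re.compile(r"(?i)\b(client_secret|access_token|password)\b(\s*[=:]\s*)(['\"]?)[^\s'\",&]+"),
    re.compile(r"(?i)\b(Bearer)(\s+)()[A-Za-z0-9._~+/=-]+"),
]


def scrub(text):
    """Replace secret values with [REDACTED], keeping the key and separator."""
    for pat in _PATTERNS:
        text = pat.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + "[REDACTED]", text)
    return text


class ScrubFilter(logging.Filter):
    def filter(self, record):
        # Render msg % args first so secrets passed as arguments are caught too.
        record.msg = scrub(record.getMessage())
        record.args = None
        return True


def demo():
    """Log two constructed lines through the filter and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attach to the handler, not the logger: logger-level filters are skipped
    # for records that propagate up from child loggers.
    handler.addFilter(ScrubFilter())
    log = logging.getLogger("scrub-demo")
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.debug("token request client_id=%s&client_secret=%s", "abc123", "s3cr3t-value")
    log.info("Authorization: Bearer %s", "eyJhbGciOi.payload.sig")
    log.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Tracebacks are rendered later by the formatter, so a secret embedded in an exception message is not covered by this filter and needs a scrubbing `Formatter` as well.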

🛡️ Container Security

  • Read-only root filesystem for init containers
  • Minimal privileges with targeted capabilities
  • Secure volume mounts with proper permissions

Configuration Examples

Image Sync Configuration

# ~/.cs-image-sync.yaml
crowdstrike:
  use_secrets_manager: true
  secret_name: "crowdstrike-api-credentials-us-1"
  cloud: "us-1"

aws:
  region: "ca-central-1"
  profile: "your-profile"

sync:
  sensor_types:
    - falcon-sensor
    - falcon-container
    - falcon-kac
  retention_days: 30
  max_images_per_type: 2

ECS Patcher Configuration

# ecs-patcher.yaml
crowdstrike:
  image_uri: "123456789012.dkr.ecr.ca-central-1.amazonaws.com/crowdstrike/falcon-container:latest"
  customer_id: "your-customer-id-here"
  architecture: "ARM64"
  sensor_tags: "Environment:Production,Team:Security"

task_filter:
  family_patterns:
    - "web-*"
    - "api-*"
  exclude_patterns:
    - "*-test"
    - "*-staging"

patching:
  backup_definitions: true
  update_services: true
  validate_after_patch: true

Requirements

System Dependencies

  • fcs-cli: CrowdStrike's official Falcon Container Security CLI (required for ECS patcher)
  • Python 3.8+: Runtime environment
  • AWS CLI: For AWS service interactions

AWS Permissions

Both tools require appropriate AWS permissions:

  • ECR: Repository access for image operations
  • ECS: Task definition and service management
  • Secrets Manager: Credential storage (image-sync)
  • Logs: CloudWatch logs access

CrowdStrike API

  • API Client ID & Secret with appropriate permissions
  • Customer ID for sensor configuration
  • fcs-cli: Download from CrowdStrike console for ECS patching

Monitoring & Troubleshooting

Common Issues

  1. Architecture Mismatch

    TaskFailedToStart: exec format error
    

    Solution: Ensure image architecture matches task definition architecture

  2. Missing Images

    CannotPullContainerError: not found
    

    Solution: Run image-sync first to populate ECR repositories

  3. Authentication Errors

    UnauthorizedOperation
    

    Solution: Verify AWS credentials and CrowdStrike API access
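A post-patch audit that checks a task definition against the Container Security properties, the configured `architecture`, and the image reference discussed above. This is an added example, not part of ecs-patcher; the container name `falcon-init`, the `SYS_PTRACE` allow-list and treating a missing `runtimePlatform` as X86_64 are assumptions.

```python
import re

# Constructed sample shaped like the `taskDefinition` object from `aws ecs describe-task-definition`.
SAMPLE_TASK_DEF = {
    "runtimePlatform": {"cpuArchitecture": "X86_64"},
    "containerDefinitions": [
        {"name": "falcon-init",  # hypothetical name for the sensor container
         "image": "123456789012.dkr.ecr.ca-central-1.amazonaws.com/"
                  "crowdstrike/falcon-container:latest",
         "readonlyRootFilesystem": False},
        {"name": "web", "privileged": True,
         "image": "123456789012.dkr.ecr.ca-central-1.amazonaws.com/web:1.4.2",
         "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE", "SYS_ADMIN"]}}},
    ],
}
SENSOR_REPO = "crowdstrike/falcon-container"   # repository path taken from image_uri
ALLOWED_CAPS = {"SYS_PTRACE"}                   # assumed allow-list for this example
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")   # image referenced by digest

def audit_task_definition(task_def, expected_arch, sensor_repo, allowed_caps):
    """Return (container, finding) tuples; an empty list means no findings."""
    findings = []
    # A missing runtimePlatform is treated as X86_64 (assumption).
    arch = task_def.get("runtimePlatform", {}).get("cpuArchitecture", "X86_64")
    if arch != expected_arch:
        findings.append(("<task>", f"cpuArchitecture {arch}, config expects {expected_arch}"))
    sensor_seen = False
    for c in task_def.get("containerDefinitions", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if sensor_repo in image:
            sensor_seen = True
            if not PINNED.search(image):
                findings.append((name, "sensor image uses a mutable tag, not a digest"))
            if not c.get("readonlyRootFilesystem", False):
                findings.append((name, "sensor container root filesystem is writable"))
        if c.get("privileged", False):
            findings.append((name, "privileged mode enabled"))
        added = c.get("linuxParameters", {}).get("capabilities", {}).get("add", [])
        extra = sorted(set(added) - set(allowed_caps))
        if extra:
            findings.append((name, "capabilities outside allow-list: " + ", ".join(extra)))
    if not sensor_seen:
        findings.append(("<task>", f"no container uses an image from {sensor_repo}"))
    return findings

if __name__ == "__main__":
    for who, what in audit_task_definition(SAMPLE_TASK_DEF, "ARM64", SENSOR_REPO, ALLOWED_CAPS):
        print(f"{who}: {what}")
```

Run against the sample with `ARM64` expected, it reports the architecture mismatch that surfaces at runtime as `exec format error`, the `:latest` sensor tag, the writable sensor root filesystem, and the privileged `web` container with `SYS_ADMIN`.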

Debug Commands

# Image sync debugging
cs-image-sync --log-level DEBUG validate

# ECS patcher debugging
ecs-patcher --log-level DEBUG list-candidates

Advanced Usage

Automated CI/CD Integration

# In your CI/CD pipeline
cs-image-sync sync-images --sensor-type falcon-container
ecs-patcher patch-tasks --family-pattern "production-*"

Multi-Region Deployment

# Sync to multiple regions (one config file per region)
for region in us-east-1 us-west-2 eu-west-1; do
  cs-image-sync -c "config-${region}.yaml" sync-images
done

Custom Filtering

# Target specific environments
ecs-patcher patch-tasks \
  --family-pattern "web-*" \
  --cluster-pattern "production-*" \
  --exclude-pattern "*-test"

License

MIT License - see individual tool directories for details.
