AWS Dependency Services
This section catalogs all AWS services required for deploying ESET PRIVATE Static Scanning Engine on EKS or ECS platforms, organized by shared dependencies and platform-specific requirements. The tables detail each service's purpose and its relationship to the scanner deployment, IAM roles/policies, networking, and validation workflows from the provided guides.
Shared Services (EKS & ECS)
| Service | Purpose | Relationship |
|---|---|---|
| AWS Marketplace | Product discovery, subscription and metering. | Users subscribe to the ESET PRIVATE Static Scanning Engine here; enables license validation (ListReceivedLicenses) and usage reporting (RegisterUsage) via Metering APIs. |
| Container Registry (Amazon ECR) | Stores and distributes Docker images for Scanner components. | Both platforms pull images (e.g., 709825985650.dkr.ecr...). Requires AmazonECSTaskExecutionRolePolicy + ECR read permissions. |
| AWS License Manager | Tracks received licenses and subscription status. | Scanner calls ListReceivedLicenses via IRSA to verify active subscription. |
| AWS Marketplace Metering Service | Tracks subscription usage metrics for billing and compliance tracking. | Marketplace subscription metric used to monitor and bill Scanner solution runtime costs based on actual user usage. |
| Amazon CloudWatch Logs | Centralized logging for troubleshooting. | EKS: Pod stdout → Logs via sidecar. ECS: awslogs driver to /ecs/scanner group. Essential for license/metering verification. |
| ESET Update Servers | Delivers continuously updated malware signatures, definitions, and scanning modules. | Scanner downloads periodically; requires outbound HTTPS to *.eset.com. Without connectivity and successful downloads, core detection functions fail. |
EKS-Specific Services
Required for Kubernetes-based deployments using IRSA credential injection.
| Service | Purpose | Relationship |
|---|---|---|
| IAM Policy & Roles (EKS policy name: EKSListReceivedLicenses) | Secure AWS API access. | Custom EKSListReceivedLicenses + AWSMarketplaceMeteringRegisterUsage attached to the IRSA service account marketplace-sa in the marketplace namespace. A missing policy blocks scanner launch and license checks. |
| IAM Roles for Service Accounts (IRSA) | Pod-level AWS credential injection. | eksctl create iamserviceaccount → Scanner pod: provisions marketplace-sa with the policies above. Scanner pod uses serviceAccountName: marketplace-sa for API calls. Requires cluster OIDC provider. |
| Amazon EKS | Managed Kubernetes orchestrator for Scanner deployment. | Minimum single-node cluster with OIDC for IRSA. Deploys Scanner deployment + ClusterIP Service on ports 50051/50053. |
ECS-Specific Services
Required for Fargate serverless deployments with task IAM roles and external NLB exposure.
| Service | Purpose | Relationship |
|---|---|---|
| IAM Policy & Roles (ECS policy name: ECSListReceivedLicenses) | Secure AWS API access. | Custom ECSListReceivedLicenses + AWSMarketplaceMeteringRegisterUsage attached to task role ecs-scanner-task-role; execution role ecs-scanner-execution-role for ECR/Logs. A missing policy blocks scanner launch and license checks. |
| Amazon ECS | Managed container orchestrator (Fargate/EC2). | Fargate tasks (awsvpc mode, 1 vCPU/2GB) + service with NLB integration. No IRSA needed. |
| Elastic Load Balancing (NLB) | External access to scanner. | TCP listener port 50051 → IP target group. Public endpoint for agent validation (${NLB_DNS}:50051). |
| VPC / Security Groups | Network isolation/access control. | Default VPC subnets + scanner-sg (inbound TCP/50051 from 0.0.0.0/0, public IP enabled). |
Only services explicitly listed in the tables above are mandatory for ESET PRIVATE Scanning Engine deployment on AWS EKS/ECS. Anything not listed is not required, though customer-specific implementations and integrations may vary based on unique use cases, additional networking, monitoring, or custom configurations.
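
The ECS table above names two policies that must be attached to the task role and one inbound rule on scanner-sg. The following preflight check is an added example, not part of the ESET guides: it takes dictionaries shaped like the output of boto3's `list_attached_role_policies` and `describe_security_groups`, reports any missing policy, and notes when TCP/50051 is unreachable or open to any address. The function names and the sample data are constructed for illustration.

```python
# Added example: offline preflight for the ECS prerequisites in the table above.
# Policy names and port come from the page; function names are hypothetical.
REQUIRED_POLICIES = {"ECSListReceivedLicenses", "AWSMarketplaceMeteringRegisterUsage"}
SCANNER_PORT = 50051

def missing_policies(attached):
    """attached: dict shaped like iam.list_attached_role_policies() output."""
    names = {p["PolicyName"] for p in attached.get("AttachedPolicies", [])}
    return sorted(REQUIRED_POLICIES - names)

def port_sources(group, port=SCANNER_PORT):
    """Sources allowed to reach `port` in one ec2.describe_security_groups() group."""
    sources = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" means all protocols and carries no port range in the API output.
        in_range = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        if proto == "-1" or (proto == "tcp" and in_range):
            sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return sources

def preflight(attached, group):
    """Return a list of findings; an empty list means nothing to report."""
    findings = [f"MISSING task-role policy: {n}" for n in missing_policies(attached)]
    sources = port_sources(group)
    if not sources:
        findings.append(f"BLOCKED no inbound rule covers TCP/{SCANNER_PORT}")
    findings += [f"OPEN TCP/{SCANNER_PORT} reachable from any address ({s})"
                 for s in sources if s in ("0.0.0.0/0", "::/0")]
    return findings

# Constructed sample data (not captured from a real account).
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AWSMarketplaceMeteringRegisterUsage"}]}
SAMPLE_GROUP = {"GroupName": "scanner-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 50051, "ToPort": 50051,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}

if __name__ == "__main__":
    for line in preflight(SAMPLE_ATTACHED, SAMPLE_GROUP):
        print(line)
```

To run it against a live account, pass the boto3 responses for ecs-scanner-task-role and the scanner-sg entry from `SecurityGroups` in place of the sample dictionaries.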