Security Considerations

When deploying the ESET PRIVATE Static Scanning Engine solution on AWS ECS or EKS, it is recommended to consider the following aspects to ensure proper configuration, data protection, compliance, and defense against unauthorized access, while also leveraging the solution’s no-storage privacy model:

Public Accessibility: Public exposure of Scanner services (gRPC API endpoint) is not recommended. Deploy the solution within private VPC subnets accessible only through internal networking. If external access is required, implement an additional authentication layer such as AWS Network Load Balancer (NLB) with TLS termination and client certificate authentication, API Gateway with OAuth2 validation, or VPN or AWS PrivateLink for Scanner Agent-to-Scanner connectivity.

Network Isolation: Place Cloud Scanner components in private subnets. Restrict Security Groups to allow only:

- Inbound: Scanner Agent → Scanner (gRPC port, TCP 50051).

- Outbound: Scanner(s) → ESET Update Servers (HTTPS, TCP 443).

IAM Boundaries: Apply the ECSListReceivedLicenses / EKSListReceivedLicenses policies only to container execution roles. Avoid overly permissive policies; use the AWS-managed License Manager permissions exclusively for subscription checks.

Follow the Principle of Least Privilege:

- Limit IAM roles to license-manager:ListReceivedLicenses for subscription verification.

- Give container roles no ECR push/write access (pull-only for images).

- Avoid persistent storage volumes and rely on ephemeral storage, since scanned files are not retained.
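The IAM and Security Group guidance above, as an added example that is not ESET's or AWS's code: a small Python audit that flags task-role actions beyond license-manager:ListReceivedLicenses and ECR image pulls, and Security Group rules other than inbound TCP 50051 from the Scanner Agent group and outbound TCP 443. The policy documents, rule sets and the sg-agent-placeholder id are constructed inputs; the egress check accepts TCP 443 to any destination because the ESET Update Server addresses are not listed on this page.

```python
"""Added example (not ESET's or AWS's code): audit an IAM policy document and a
Security Group rule set against the least-privilege and network-isolation
guidance above. Policies, rules and the agent SG id below are constructed."""
import json

# The only action the scanner task role needs for subscription verification.
ALLOWED_ACTIONS = {"license-manager:ListReceivedLicenses"}
# ECR pull-only: these read actions are accepted, anything that writes is a finding.
ECR_PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
}
ECR_PUSH_PREFIXES = ("ecr:Put", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                     "ecr:CompleteLayerUpload", "ecr:CreateRepository", "ecr:DeleteRepository")

SCANNER_GRPC_PORT = 50051
HTTPS_PORT = 443
AGENT_SG = "sg-agent-placeholder"  # constructed placeholder, not a real Security Group id


def _as_list(value):
    """IAM allows a string or a list in Statement/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_iam_policy(policy: dict) -> list[str]:
    """Return findings for Allow actions beyond license check + ECR pull."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ALLOWED_ACTIONS or action in ECR_PULL_ACTIONS:
                continue
            if "*" in action:
                findings.append(f"wildcard action not allowed: {action}")
            elif action.startswith(ECR_PUSH_PREFIXES):
                findings.append(f"ECR write/push action on a pull-only role: {action}")
            else:
                findings.append(f"unexpected action: {action}")
    return findings


def audit_security_group(rules: list[dict]) -> list[str]:
    """Findings for any rule other than: inbound TCP 50051 from the agent SG,
    outbound TCP 443 (update servers; destination not narrowed here)."""
    findings = []
    for r in rules:
        direction, proto, port, peer = r["direction"], r["protocol"], r["port"], r["peer"]
        if direction == "ingress":
            if proto == "tcp" and port == SCANNER_GRPC_PORT and peer == AGENT_SG:
                continue
            findings.append(f"unexpected inbound rule: {proto}/{port} from {peer}")
        elif direction == "egress":
            if proto == "tcp" and port == HTTPS_PORT:
                continue
            findings.append(f"unexpected outbound rule: {proto}/{port} to {peer}")
    return findings


# Constructed sample: an overly broad task-role policy and an open Security Group.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["license-manager:*", "ecr:PutImage", "s3:GetObject"]}],
}
BROAD_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port": 50051, "peer": "0.0.0.0/0"},
    {"direction": "egress", "protocol": "-1", "port": None, "peer": "0.0.0.0/0"},
]
# Constructed sample: the same role and group tightened to the page's guidance.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "license-manager:ListReceivedLicenses", "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(ECR_PULL_ACTIONS), "Resource": "*"},
    ],
}
TIGHT_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port": 50051, "peer": AGENT_SG},
    {"direction": "egress", "protocol": "tcp", "port": 443, "peer": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, pol, rules in (("broad", BROAD_POLICY, BROAD_RULES),
                             ("tight", TIGHT_POLICY, TIGHT_RULES)):
        print(name, json.dumps(audit_iam_policy(pol) + audit_security_group(rules), indent=2))
```

Run as a script it prints three IAM findings and two Security Group findings for the broad sample and none for the tight one; in a real pipeline the inputs would come from `aws iam get-policy-version` and `aws ec2 describe-security-group-rules` output, which is outside this example.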

Data Protection:

- Scanned files are never stored post-analysis, minimizing the risk of data exposure.

- Enable VPC Flow Logs and CloudTrail for audit trails.

Container Hardening:

- Use only official ESET Docker images.

- Do not modify or change the content of the ESET Docker images.

- Enable Kubernetes Pod Security Standards (restricted profile) or ECS task immutability.
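For the Pod Security Standards item above, an added example that is not ESET's or the Kubernetes project's code: a Python check that evaluates a pod spec against the controls the restricted profile enforces (no host namespaces, no privileged containers, allowPrivilegeEscalation explicitly false, capabilities dropped, runAsNonRoot, a seccomp profile) and, following this page's ephemeral-storage guidance, flags hostPath and persistent volume types. Both pod specs and the image name are constructed placeholders; the unmodified ESET image is used as-is, only the pod spec is hardened.

```python
"""Added example (not ESET's or Kubernetes' code): check a pod spec against the
controls enforced by the Pod Security Standards 'restricted' profile, plus this
page's ephemeral-storage-only guidance. Pod specs and image names are constructed."""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
# Ephemeral volume types only; hostPath and persistentVolumeClaim are flagged.
ALLOWED_VOLUME_TYPES = {"emptyDir", "configMap", "secret", "projected", "downwardAPI"}


def check_pod_restricted(pod: dict) -> list[str]:
    """Return a list of findings; an empty list means the spec passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} must not be set")

    for vol in spec.get("volumes", []):
        # A volume entry is {"name": ..., "<type>": {...}}; pick the type key.
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in ALLOWED_VOLUME_TYPES:
            findings.append(f"volume {vol.get('name')}: type {vtype} not allowed (ephemeral only)")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            findings.append(f"{name}: added capabilities not allowed: {sorted(extra)}")
        # Pod-level settings apply unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true (container or pod level)")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


# Constructed sample: a permissive spec the restricted profile would reject.
LOOSE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "scanner-loose"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "data", "hostPath": {"path": "/var/lib/scanner"}}],
        "containers": [{
            "name": "scanner",
            "image": "registry.example/eset-scanner:placeholder",
            "securityContext": {"privileged": True},
        }],
    },
}
# Constructed sample: the same workload with a spec that satisfies the profile.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "scanner-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "scanner",
            "image": "registry.example/eset-scanner:placeholder",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (LOOSE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod_restricted(pod) or "OK")
```

The loose spec produces seven findings and the hardened one none. In a cluster the same policy is enforced by labelling the namespace with pod-security.kubernetes.io/enforce=restricted; a check like this one is useful earlier, in CI, before the manifest reaches the admission controller.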

Monitoring & Compliance:

- Enable AWS Config rules for IAM/ECS/EKS compliance checks.

- Monitor Metering Service calls through CloudWatch.

- Regularly rotate IAM access tokens used for Update Server connectivity (if applicable / used in your deployment).

Update Management: Automated module downloads from ESET Update Servers ensure the latest threat intelligence; maintain outbound HTTPS access without exposing inbound ports.

General Best Practices: Follow the AWS service-specific security recommendations for EKS / ECS / ECR.