Securing Docker on AWS - Securing the Hybrid Cloud

Post on 26-May-2020


Securing Docker on AWS


Container Architecture – How to Secure?

[Figure: deployment stacks and the image-to-container flow]
- Bare-metal stack (shown twice): Physical Hardware > Host OS > Container Runtime
- Virtualized stack: Physical Hardware > Virtual Machine Manager > Guest OS 1 with Container Runtime 1, Guest OS 2 with Container Runtime 2
- Registry holding Image A, Image B, Image C
- Run MyApp (4x Image A, 2x Image B, 3x Image C) > Containers 1 to 9 > Microservice A, Microservice B, Microservice C
- Orchestration

1. Deploy separate VMs or even physical hosts for separate workload types (e.g., PCI vs web traffic)
2. Bastion hosts, security groups
3. Keep kernel patches up-to-date… remember WannaCry ransomware?
4. Deploy a hardened and patched OS.
5. Need a container-specific mechanism that also takes into account image security – can’t use generic tools
6. Integrate with CI/CD pipeline
7. Understand networking implications
8. Embrace immutable infrastructures
9. Secure all five layers in the diagram at right

Docker Adoption & Container Lifetime = Need for Continuous Security

OS containers are not inherently insecure, but they are being deployed insecurely, driven by developers and a need for agility in service development and deployment. Security and risk management leaders must address container security issues around vulnerabilities, visibility, compromise and compliance.

Continuous Security Assessment and Remediation for Hybrid Workloads

[Figure: pipeline across three stages, Develop/Build, Test/Modify and Release/Production]
1: Pulls latest signed image (from a Public or Private Registry)
2: Image assessed and corrected (Image Scanning – Cavirin)
3: Commits code (CI/CD System)
4: Sends signed images (Docker Content Trust) to the registry
5: Triggers update (Staging)
6: Pulls latest stable image
7: Container assessed and corrected (Container Hardening – CIS Benchmarks inc. host, VM, and image; Orchestration CIS Benchmark)
8: Verified Container Deployed (Production)

Two feedback loops (labelled FeedbackLoop) return assessment results to the earlier stages.
Optional: Rancher & Kubernetes

AWS components shown in the figure: EC2 Container Registry, Public Registry, Elastic Beanstalk, EC2 w/ Docker, EC2 Container Service, CloudFormation (Docker Datacenter Quick Start, PCI DSS Quick Start), CloudTrail. A path labelled "Direct" is also shown.

Best Practices

- Reduce Clutter
- Use Trusted Image
- Sign Images and Verify
- Enforce Secrets Management
- Network Segmentation
- User Authentication
- Operations Governance
- Intrusion Detection

The five layers to secure (see point 9 above):
- Container Orchestration
- Container Network Segmentation
- Container User Access
- Host Operating System
- Container Runtime Environment
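As an added example (not code from the deck, nor from Cavirin or AWS), the following Python script shows what the deck's pipeline gate between step 2 ("image assessed and corrected") and step 8 ("verified container deployed") can look like when it enforces the Best Practices above: pull only from a trusted registry, require a verified signature, refuse images that run as root, refuse secrets baked into the image, and block scan findings above a severity threshold. The registry names (an ECR hostname with a placeholder account id and an internal registry), the report format and the two sample reports are constructed assumptions; in a real pipeline the report would be filled from your scanner's output and from image inspection.

```python
"""Deployment gate applying the deck's image checks before a container reaches production.
Added example; registry names, report shape and sample reports are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Registries the pipeline may pull from (steps 1 and 6 of the flow). Constructed values:
# an ECR hostname with a placeholder account id, and an internal registry name.
TRUSTED_REGISTRIES = {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "registry.internal.example",
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
MAX_ACCEPTED_SEVERITY = "MEDIUM"   # policy choice: findings above this block the release

# Env var names suggesting a secret was baked into the image instead of injected at runtime.
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "PRIVATE_KEY")


@dataclass
class ImageReport:
    ref: str                                   # "<registry>/<repo>:<tag>"
    signed: bool                               # content-trust signature verified on pull
    findings: List[Dict[str, str]] = field(default_factory=list)  # scanner output: id + severity
    config: Dict[str, object] = field(default_factory=dict)       # subset of image config


def registry_of(ref: str) -> str:
    """Return the registry host of an image reference; bare names resolve to docker.io."""
    first = ref.split("/")[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def evaluate(report: ImageReport) -> List[str]:
    """Return the policy violations; an empty list means the image may be deployed."""
    violations = []

    # Use Trusted Image: only pull from registries the organization controls.
    if registry_of(report.ref) not in TRUSTED_REGISTRIES:
        violations.append(f"untrusted registry: {registry_of(report.ref)}")

    # Sign Images and Verify: refuse anything whose signature was not verified.
    if not report.signed:
        violations.append("image signature not verified")

    # Container User Access: the image must not default to root.
    user = str(report.config.get("User", "")).split(":")[0]
    if user in ("", "root", "0"):
        violations.append("image runs as root (no USER set)")

    # Enforce Secrets Management: secrets belong in a secrets store, not in the image.
    for entry in report.config.get("Env", []):
        key, _, value = entry.partition("=")
        if value and any(marker in key.upper() for marker in SECRET_MARKERS):
            violations.append(f"secret baked into image env: {key}")

    # Image scanning: block on findings above the accepted severity (unknown severities block too).
    limit = SEVERITY_RANK[MAX_ACCEPTED_SEVERITY]
    for finding in report.findings:
        if SEVERITY_RANK.get(finding["severity"].upper(), limit + 1) > limit:
            violations.append(f"{finding['severity']} finding {finding['id']}")

    return violations


def approved(report: ImageReport) -> bool:
    """True when the image passes every check and may be deployed (step 8)."""
    return not evaluate(report)


# Constructed sample reports standing in for scanner and inspect output.
GOOD = ImageReport(
    ref="123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:1.4.2",
    signed=True,
    findings=[{"id": "EXAMPLE-FINDING-1", "severity": "LOW"}],
    config={"User": "10001:10001", "Env": ["APP_MODE=prod"]},
)
BAD = ImageReport(
    ref="myapp:latest",          # resolves to docker.io, which is not a trusted registry here
    signed=False,
    findings=[{"id": "EXAMPLE-FINDING-2", "severity": "CRITICAL"}],
    config={"Env": ["DB_PASSWORD=hunter2"]},   # root by default, secret in env
)

if __name__ == "__main__":
    for name, report in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "approved" if approved(report) else "blocked", evaluate(report))
```

The gate returns every violation rather than stopping at the first, so the feedback loop in the figure can hand the developer the full list to correct in one round; the severity threshold and the registry allow-list are the two knobs a team would tune per environment (stricter for the PCI workloads from point 1 than for ordinary web traffic).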