https://hydrasit.com@hydrasit
Hello! I am Stephen Wilding
Founder of Hydras &
AWS Solution Architect
You can find me at: @stephen_wilding
EC2
Simply download and deploy Docker directly on an EC2 Linux instance
Elastic Beanstalk
Beanstalk provides a simple application environment for developers to upload Docker images for provisioning in ECS
EC2 Container Service
Scalable container management service providing the ability to run Docker on a managed cluster of EC2 instances
What do you mean, love? It's
Docker Security is GREAT
Is Docker Security Really?
First the Good
How containers implement good security practices
Containerisation: Containers provide the ability to isolate applications on the same physical or virtual host using namespaces and cgroups.
Reduced Attack Surface: The lightweight nature of containers results in a reduced attack surface for the application, reducing its exposure.
Patching: Patches can be deployed fast to all layers in the container, resulting in a more predictable runtime and reducing the chances of an outage.
Transient: Containers should be treated as transient, meaning that they have less chance of accumulating vulnerabilities over time.
Control: Since a Docker image is generally scripted via a Dockerfile, this makes it easier to control what software and data components are installed.
Enhanced Security: Docker can utilise advanced security functions such as mounting filesystems read-only and implementing seccomp.
Then the Bad
>30% of Docker Hub Images with Vulnerabilities
Source: http://www.banyanops.com/blog/analyzing-docker-hub/
◎ Mainly inherited from the base image
◎ Large images containing lots of packages
◎ Deprecated versions
○ OpenSSL - Heartbleed/POODLE
○ Bash - Shellshock
◎ Attacker uploads a poisoned image
And the Ugly
◎ Although namespaces are used in Docker, the user namespace is not*
○ root in the container = root on the host
○ If a hacker breaks out of (or exploits a vulnerability in) a container, they can become root on the host
*Fixed in Docker 1.10 (Feb 2016)
◎ Is this a problem?
○ Users in the "docker" group can run the docker binary
◉ Users in the "docker" group = root
◉ Using the docker daemon to escalate privileges locally
○ Mounting a host filesystem into a container means the container could update root-owned files
Reducing the Risk
Being aware of the risks provides a means to attempt to remove or mitigate them
1. Image Inheritance
Be aware of where your images come from!
◎ Download from trusted sources
○ Docker Content Trust (>v1.8)
◉ Signed images!!
○ AWS EC2 Container Registry (ECR)
◉ Store private images
◉ Validate first & store
◉ Now available in Ireland!
◎ Build "from scratch"
○ Build all of your own images from a simple base
◎ Use a minimal image
○ i.e. Alpine/BusyBox
2. Insecure Host
Secure Your Docker Host
◎ CIS Benchmark for Docker
1. Host configuration
2. Docker daemon configuration
3. Docker daemon configuration files
4. Container images and build files
5. Container runtime
6. Docker security operations
2. Insecure Host
◎ Check with "Docker Bench"
https://github.com/docker/docker-bench-security
2. Insecure Host
◎ OpsWorks + ECS
◎ OpsWorks = configure the host (using Chef)
◎ ECS = manage containers
3. User Namespaces
◎ Upgrade to Docker version 1.10 or greater*, or use the latest ECS optimised AMI
◎ Maintain a security level for containers
○ i.e. do not run high-security systems on the same hosts as systems of lower security
◉ Use different ECS clusters
◎ Maintain an up-to-date incident process
*Most general Linux repos still contain older versions. ECS supports Docker 1.11
4. Docker Binary
◎ Use the host exclusively for Docker
◎ Control access to the host & the docker group
○ OpsWorks/Chef
◎ Place hosts in a VPC and protect them with controlled bastion access and security groups
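The four mitigation slides above (image trust, host hardening, user namespaces, access to the docker binary) can be turned into a quick host audit. The script below is an added example and not part of the talk: it checks the Docker version against 1.10, whether user namespace remapping shows up in `docker info`, who is in the docker group, and whether DOCKER_CONTENT_TRUST is enforced, and it falls back to a constructed weak-host sample when docker is not installed.

```shell
#!/bin/sh
# Added example, not the speaker's script: text-based checks for the four risks
# in the deck. Each helper takes captured command output so it runs offline.

# docker_version_ok VERSION -> 1 if >= 1.10 (first release with user namespaces)
docker_version_ok() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 10 ]; }; then
    echo 1
  else
    echo 0
  fi
}

# userns_enabled "docker info output" -> 1 if userns is listed under Security Options
userns_enabled() { echo "$1" | grep -q 'userns' && echo 1 || echo 0; }

# docker_group_members "getent group docker line" -> users who are root-equivalent
docker_group_members() { echo "$1" | cut -d: -f4; }

# content_trust_ok "$DOCKER_CONTENT_TRUST" -> 1 if only signed images are pulled
content_trust_ok() { [ "$1" = "1" ] && echo 1 || echo 0; }

# risk_count VERSION INFO GROUPLINE TRUST -> number of failed checks (0 = all
# good); each failure is described on stderr
risk_count() {
  n=0
  [ "$(docker_version_ok "$1")" = 1 ] ||
    { echo "FAIL: Docker $1 is older than 1.10, no user namespaces" >&2; n=$((n+1)); }
  [ "$(userns_enabled "$2")" = 1 ] ||
    { echo "FAIL: user namespace remapping off (container root = host root)" >&2; n=$((n+1)); }
  [ -z "$(docker_group_members "$3")" ] ||
    { echo "FAIL: docker group grants root to: $(docker_group_members "$3")" >&2; n=$((n+1)); }
  [ "$(content_trust_ok "$4")" = 1 ] ||
    { echo "FAIL: DOCKER_CONTENT_TRUST not set, unsigned images accepted" >&2; n=$((n+1)); }
  echo "$n"
}

# Constructed sample of a weak host (not captured from a real system)
SAMPLE_VERSION="1.9.1"
SAMPLE_INFO="Security Options:
 apparmor"
SAMPLE_GROUP="docker:x:999:alice,bob"

if command -v docker >/dev/null 2>&1; then
  risk_count "$(docker version --format '{{.Server.Version}}' 2>/dev/null)" \
    "$(docker info 2>/dev/null)" "$(getent group docker 2>/dev/null)" "${DOCKER_CONTENT_TRUST:-}"
else
  risk_count "$SAMPLE_VERSION" "$SAMPLE_INFO" "$SAMPLE_GROUP" "${DOCKER_CONTENT_TRUST:-}"
fi
```

The constructed sample reports four findings; a host on Docker 1.11 with userns remapping, an empty docker group and DOCKER_CONTENT_TRUST=1 reports zero.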
Final Thoughts
◎ Containerisation (Docker) has security advantages
◎ Security "quirks" still exist
○ Be aware and mitigate appropriately
○ Improving all the time
◎ Use AWS features and services to aid in applying security to containers
○ ECS/OpsWorks/VPC/IAM/Security Groups
Thanks! Any questions?
You can find us at: w: http://hydrasit.com e: [email protected] t: @hydrasit fb: hydrasit
You can find me at: e: [email protected] t: @stephen_wilding