Securing Docker with AWS

https://hydrasit.com@hydrasit

Hello! I am Stephen Wilding, Founder of Hydras & AWS Solution Architect

You can find me at: @stephen_wilding

How To Run Docker on AWS


EC2: simply download and deploy Docker directly on an EC2 Linux instance

Elastic Beanstalk: Beanstalk provides a simple application environment for developers to upload Docker images for provisioning in ECS

EC2 Container Service: a scalable container management service providing the ability to run Docker on a managed cluster of EC2 instances

Building a Secure Foundation


What do you mean love?

It's

Docker Security is GREAT


Is Docker Security Really ?


First the Good


How containers implement good security practices

Containerisation: containers provide the ability to isolate applications on the same physical or virtual host using namespaces and cgroups.

Reduced attack surface: the lightweight nature of containers results in a reduced attack surface for the application, reducing its exposure.

Patching: patches can be deployed fast to all layers in the container, resulting in a more predictable runtime and reducing the chances of an outage.

Transient: containers should be treated as transient, meaning that they have less chance of accumulating vulnerabilities over time.

Control: since a Docker image is generally scripted via a Dockerfile, this makes it easier to control what software and data components are installed.

Enhanced security: Docker can utilise advanced security functions such as mounting filesystems read-only and implementing seccomp.

Then the Bad


Image Inheritance


How Secure Is Your Container?


>30% of Docker Hub Images with Vulnerabilities

Source: http://www.banyanops.com/blog/analyzing-docker-hub/

Mainly inherited from the base image:
- Large images containing lots of packages
- Deprecated versions
  - OpenSSL - Heartbleed / POODLE
  - Bash - Shellshock
- Attacker uploads a poisoned image

2. Insecure Host


Vulnerable Host = Vulnerable Containers!


And the Ugly


3. User Namespace

Although namespaces are used in Docker, the user namespace is not*

root on container = root on host

If a hacker breaks out of (or exploits a vulnerability in) a container, they can become root on the host.

*Fixed in Docker 1.10 (Feb 2016)

4. Docker Binary


The docker binary runs as root

Is this a problem?
- Users in the docker group can run the docker binary
- Users in the docker group = root
- Using the docker daemon to escalate privileges locally

Mounting a host filesystem into a container means the container could update root-owned files.

Reducing the Risk

Being aware of the risks provides a means to attempt to remove or mitigate them.

Image Inheritance

Be aware of where your images come from!
- Download from trusted sources
  - Docker Content Trust (>v1.8): signed images!!
- AWS EC2 Container Registry (ECR)
  - Store private images
  - Validate first & store
  - Now available in Ireland!
- Build from scratch
  - Build all of your own images from a simple base
  - Use a minimal image, i.e. Alpine / BusyBox

2. Insecure Host

Secure Your Docker Host: CIS Benchmark for Docker
- Host configuration
- Docker daemon configuration
- Docker daemon configuration files
- Container images and build files
- Container runtime
- Docker security operations

2. Insecure Host

Check with Docker Bench: https://github.com/docker/docker-bench-security

2. Insecure Host

Opsworks + ECS
- Opsworks = configure the host (using Chef)
- ECS = manage containers

3. User Namespaces

- Upgrade to Docker version 1.10 or greater*, or use the latest ECS optimised AMI
- Maintain a security level for containers, i.e. do not run high-security systems on the same hosts as systems of lower security
  - Use different ECS clusters
- Maintain an up-to-date incident process

*Most general Linux repos still contain older versions; ECS supports Docker 1.11

4. Docker Binary

- Exclusively use the host for Docker
- Control access to the host & the docker group
  - Opsworks / Chef
- Place hosts in a VPC and protect them with controlled bastion access and security groups
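As an added example (not from the talk), a small Python audit over the JSON that `docker inspect <container>` prints, together with the daemon.json settings, flagging the points raised above: root inside the container, writable host bind mounts, user namespace remapping left off, and the read-only / seccomp hardening not applied. The field names are those Docker itself emits; both sample records are constructed.

```python
# Added example: audit a `docker inspect` record against the risks the talk lists.
import json

# Constructed sample: a container started without any hardening.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False,
        "Binds": ["/etc:/host-etc:rw"],
        "ReadonlyRootfs": False,
        "SecurityOpt": ["seccomp=unconfined"],
        "UsernsMode": "",
    },
}])
# Constructed sample /etc/docker/daemon.json with no "userns-remap" key.
SAMPLE_DAEMON_JSON = json.dumps({"log-driver": "json-file"})


def audit_container(inspect_json: str, daemon_json: str = "{}") -> list:
    """Return one finding per risky setting; an empty list means nothing flagged."""
    container = json.loads(inspect_json)[0]
    daemon = json.loads(daemon_json)
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    # 3. User namespace: without userns-remap, uid 0 inside is uid 0 on the host.
    if not daemon.get("userns-remap") or host.get("UsernsMode") == "host":
        findings.append("no user namespace remapping: container root == host root")
    if not cfg.get("User"):
        findings.append("process runs as root inside the container (no USER set)")
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities and host devices")
    # 4. Docker binary: a writable host bind mount lets the container edit root-owned files.
    for bind in host.get("Binds") or []:
        src, _, rest = bind.partition(":")
        if src.startswith("/") and not rest.endswith(":ro"):
            findings.append(f"writable host path mounted: {src}")
    # Enhanced security: read-only root filesystem and seccomp should stay enabled.
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (consider --read-only)")
    if "seccomp=unconfined" in (host.get("SecurityOpt") or []):
        findings.append("seccomp profile disabled (seccomp=unconfined)")
    return findings


if __name__ == "__main__":
    for finding in audit_container(SAMPLE_INSPECT, SAMPLE_DAEMON_JSON):
        print("WARN:", finding)
```

On a real host, feed it `docker inspect <id>` and the contents of /etc/docker/daemon.json; Docker Bench (linked above) covers the same ground far more completely.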

Wrapping Up


Containerisation (Docker) has security advantages

Security quirks still exist
- Be aware and mitigate appropriately
- Improving all the time

Use AWS features and services to aid in applying security to containers: ECS / Opsworks / VPC / IAM / Security Groups

Final Thoughts

Thanks! Any questions?

You can find us at:
w: http://hydrasit.com
e: info@hydrasit.com
tw: @hydrasit
fb: hydrasit

You can find me at:
e: stephen@hydrasit.com
t: @stephen_wilding