
https://hydrasit.com@hydrasit

Securing Docker with AWS


Hello! I am Stephen Wilding

Founder of Hydras &

AWS Solution Architect

You can find me at: @stephen_wilding

How To Run Docker on AWS


EC2

Simply download and deploy Docker directly on an EC2 Linux instance.

Elastic Beanstalk

Beanstalk provides a simple application environment for developers to upload Docker images for provisioning in ECS.

EC2 Container Service

Scalable container management service providing the ability to run Docker on a managed cluster of EC2 instances.

Building a Secure Foundation


What do you mean love?

It’s

Docker Security is GREAT


Is Docker Security Really?

First the Good


How containers implement good security practices

◎ Containerisation: Containers provide the ability to isolate applications on the same physical or virtual host using namespaces and cgroups.

◎ Reduced Attack Surface: The lightweight nature of containers results in a reduced attack surface for the application, reducing its exposure.

◎ Patching: Patches can be deployed fast to all layers in the container, resulting in a more predictable runtime and reducing the chance of outage.

◎ Transient: Containers should be treated as transient, meaning that they have less chance of accumulating vulnerabilities over time.

◎ Control: Since a Docker image is generally scripted via a Dockerfile, this makes it easier to control what software and data components are installed.

◎ Enhanced Security: Docker can utilise advanced security functions such as mounting filesystems read-only & implementing seccomp.

Then the Bad


1. Image Inheritance

How Secure Is Your Container?


>30% of Docker Hub Images with Vulnerabilities

Source: http://www.banyanops.com/blog/analyzing-docker-hub/

◎ Mainly inherited from base image
◎ Large images containing lots of packages
◎ Deprecated versions
○ OpenSSL - Heartbleed/POODLE
○ Bash - Shellshock
◎ Attacker uploads poisoned image

2. Insecure Host


Vulnerable Host = Vulnerable Containers!


And the Ugly


3. User Namespace


◎ Although namespaces are used in Docker, the user namespace is not*
○ root on container = root on host
○ If a hacker breaks out (or exploits) a vulnerability in a container they can become root on the host

*Fixed in Docker 1.10 (Feb 2016)

4. Docker Binary


The docker binary runs as root

◎ Is this a problem?
○ Users in the “docker” group can run the docker binary
◉ Users in the “docker” group = root
○ Using the docker daemon to escalate privileges locally
○ Mounting a host filesystem to a container means the container could update root-owned files
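Added example, not from the deck: whether a container can touch root-owned host files, share a host namespace, or run with every capability is decided on the `docker run` command line, so the check below parses such a command line and reports the options that hand out host access, together with the hardening options from the earlier "Enhanced Security" slide (read-only root filesystem, seccomp, dropped capabilities, non-root user) that are missing. Nothing is executed; the two sample commands and their image names are constructed.

```shell
#!/bin/sh
# Added example, not from the original deck: inspect the text of a `docker run`
# command for options that give the container host privileges (host bind mounts,
# shared host namespaces, --privileged, extra capabilities) and for hardening
# options that are absent (read-only rootfs, seccomp, non-root user, cap-drop).
# Nothing is executed; the command is only parsed.

# Print one finding per line; exit 0 if the command is clean, 1 otherwise.
lint_docker_run() {
    findings=0
    has_readonly=0; has_seccomp=0; has_user=0; has_nnp=0; has_capdrop=0
    prev=""
    for tok in $1; do
        # single-token forms
        case "$tok" in
            --privileged)
                echo "FAIL --privileged: all capabilities, all devices, no seccomp/AppArmor"
                findings=$((findings + 1)) ;;
            --pid=host|--net=host|--network=host|--ipc=host|--userns=host)
                echo "FAIL $tok shares a host namespace with the container"
                findings=$((findings + 1)) ;;
            --cap-add=*)
                echo "WARN grants extra capability ${tok#--cap-add=}"
                findings=$((findings + 1)) ;;
            --cap-drop=[Aa][Ll][Ll])           has_capdrop=1 ;;
            --read-only)                       has_readonly=1 ;;
            --security-opt=seccomp=*)          has_seccomp=1 ;;
            --security-opt=no-new-privileges*) has_nnp=1 ;;
            --user=*)                          has_user=1 ;;
        esac
        # two-token forms: "-v /host:/ctr", "--security-opt seccomp=...", "--user 1000"
        case "$prev" in
            -v|--volume|--mount)
                case "$tok" in
                    /*|type=bind,*)
                        echo "FAIL bind-mounts host path '$tok': container can change root-owned host files"
                        findings=$((findings + 1)) ;;
                esac ;;
            --security-opt)
                case "$tok" in
                    seccomp=*)          has_seccomp=1 ;;
                    no-new-privileges*) has_nnp=1 ;;
                esac ;;
            --cap-add)
                echo "WARN grants extra capability $tok"
                findings=$((findings + 1)) ;;
            --cap-drop) case "$tok" in [Aa][Ll][Ll]) has_capdrop=1 ;; esac ;;
            -u|--user) has_user=1 ;;
        esac
        prev=$tok
    done
    [ $has_readonly -eq 1 ] || { echo "WARN missing --read-only: root filesystem is writable"; findings=$((findings + 1)); }
    [ $has_user -eq 1 ]     || { echo "WARN missing --user: process runs as uid 0 inside the container"; findings=$((findings + 1)); }
    [ $has_capdrop -eq 1 ]  || { echo "WARN missing --cap-drop ALL: default capability set retained"; findings=$((findings + 1)); }
    [ $has_nnp -eq 1 ]      || { echo "WARN missing --security-opt no-new-privileges"; findings=$((findings + 1)); }
    [ $has_seccomp -eq 1 ]  || echo "INFO no explicit seccomp profile; Docker's default profile applies (1.10+)"
    [ "$findings" -eq 0 ]
}

# Constructed sample commands (image names are placeholders)
WEAK_RUN="docker run -d --privileged -v /:/host --net=host ubuntu:16.04"
HARDENED_RUN="docker run -d --read-only --tmpfs /tmp --user 1000:1000 --cap-drop ALL \
 --security-opt no-new-privileges --security-opt seccomp=/etc/docker/seccomp/app.json \
 registry.example/app:1.2"

echo "== weak =="; lint_docker_run "$WEAK_RUN" || true
echo "== hardened =="; lint_docker_run "$HARDENED_RUN" && echo "clean"
```

Pointing the function at the `docker run` lines in a deploy script gives a quick pre-deployment gate: any bind mount of a host path is reported, including the Docker socket, which is the same privilege as docker-group membership handed to the container.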


Reducing the Risk

Being aware of the risks provides a means to attempt to remove or mitigate them.

1. Image Inheritance

Be aware of where your images come from!
◎ Download from trusted sources
○ Docker Content Trust (>v1.8)
◉ Signed Images!!
○ AWS EC2 Container Registry (ECR)
◉ Store private images
◉ Validate first & store
◉ Now available in Ireland!
◎ Build “from scratch”
○ Build all of your own images from a simple base
◎ Use minimal image
○ IE Alpine/BusyBox
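Added example, not from the deck or from Hydras: a shell lint pass that applies the rules above (trusted source, pinned base image, build from your own minimal base) to the FROM lines of a Dockerfile before it is built. The ECR hostname and account id are placeholders, the two Dockerfiles are constructed samples, and the digest in the second one is a placeholder value. It only reads the Dockerfile, so it runs offline; signature verification through Docker Content Trust happens at pull time and is a separate step.

```shell
#!/bin/sh
# Added example (not from the original deck): a small lint pass over the FROM
# lines of a Dockerfile, flagging base images that are not pinned by digest,
# use a mutable tag, or are not pulled from the registry we trust.
# Assumption: TRUSTED_REGISTRY is a placeholder ECR hostname (account id
# 123456789012 is a placeholder, not a real account).
TRUSTED_REGISTRY="123456789012.dkr.ecr.eu-west-1.amazonaws.com"

# Inspect one image reference; print one finding per line (nothing if clean).
check_image_ref() {
    ref=$1
    # Docker treats the first path component as a registry host only when the
    # reference has a '/' and that component contains '.' or ':' or is 'localhost';
    # anything else resolves to Docker Hub.
    case "$ref" in
        */*) first=${ref%%/*}
             case "$first" in
                 *.*|*:*|localhost) registry=$first ;;
                 *)                 registry="docker.io" ;;
             esac ;;
        *)   registry="docker.io" ;;
    esac
    case "$ref" in
        *@sha256:*) ;;   # pinned by digest: the content cannot change under us
        *) echo "$ref: not pinned by digest (@sha256:...)" ;;
    esac
    # Tag check: drop any digest, then look at the last path component.
    nodigest=${ref%%@*}
    last=${nodigest##*/}
    case "$last" in
        *:latest) echo "$ref: uses mutable tag 'latest'" ;;
        *:*)      ;;
        *)        echo "$ref: no tag given (defaults to 'latest')" ;;
    esac
    [ "$registry" = "$TRUSTED_REGISTRY" ] ||
        echo "$ref: pulled from $registry, not the trusted registry $TRUSTED_REGISTRY"
}

# Lint every FROM line of a Dockerfile. Prints findings; exit 0 if none, 1 otherwise.
lint_dockerfile() {
    tmp=$(mktemp)
    grep -i '^[[:space:]]*FROM[[:space:]]' "$1" | {
        stages=""
        while read -r _kw rest; do
            set -- $rest
            # skip option flags such as --platform=linux/amd64
            while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done
            ref=$1
            [ -z "$ref" ] && continue
            # remember "AS name" so a later "FROM name" (multi-stage build) is not flagged
            if [ $# -ge 3 ]; then
                case "$2" in [Aa][Ss]) stages="$stages $3" ;; esac
            fi
            case " $stages " in *" $ref "*) continue ;; esac
            [ "$ref" = "scratch" ] && continue   # no base image at all
            check_image_ref "$ref"
        done
    } > "$tmp"
    cat "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    rm -f "$tmp"
    [ "$n" -eq 0 ]
}

SAMPLES=$(mktemp -d)
# Constructed sample 1: the "just pull it from Docker Hub" style the deck warns about
cat > "$SAMPLES/Dockerfile.unpinned" <<'EOF'
FROM ubuntu
RUN apt-get update && apt-get install -y openssl
FROM --platform=linux/amd64 node:latest AS builder
COPY . /app
FROM builder
EOF
# Constructed sample 2: private ECR base pinned by tag and digest (placeholder digest),
# final stage built from scratch
cat > "$SAMPLES/Dockerfile.pinned" <<'EOF'
FROM 123456789012.dkr.ecr.eu-west-1.amazonaws.com/base/alpine:3.4@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS base
FROM scratch
COPY --from=base /app /app
EOF
UNPINNED_DOCKERFILE=$SAMPLES/Dockerfile.unpinned
PINNED_DOCKERFILE=$SAMPLES/Dockerfile.pinned

echo "== unpinned =="; lint_dockerfile "$UNPINNED_DOCKERFILE" || true
echo "== pinned ==";   lint_dockerfile "$PINNED_DOCKERFILE" && echo "clean"
```

Run it in CI on every Dockerfile before `docker build`; a non-zero exit blocks the build. Multi-stage aliases (`FROM ... AS name` followed by `FROM name`) and `FROM scratch` are skipped because neither pulls an image.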


2. Insecure Host

Secure Your Docker Host
◎ CIS Benchmark for Docker
1. Host configuration
2. Docker daemon configuration
3. Docker daemon configuration files
4. Container images and build files
5. Container runtime
6. Docker security operations

2. Insecure Host

◎ Check with “Docker Bench”
○ https://github.com/docker/docker-bench-security


2. Insecure Host

◎ Opsworks + ECS
◎ Opsworks = Configure Host (using Chef)
◎ ECS = Manage Containers

3. User Namespaces

◎ Upgrade to Docker version 1.10 or greater* or use the latest ECS optimised AMI
◎ Maintain a security level for containers
○ IE Do not run high security systems on the same hosts as systems of lower security
◉ Use different ECS clusters
◎ Maintain up to date incident process

*Most general Linux repos still contain older versions. ECS supports Docker 1.11.

4. Docker Binary

◎ Exclusively use host for docker
◎ Control access to the host & docker group
○ Opsworks/Chef
◎ Place hosts in VPC and protect with controlled bastion access and security groups
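Added example, not from the deck or from the Docker Bench project: a handful of host checks in the spirit of Docker Bench that cover the host-side points of the last three sections, namely who is in the docker group (section 4), whether the daemon remaps the user namespace (section 3), and whether a subordinate uid range exists for that remap to land in. It is written to run offline against constructed fixture files; called with no arguments it reads the real /etc/group, /etc/docker/daemon.json and /etc/subuid. User names and uid ranges in the fixtures are constructed.

```shell
#!/bin/sh
# Added example, not part of the original deck: a few host checks in the spirit
# of Docker Bench, run here against constructed fixture files so it works
# offline. With no arguments audit_host reads the real /etc/group,
# /etc/docker/daemon.json and /etc/subuid instead.

# Members of the "docker" group (they can drive the daemon, i.e. are root-equivalent).
docker_group_members() {
    [ -f "$1" ] || return 0
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# Value of "userns-remap" in daemon.json, empty if unset (no jq needed).
userns_remap_user() {
    [ -f "$1" ] || return 0
    sed -n 's/.*"userns-remap"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# "start:count" subordinate uid range for a user from /etc/subuid, empty if none.
subid_range() {
    [ -f "$2" ] || return 0
    awk -F: -v u="$1" '$1 == u { print $2 ":" $3; exit }' "$2"
}

# Run the checks; prints PASS/WARN lines, exit 0 only if nothing needs fixing.
audit_host() {
    group_file=${1:-/etc/group}
    daemon_json=${2:-/etc/docker/daemon.json}
    subuid_file=${3:-/etc/subuid}
    warnings=0
    members=$(docker_group_members "$group_file")
    if [ -n "$members" ]; then
        echo "WARN docker group members ($members) are effectively root on this host"
        warnings=$((warnings + 1))
    else
        echo "PASS docker group has no members"
    fi
    remap=$(userns_remap_user "$daemon_json")
    if [ -z "$remap" ]; then
        echo "WARN userns-remap not set: uid 0 in a container is uid 0 on the host"
        warnings=$((warnings + 1))
    else
        # "default" makes the daemon create the dockremap user; "user:group" names a user
        [ "$remap" = "default" ] && remap=dockremap
        remap=${remap%%:*}
        range=$(subid_range "$remap" "$subuid_file")
        if [ -n "$range" ]; then
            echo "PASS userns-remap active: container uid 0 maps to host uid ${range%%:*} (user $remap)"
        else
            echo "WARN userns-remap names $remap but $subuid_file has no range for it"
            warnings=$((warnings + 1))
        fi
    fi
    [ "$warnings" -eq 0 ]
}

FIX=$(mktemp -d)
mkdir -p "$FIX/weak" "$FIX/hardened"
# Constructed fixture: the whole build team is in the docker group and the
# daemon runs with stock settings
printf 'root:x:0:\ndocker:x:999:alice,jenkins\n' > "$FIX/weak/group"
printf '{ "log-driver": "json-file" }\n'           > "$FIX/weak/daemon.json"
printf 'alice:100000:65536\n'                       > "$FIX/weak/subuid"
# Constructed fixture: empty docker group, user namespace remapping on, and a
# subuid range for dockremap
printf 'root:x:0:\ndocker:x:999:\n' > "$FIX/hardened/group"
printf '{\n  "userns-remap": "default"\n}\n' > "$FIX/hardened/daemon.json"
printf 'alice:100000:65536\ndockremap:165536:65536\n' > "$FIX/hardened/subuid"

for h in weak hardened; do
    echo "== $h host =="
    audit_host "$FIX/$h/group" "$FIX/$h/daemon.json" "$FIX/$h/subuid" || true
done
```

On an ECS or Opsworks-managed host the same three files are what Chef would be managing, so the checks double as a recipe acceptance test: an empty docker group, `userns-remap` set, and a matching subuid range are the states the host should converge to.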


Wrapping Up


◎ Containerisation (Docker) has security advantages
◎ Security “quirks” still exist
○ Be aware and mitigate appropriately
○ Improving all the time
◎ Use AWS features and services to aid in applying security to containers
○ ECS/Opsworks/VPC/IAM/Security Groups

Final Thoughts


Thanks! Any questions?

You can find us at: w: http://hydrasit.com / e: [email protected] / @hydrasit / fb: hydrasit

You can find me at: e: [email protected] / @stephen_wilding