Securing Docker with AWS


Hello! I am Stephen Wilding, Founder of Hydras & AWS Solution Architect.

You can find me at: @stephen_wilding

How To Run Docker on AWS

EC2: Simply download and deploy Docker directly on an EC2 Linux instance.

Elastic Beanstalk: Beanstalk provides a simple application environment for developers to upload Docker images for provisioning in ECS.

EC2 Container Service: Scalable container management service providing the ability to run Docker on a managed cluster of EC2 instances.

Building a Secure Foundation

What do you mean love?


Docker Security is GREAT

Is Docker Security Really?

First the Good

How containers implement good security practices

Containerisation: Containers provide the ability to isolate applications on the same physical or virtual host using namespaces and cgroups.

Reduced Attack Surface: The lightweight nature of containers results in a reduced attack surface for the application, reducing its exposure.

Patching: Patches can be deployed fast to all layers in the container, resulting in a more predictable runtime and reducing the chance of outage.

Transient: Containers should be treated as transient, meaning that they have less chance of accumulating vulnerabilities over time.

Control: Since a Docker image is generally scripted via a Dockerfile, this makes it easier to control what software and data components are installed.

Enhanced Security: Docker can utilise advanced security functions such as mounting filesystems read-only and implementing seccomp.

Then the Bad

1. Image Inheritance

How Secure Is Your Container?

>30% of Docker Hub Images with Vulnerabilities


Mainly inherited from the base image
Large images containing lots of packages
Deprecated versions: OpenSSL (Heartbleed/POODLE), Bash (Shellshock)
Attacker uploads a poisoned image

2. Insecure Host

Vulnerable Host = Vulnerable Containers!

And the Ugly

3. User Namespace

Although namespaces are used in Docker, the user namespace is not*. Root on container = root on host. If a hacker breaks out of (or exploits) a vulnerability in a container, they can become root on the host.

*Fixed in Docker 1.10 (Feb 2016)

4. Docker Binary

The docker binary runs as root

Is this a problem? Users in the docker group can run the docker binary. Users in the docker group = root. Using the docker daemon to escalate privileges locally.

Mounting a host filesystem into a container means the container could update root-owned files.

Reducing the Risk

Being aware of the risks provides a means to attempt to remove or mitigate them.

Be aware of where your images come from!
Download from trusted sources: Docker Content Trust (>v1.8), signed images!!
AWS EC2 Container Registry (ECR): store private images; validate first & store. Now available in Ireland!
Build from scratch: build all of your own images from a simple base; use a minimal image, i.e. Alpine/BusyBox.

1. Image Inheritance

Secure Your Docker Host: CIS Benchmark for Docker

2. Insecure Host

Host configuration
Docker daemon configuration
Docker daemon configuration files
Container images and build files
Container runtime
Docker security operations

Check with Docker Bench

2. Insecure Host

OpsWorks + ECS

OpsWorks = configure the host (using Chef); ECS = manage containers

2. Insecure Host

Upgrade to Docker version 1.10 or greater*, or use the latest ECS optimised AMI.
Maintain a security level for containers, i.e. do not run high security systems on the same hosts as systems of lower security: use different ECS clusters.
Maintain an up to date incident process.

3. User Namespaces

*Most general Linux repos still contain older versions; ECS supports Docker 1.11

Exclusively use the host for Docker.
Control access to the host & docker group (OpsWorks/Chef).
Place hosts in a VPC and protect with controlled bastion access and security groups.

4. Docker Binary
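As an added illustration of checking points 3 and 4 above (not code from the deck or from Docker Bench), a small POSIX shell audit that runs against constructed sample files standing in for a host's /etc/docker/daemon.json, /etc/group and reported daemon version:

```shell
#!/bin/sh
# Added example, not from the slides: host checks in the spirit of Docker Bench
# for points 3 (user namespaces) and 4 (docker group = root). Paths are
# parameters so the checks run on constructed sample files; on a real host use
# /etc/docker/daemon.json, /etc/group and the daemon's reported version.

major() { echo "${1%%.*}"; }
minor() { case $1 in *.*) r=${1#*.}; echo "${r%%.*}" ;; *) echo 0 ;; esac; }

# 0 if version $1 is at least $2, comparing major.minor (1.10.3 >= 1.10).
version_at_least() {
  [ "$(major "$1")" -gt "$(major "$2")" ] && return 0
  [ "$(major "$1")" -eq "$(major "$2")" ] && [ "$(minor "$1")" -ge "$(minor "$2")" ]
}

# 0 if daemon config $1 sets "userns-remap" (the Docker >= 1.10 fix for
# root in container = root on host).
userns_remap_enabled() {
  [ -f "$1" ] && grep -q '"userns-remap"[[:space:]]*:[[:space:]]*"[^"][^"]*"' "$1"
}

# Print members of the docker group from an /etc/group-format file $1, one
# per line; each of them can reach root on the host through the daemon.
docker_group_members() {
  awk -F: '$1 == "docker" && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Print one PASS/FAIL/WARN line per check; return the number of FAILs.
audit_host() {
  version=$1; daemon_json=$2; group_file=$3; fails=0
  if version_at_least "$version" 1.10; then echo "PASS Docker $version >= 1.10"
  else echo "FAIL Docker $version < 1.10: no user namespace support"; fails=$((fails + 1)); fi
  if userns_remap_enabled "$daemon_json"; then echo "PASS userns-remap configured"
  else echo "FAIL userns-remap not set: root in container = root on host"; fails=$((fails + 1)); fi
  members=$(docker_group_members "$group_file" | tr '\n' ' ')
  if [ -n "$members" ]; then echo "WARN docker group (root-equivalent) members: $members"
  else echo "PASS docker group has no members"; fi
  return $fails
}

# Demo on constructed sample files (not a real host): Docker 1.9.1, no
# userns-remap and two users in the docker group; returns the FAIL count (2).
demo() {
  d=$(mktemp -d)
  printf '{ "icc": false }\n' > "$d/daemon.json"
  printf 'root:x:0:\ndocker:x:999:alice,bob\n' > "$d/group"
  audit_host 1.9.1 "$d/daemon.json" "$d/group"; rc=$?
  rm -rf "$d"; return $rc
}
```

Source the script and call `demo` to see the constructed case, or call `audit_host` with a real host's version and file paths.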

Wrapping Up

Containerisation (Docker) has security advantages

Security quirks still exist. Be aware and mitigate appropriately. Improving all the time.

Use AWS features and services to aid in applying security to containers: ECS/OpsWorks/VPC/IAM/Security Groups.

Final Thoughts

Thanks! Any questions?

You can find us at:
w: http://hydrasit.com
e: info@hydrasit.com
tw: @hydrasit
fb: hydrasit

You can find me at:
e: stephen@hydrasit.com
t: @stephen_wilding