How to Secure AWS Containers and Use ECS for Container Security
AWS containers are growing rapidly in popularity but how to secure containers in production is still a new topic. In this video from AWS re:Invent Henrik Johansson and Michael Capicotto present how to secure containers on AWS and use AWS ECS for security and governance. We also provide a summary below.
Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.
Here’s a summary of the presentation:
- Container Security Best Practices. Although containers are not as mature from a security and isolation perspective as VMs, they can be more secure by default.
Run containers on top of virtual instances
- Segregate containers
- Reduce container attack surface area
- Follow container security best practices such as limiting resource consumption, networking, and privileges
- Consider third party security such as NeuVector to visualize behavior and detect abnormal connections
- Use built-in ECS security options such as SELinux support.
- Container Lifecycle Security. Build in security throughout the lifecycle of containers, from development to build and test to production.
- Do vulnerability analysis and allow only approved images during build
- Own your own repo and regularly analyze images
- Only allow compliant images to run in production
- Have runtime defence in place
- Use tools such as Docker Bench with Lambda to automate security checks
- Build security into the entire CI/CD process including runtime.
- Use S3-based secrets storage by using an environment variable enforced by IAM policies
- Use third party secrets management solutions or build your own using S3.
- Use task definitions to control images, CPU/memory, links, ports, and IAM roles
- Use the new IAM roles definition to isolate credentials and authorization between tasks.
- Enable the security team to deploy security containers such as host intrusion detection in parallel
- Use an automation tool like Jenkins to build both application and security containers, merge both task definitions and then deploy using ECS
- Allow security teams to deploy security without having to bake it into the application image.
The benefit of being able to integrate security into the CI/CD process is that accidental conflicts are removed, developers and security teams can operate independently, and controls are more logically defined and enforced.
NeuVector provides an application and network aware container security solution which you can easily test drive and deploy, even on running applications.