Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AWS re:Invent 2016: Securing Container-Based Applications (CON402)


Published on

Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.

Published in: Technology
  • Be the first to comment

AWS re:Invent 2016: Securing Container-Based Applications (CON402)

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. December 2016 CON402 Securing Container-Based Applications Henrik Johansson, Security Solutions Architect, AWS Michael Capicotto, Solutions Architect, AWS
  2. 2. What to Expect from the Session OS & Container Security • Intro to container security and best practices • Container lifecycle security (including vulnerability analysis) • Managing secrets Infrastructure security • Enforce governance with Amazon ECS • Using containers to automate security deployments
  3. 3. Intro to Container Security
  4. 4. Container vs VM isolation
  5. 5. Isolation • Implemented via Linux namespaces • Weaker than VM isolation • Containers run on single kernel • Containers share files, sockets, memory areas, devices, etc.
  6. 6. Secure by default pid namespace nmt namespace net namespace uts namespace user namespace pivot_root uid/gid drop cap drop all cgroups selinux apparmor seccomp Out-of-the-box default settings and profiles Granular controls to customize settings No SSH to containers No system users Immutable infrastructure Secure by default
  7. 7. Defense through segmentation • Run containers on top of virtual instances • Keep instance and container up to date • IAM roles for tasks to restrict host permissions • Segregate containers • Role/customer • Risk/trust/exposure
  8. 8. Reduce attack surface area • Container attack surface much smaller than VM • Service, not system • Emulate drivers • VENOM attack / CVE-2015-3456 ( • Best practice: run small images • Only contain static binary • Harden the cluster instance • NIST, SANS, etc. • Use many but smaller instances to limit blast radius
  9. 9. Best practices • Limit memory, CPU allocation and resource limits • Set filesystems to be read-only • Limit container networking • Remove setuid/setgid binaries from images • Set containers to run as non-root user • Leverage Linux kernel security features
  10. 10. Setting resource limits in ECS Configured in the ECS task definition • CPU • Minimum number of CPU units to reserve for container • RAM • The number of MiB of memory reserved for container • Ulimits • Reduce for example filesize locks and memlocks allowed "ulimits": [ { "name": "core"|"cpu"|"data"|"fsize"|"locks"|"memlock"|"msgqueue"|"nice"|"nprock"… "softLimit": integer, "hardLimit": integer } ...
  11. 11. • Configured in the ECS task definition • Setting root file system to be read-only • Maps to Docker ReadOnlyRootfs and --read-only • Set volumes to be read-only Read-only filesystem access "readonlyRootFileSystem": true "mountPoints": [ { "sourceVolume": "string", "containerPath": "string", "readOnly": true } ]
  12. 12. Securing container networking • Containers should only open ports it needs • Governance on task definition • Pre deploy assessment • Know expected traffic patterns • North/South, East/West • Disable inter-container communication • Set Docker option flag --icc=false and --iptables=true • Use --link to connect containers
  13. 13. Securing container networking - • Detects threats from external and internal networks • Attacks such as DDOS and XSS on containers • Protects your container network from L3 to L7 • Detects application threats • Has built-in security policies for 30+ applications and protocols • Prevents unauthorized connections between containers • Monitors all ‘east-west’ container traffic • Integrate logs with SIEM/Log aggregator
  14. 14. Remove setuid/setgid binaries • Most apps don’t need access to setuid/setgid binaries • Remove to avoid privilege escalation attacks • Example Debian “defanged ” image Dockerfile: FROM debian:wheezy RUN find / -perm +6000 –type f -exec chmod a-s {} ; || true
  15. 15. Set a non-root user Multiple methods • Create the USER in Dockerfile • Change to the user via USER command or sudo/gosu/su • Set USER in Docker command or ECS task def Don’t use root as default!
  16. 16. Seccomp • Secure computing mode (Seccomp) is a Linux kernel feature • Supported from Docker 1.10 • Docker has default profile limiting many system calls (44 system calls out of 300+) • Can also be customized for more blocks • Can provide custom seccomp profile to containers via Docker security options
  17. 17. SELinux • Implementation of Mandatory Access Control (MAC) • Default SELinux policy for Docker designed to protect host from containers and containers from each other • Uses tag to restrict usage • Containers assigned default process type: svirt_lxc_net_t and files accessible to container: svirt_sandbox_file_t. • Policy enforces only read/execute container permissions to /usr directory • Assigns unique MCS category number to prevent cross container access to files or resources
  18. 18. Security options in ECS
  19. 19. Security options in ECS ECS_SELINUX_CAPABLE=true
  20. 20. Container Lifecycle Security
  21. 21. Lifecycle risks • Are my developers introducing new vulnerabilities during development? • Are my container images in my repository vulnerable? • Do I have a runtime defence if containers are compromised? • How do I ensure by Docker platform is secure over time?
  22. 22. Mitigation approaches • Do image vulnerability analysis in the CI/CD pipeline • Only allow developers to use “approved” images • Configuration governance • Regularly analyse images in your private repository • Only allow compliant images to run in production • Have runtime defence in place • Regular checks of Docker platform against industry benchmarks Own your repo!
  23. 23. Secure Host via Docker Bench • Recommendations provided by Center for Internet Security’s Benchmark for Docker Engine • Best practice: use Docker Bench to validate host against recommendations •
  24. 24. Run DockerBench via EC2 Run Cmd Output report to CloudWatch logs Create CloudWatch alarm on non-compliance Automating Docker Bench Invoke Lambda on schedule
  25. 25. Scan running containers for vulnerabilities in dev, test, staging, and production. • Public CVE vulnerabilities • Some application specific vulnerabilities which may or may not have CVE • Scan the host file system, not just containers • Can to tell whether the host is safe or not to load application containers. Visualize services, containers, and network behavior easily in staging and production Protects running containers against violations, threats, and vulnerabilities
  26. 26. Continuous integration
  27. 27. CI/CD pipeline / Container lifecycle CodeCommit Source Build CodePipeline Jenkins 1. Build Docker image 2. Check image for vulnerabilities 3. Push image to ECR 4. Update ECS service via CloudFormation Run Live scan
  28. 28. Managing Secrets
  29. 29. Bake into image
  30. 30. Bake into image
  31. 31. Environment variables • Suggested by 12-factor apps • Environment variables can be seen in too many places • linked containers, ECS API calls, docker inspect • Can’t be deleted
  32. 32. S3-based secrets storage • Secrets stored in S3 bucket • Accessed via IAM roles for EC2 • Enforce encryption at rest and flight via IAM policies and KMS • Use VPC endpoint for S3 to lock down access from certain VPCs
  33. 33. Third-party secrets management solutions • Vault from HashiCorp • • Keywhiz from Square • • Secrets accessed via leases • Good for Dynamic Secrets generation
  34. 34. Temporary credentials for RDS databases Vault for RDS credentials
  35. 35. Enforce Governance with ECS
  36. 36. ECS primer ECS cluster … Task 2 Task N Task 1 Task definition 1 Amazon ECR Docker images
  37. 37. Enforcing governance… is simple! Task definition controls • Which Docker images to use (app_latest) • CPU & memory allocation • Container links • Host-to-container port mappings • **NEW** IAM roles for tasks
  38. 38. IAM roles for tasks Benefits • Simplify usage of AWS SDKs in containers • Credential isolation between tasks • Authorization per task • Auditability in CloudTrail with taskArn
  39. 39. IAM roles for tasks - example Web UI Container Cluster Instance Data Insights Container ECS Task 2ECS Task 1 IAM role The old way… Amazon DynamoDB Amazon S3 Undesired permission Undesired permission
  40. 40. IAM roles for tasks - example Web UI Container Cluster Instance Data Insights Container ECS Task 2ECS Task 1 IAM Role 1 The new way! IAM Role 2 Amazon DynamoDB Amazon S3
  41. 41. IAM roles for tasks – explained 1. ECS agent periodically queries ECS control plane 2. Control plane generates ID token  Auto-rotated 3. ECS agent:  Constructs HTTP URL for each container  Sets AWS_CREDENTIALS_ENDPOINT in HostConfig 4. AWS SDK extracts URL
  42. 42. IAM roles for tasks - demo
  43. 43. Automate Security Deployments
  44. 44. Governance during continuous integration Docker image Developers Security Engineers Ops Engineers Amazon ECR Task definition
  45. 45. Governance during continuous deployment Developers Ops Engineers Security Engineers App Team Developers Ops Engineers Security Engineers InfoSec Team
  46. 46. Docker Images Web Application Host-Based Intrusion Detection Securely merge… …and deploy Governance during continuous deployment App Team InfoSec Team Task Definition Docker Images Task Definition
  47. 47. Deploying security functionality - example Rate limiting proxy Web Application Container Cluster instance Reverse-Proxy Container Outbound network access ECS Task
  48. 48. Deploying security functionality - demo
  49. 49. Why should I care? • Remove accidental conflicts • Make security processes continuous and automatic • Encapsulate software artifacts and implement controls one level up • Control changes to this framework via IAM
  50. 50. Not just containers! Amazon Machine Images (AMIs) Docker Images OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy
  51. 51. Amazon Machine Images (AMIs) Docker Images OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy Software Artifacts Deployment Services Not just containers!
  52. 52. Not just containers! CloudFormation Template Task Definition Application Specification File (AppSpec.yml) …applies to any deployment process.
  53. 53. Thank you!
  54. 54. Remember to complete your evaluations!