SlideShare a Scribd company logo

Secure_Container_Workload.pdf

Yu-Lin Huang
Yu-Lin Huang

A guideline to secure container workload.

Engineering
1 of 21
Download to read offline
Secure Container Workload
2 Secure Container Workload Contents 1. Container architecture 2. Container security layers 3. Image security 4. Container orchestration security 5. Container scanning via Amazon Elastic Container Registry Scan 6. Container scanning via Amazon Inspector 7. Implement security patch in container
3 Secure Container Workload Document Revisions Date Description 2022/12/02 First publication by Kimi Huang
4 Secure Container Workload 1. Container architecture What are containers? Containers are lightweight packages of your application code together with dependencies such as specific versions of programming language runtimes and libraries required to run your software services. (Defined by Google Cloud) Figure 1 shows the architecture of virtual machines and containers. The key differentiator between containers and virtual machines is that virtual machines virtualize an entire machine down to the hardware layers and containers only virtualize software layers above the operating system level. Figure 1. Containers vs Virtual Machines
5 Secure Container Workload 2. Container security layers Figure 2 shows the architecture of container security layers. The container security layers can split to 4 layers: Host OS, Container Orchestration, Container, and Application. Host OS: The Host OS could be an Amazon Machine Image (AMI) installed on Amazon Elastic Compute Cloud instance (Amazon EC2) or an operation system installed on your On-Premises environment. Container Orchestration: There are many tools to establish a Container Orchestration. OpenShift developed by RedHat, Kubernetes developed by CNCF, or Amazon Elastic Container Service (ECS) developed by Amazon Web Service. Container: Containers are a form of operating system virtualization. You can use Docker or Podman as a container engine to build a container with Dockerfile. Application: Bundled the application dependencies, libraries, and configuration files need to run to a container. All these 4 layers have different life cycle you need to take care to update with latest patch. Figure 2.The architecture of container security layers
6 Secure Container Workload 3. Image security 3.1 Base image To build a container image we always use a base image as a baseline. This base image might come from an untrust image repository. Choice a trust image repository with latest patch version to keep your container image up to date. Figure 3 presented a python official image repository authorized by Docker Hub. Figure 3. Python official image repository of Docker Hub It’s good practice to use “minimal” images, which are as small in size as possible (which is a good advantage anyway), and contain as few tools as possible. Minimal images go even beyond what “size-optimized” images (such as alpine or <something>:<version>-slim, e.g. python:3.8-slim) do: they come without any package manager. This makes it hard for an attacker to load additional tools. 3.2 Permission of container Container run as root user by default. To avoid use root user we can add configuration in Dockerfile to build a container image. Figure 4 presented an example how to use non-root permission in Dockerfile.
7 Secure Container Workload Figure 4. An example using non-root permission 3.3 Credentials in container Your application might need a credentials to interactive with other services or applications. Figure 5 shows a bad practices to store credentials in container. The attacker can get those credentials without your approval once your container compromised. Figure 5. An example using credentials
8 Secure Container Workload You can use container orchestration to pass credentials to container avoid hard code credentials in container level. Most of AWS services provide pass credentials via a secure way. For example, Amazon Elastic Container Service (ECS) provide using AWS Systems Manager Parameter Store to expose credentials to container. Figure 6 presented an example to use AWS Systems Manager Parameter Store expose credentials to AWS Batch container Figure 6. AWS Batch secret configuration Figure 7 presented an example to use Kubernetes Secret inject credentials to container
9 Secure Container Workload Figure 7. Kubernetes secret configuration 3.4 Least privilege in container orchestration Kubernetes provide Security Context configuration to let you defines privilege and access control settings for a Pod or Container. Figure 8 presented an example to use Kubernetes security context define least privilege for a container.
10 Secure Container Workload Figure 8. Kubernetes security context configuration For accessing AWS services in Kubernetes, you can define a least privilege in Service Account. Figure 9 presented an AWS IAM policy to restrict access a specific S3 bucket.
11 Secure Container Workload Figure 9. AWS IAM policy for accessing specific S3 bucket Figure 10 presented an AWS IAM role for Amazon Elastic Kubernetes Service (EKS). Using this IAM role configuration to let your EKS cluster assume via EKS OICD. Any access permissions for AWS services can be definied as an IAM policy attached to this role.
12 Secure Container Workload Figure 10. AWS IAM role for Amazon Elastic Kubernetes Service (EKS) Figure 11 presented an example to use a Service Account for a container to restrict only specific S3 bucket can be accessed.
13 Secure Container Workload Figure 11. Using Service Account in Kubernetes
14 Secure Container Workload 4. Container orchestration security Take Kubernetes as an example, Kubernetes release new version quarterly. Those releases include CVE security patch as well. Keep update latest Kubernetes version to your production environment with fully protection capacity. In AWS cloud, you can use Amazon Elastic Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS) as container orchestration. Please visit below link for latest release version information of ECS and EKS: 1. Release of Amazon Elastic Container Service (ECS) 2. Release of Amazon Elastic Kubernetes Service (EKS)
15 Secure Container Workload 5. Container scanning via Amazon Elastic Container Registry Scan What is Container Scanning? Container scanning, or container image scanning, is the process and scanning tools used to identify vulnerabilities within containers and their components. It’s key to container security and enables developers and cybersecurity teams to fix security threats in containerized applications before deployment. (Defined by Snyk) A famous open-source tool for vulnerability static analysis in containers called Trivy can help you implement container scanning. In AWS cloud you don’t have to establish infrastructure resources for container scanning. Amazon Elastic Container Registry (ECR) provide native container scanning feature without any infrastructure establish. Container scanning is disabled by default, you need to enable container scan for your Elastic Container Registry. There two kind of scan types in ECR: Basic scanning and Enhanced scanning. Basic scanning: There is no additional cost for basic scanning. It uses the Common Vulnerabilities and Exposures (CVEs) database from the open- source Clair project to scan your container image. Enhanced scanning: Enhanced scanning is an integration with Amazon Inspector which provides vulnerability scanning for your container images. Your container images are scanned for both operating systems and programing language package vulnerabilities. There is additional cost for enhance scanning, please see the pricing model of Amazon Inspector. Figure 12 presented a vulnerability finding list scanned via ECR basic scanning. There are 6 severity rating in the list. Every CVE number has a hyperlink page to let you know the detail information include package name, description, fixed version, etc., please see Figure 13 as an example.
16 Secure Container Workload Figure 12. A vulnerability list of container image scanned via ECR basic scanning Figure 13. CVE information page Follow the fixed version information provided by CVE page to patch the package version in your container.
17 Secure Container Workload 6. Container scanning via Amazon Inspector Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2), AWS Lambda functions, and container workloads for software vulnerabilities and unintended network exposure. As section 5 mentioned Amazon Inspector provide ECR Enhanced scanning for both operating systems and programing language package vulnerabilities. When enable Amazon Inspector your ECR repository will set to Enhanced scanning with Continuously scan mode. You can change the scan mode to Lifetime (continuously), 180 Day, and 30 Day in Amazon Inspector - ECR re-scan duration configuration. Figure 14 presented a Dockerfile with log4j package vulnerability impact version. Use this Dockerfile to build a container image and scan software vulnerability via Amazon Inspector. Figure 14. Dockerfile to build a container image with log4j package vulnerability impact version Figure 15 presented the container scan report of a log4j package vulnerability impact container image via Amazon Inspector. It provides different severity rating for you same as ECR – basic scan type. In the finding list, you can see a lot log4j package vulnerabilities. Pick a critical issue as example.
18 Secure Container Workload Figure 16 presented the detail information of this vulnerability issue. In this page you can see the vulnerability issue is related with what CVE number and which fixed package version number. That information can help you to fix this vulnerability. Figure 15. Amazon Inspector container scan finding report
19 Secure Container Workload Figure 16. Detail information of a vulnerability issue
20 Secure Container Workload 7. Implement security patch in container In section 6 found a container contain log4j package vulnerability with version 2.14.1. From the information of vulnerability issue page, this CVE (CVE-2021-44228) is fixed in log4j package version 2.16.0. Let’s update the log4j to latest version 2.19.0 in Dockerfile (Figure 17) and build a new container push to ECR registry. Amazon Inspector will scan the new container automatically after pushing container to ECR registry. Figure 17. Patching log4j package in Dockerfile The new finding report of Amazon Inspector presented in Figure 18. The result show that CRITICAL, HIGH, and MEDIUM CVE issues have been fixed by updating log4j package to version 2.19.0. In this case we use a log4j vulnerability package as an example to show how to implement a security patch in container image. Using this approach to update your container image with latest CVE patching. Keep patching your container image as a best practice to gain maximum protection capacity.
21 Secure Container Workload Figure 18. Amazon Inspector container scan finding report after log4j package patching

Recommended

Ultimate Guide to Incident Response in AWS.pdf
Ultimate Guide to Incident Response in AWS.pdfUltimate Guide to Incident Response in AWS.pdf
Ultimate Guide to Incident Response in AWS.pdfChristopher Doman
 
Different methods for aws integration with jenkins
Different methods for aws integration with jenkinsDifferent methods for aws integration with jenkins
Different methods for aws integration with jenkinsTarek Ali
 
Running Docker Containers on AWS
Running Docker Containers on AWSRunning Docker Containers on AWS
Running Docker Containers on AWSVladimir Simek
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Amazon Web Services
 
Dockerized .Net Core based app services in azure K8s
Dockerized .Net Core based app services in azure K8s Dockerized .Net Core based app services in azure K8s
Dockerized .Net Core based app services in azure K8s Ranjeet Bhargava
 
Amazon ECS Deep Dive
Amazon ECS Deep DiveAmazon ECS Deep Dive
Amazon ECS Deep DiveAmazon Web Services
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security Amazon Web Services
 

Recommended

Ultimate Guide to Incident Response in AWS.pdf
Ultimate Guide to Incident Response in AWS.pdfUltimate Guide to Incident Response in AWS.pdf
Ultimate Guide to Incident Response in AWS.pdfChristopher Doman
 
Different methods for aws integration with jenkins
Different methods for aws integration with jenkinsDifferent methods for aws integration with jenkins
Different methods for aws integration with jenkinsTarek Ali
 
Running Docker Containers on AWS
Running Docker Containers on AWSRunning Docker Containers on AWS
Running Docker Containers on AWSVladimir Simek
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Amazon Web Services
 
Dockerized .Net Core based app services in azure K8s
Dockerized .Net Core based app services in azure K8s Dockerized .Net Core based app services in azure K8s
Dockerized .Net Core based app services in azure K8s Ranjeet Bhargava
 
Amazon ECS Deep Dive
Amazon ECS Deep DiveAmazon ECS Deep Dive
Amazon ECS Deep DiveAmazon Web Services
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security Amazon Web Services
 
Building and Deploying a Static Application using Jenkins and Docker in AWS
Building and Deploying a Static Application using Jenkins and Docker in AWSBuilding and Deploying a Static Application using Jenkins and Docker in AWS
Building and Deploying a Static Application using Jenkins and Docker in AWSijtsrd
 
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2white paper
 
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2white paper
 
Overview of Docker
Overview of DockerOverview of Docker
Overview of DockerGauranG Bajpai
 
Build containerized application using Docker and Azure.pdf
Build containerized application using Docker and Azure.pdfBuild containerized application using Docker and Azure.pdf
Build containerized application using Docker and Azure.pdfHamida Rebai Trabelsi
 
SEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdfSEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdfJean-François LOMBARDO
 
Amazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon Web Services
 
February 2016 Webinar Series - EC2 Container Service Deep Dive
February 2016 Webinar Series - EC2 Container Service Deep Dive February 2016 Webinar Series - EC2 Container Service Deep Dive
February 2016 Webinar Series - EC2 Container Service Deep Dive Amazon Web Services
 
Amazon cloudtutorial
Amazon cloudtutorialAmazon cloudtutorial
Amazon cloudtutorialChris Buenaventura
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019Kumton Suttiraksiri
 
AWS essentials EC2
AWS essentials EC2AWS essentials EC2
AWS essentials EC2mustafa sarac
 
CoSolvent Community Server : Amazon Web Services Hosting ...
CoSolvent Community Server : Amazon Web Services Hosting ...CoSolvent Community Server : Amazon Web Services Hosting ...
CoSolvent Community Server : Amazon Web Services Hosting ...webhostingguy
 
AWS CodeDeploy
AWS CodeDeploy AWS CodeDeploy
AWS CodeDeploy Ratan Das
 
Architecting Cloud Apps
Architecting Cloud AppsArchitecting Cloud Apps
Architecting Cloud Appsjineshvaria
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
Scaling drupal horizontally and in cloud
Scaling drupal horizontally and in cloudScaling drupal horizontally and in cloud
Scaling drupal horizontally and in cloudVladimir Ilic
 
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집Amazon Web Services Korea
 
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014Amazon Web Services
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks
 
Securing Containerized Workloads on Amazon ECs
Securing Containerized Workloads on Amazon ECsSecuring Containerized Workloads on Amazon ECs
Securing Containerized Workloads on Amazon ECsRavindu Fernando
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 

More Related Content

Similar to Secure_Container_Workload.pdf

Building and Deploying a Static Application using Jenkins and Docker in AWS
Building and Deploying a Static Application using Jenkins and Docker in AWSBuilding and Deploying a Static Application using Jenkins and Docker in AWS
Building and Deploying a Static Application using Jenkins and Docker in AWSijtsrd
 
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2white paper
 
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2white paper
 
Build containerized application using Docker and Azure.pdf
Build containerized application using Docker and Azure.pdfBuild containerized application using Docker and Azure.pdf
Build containerized application using Docker and Azure.pdfHamida Rebai Trabelsi
 
SEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdfSEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdfJean-François LOMBARDO
 
Amazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon Web Services
 
February 2016 Webinar Series - EC2 Container Service Deep Dive
February 2016 Webinar Series - EC2 Container Service Deep Dive February 2016 Webinar Series - EC2 Container Service Deep Dive
February 2016 Webinar Series - EC2 Container Service Deep Dive Amazon Web Services
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019Kumton Suttiraksiri
 
CoSolvent Community Server : Amazon Web Services Hosting ...
CoSolvent Community Server : Amazon Web Services Hosting ...CoSolvent Community Server : Amazon Web Services Hosting ...
CoSolvent Community Server : Amazon Web Services Hosting ...webhostingguy
 
AWS CodeDeploy
AWS CodeDeploy AWS CodeDeploy
AWS CodeDeploy Ratan Das
 
Architecting Cloud Apps
Architecting Cloud AppsArchitecting Cloud Apps
Architecting Cloud Appsjineshvaria
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
Scaling drupal horizontally and in cloud
Scaling drupal horizontally and in cloudScaling drupal horizontally and in cloud
Scaling drupal horizontally and in cloudVladimir Ilic
 
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집Amazon Web Services Korea
 
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014Amazon Web Services
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks
 
Securing Containerized Workloads on Amazon ECs
Securing Containerized Workloads on Amazon ECsSecuring Containerized Workloads on Amazon ECs
Securing Containerized Workloads on Amazon ECsRavindu Fernando
 

Similar to Secure_Container_Workload.pdf (20)

Building and Deploying a Static Application using Jenkins and Docker in AWS
Building and Deploying a Static Application using Jenkins and Docker in AWSBuilding and Deploying a Static Application using Jenkins and Docker in AWS
Building and Deploying a Static Application using Jenkins and Docker in AWS
 
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
 
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2
 
Overview of Docker
Overview of DockerOverview of Docker
Overview of Docker
 
Build containerized application using Docker and Azure.pdf
Build containerized application using Docker and Azure.pdfBuild containerized application using Docker and Azure.pdf
Build containerized application using Docker and Azure.pdf
 
SEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdfSEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdf
 
Amazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep DiveAmazon ECS Container Service Deep Dive
Amazon ECS Container Service Deep Dive
 
February 2016 Webinar Series - EC2 Container Service Deep Dive
February 2016 Webinar Series - EC2 Container Service Deep Dive February 2016 Webinar Series - EC2 Container Service Deep Dive
February 2016 Webinar Series - EC2 Container Service Deep Dive
 
Amazon cloudtutorial
Amazon cloudtutorialAmazon cloudtutorial
Amazon cloudtutorial
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
 
AWS essentials EC2
AWS essentials EC2AWS essentials EC2
AWS essentials EC2
 
CoSolvent Community Server : Amazon Web Services Hosting ...
CoSolvent Community Server : Amazon Web Services Hosting ...CoSolvent Community Server : Amazon Web Services Hosting ...
CoSolvent Community Server : Amazon Web Services Hosting ...
 
AWS CodeDeploy
AWS CodeDeploy AWS CodeDeploy
AWS CodeDeploy
 
Architecting Cloud Apps
Architecting Cloud AppsArchitecting Cloud Apps
Architecting Cloud Apps
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
Scaling drupal horizontally and in cloud
Scaling drupal horizontally and in cloudScaling drupal horizontally and in cloud
Scaling drupal horizontally and in cloud
 
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
 
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014
 
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECSWeaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS
 
Securing Containerized Workloads on Amazon ECs
Securing Containerized Workloads on Amazon ECsSecuring Containerized Workloads on Amazon ECs
Securing Containerized Workloads on Amazon ECs
 

Recently uploaded

VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingjaychoudhary37
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 

Recently uploaded (20)

VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacing
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 

Secure_Container_Workload.pdf

  • 2. 2 Secure Container Workload Contents 1. Container architecture 2. Container security layers 3. Image security 4. Container orchestration security 5. Container scanning via Amazon Elastic Container Registry Scan 6. Container scanning via Amazon Inspector 7. Implement security patch in container
  • 3. 3 Secure Container Workload Document Revisions Date Description 2022/12/02 First publication by Kimi Huang
  • 4. 4 Secure Container Workload 1. Container architecture What are containers? Containers are lightweight packages of your application code together with dependencies such as specific versions of programming language runtimes and libraries required to run your software services. (Defined by Google Cloud) Figure 1 shows the architecture of virtual machines and containers. The key differentiator between containers and virtual machines is that virtual machines virtualize an entire machine down to the hardware layers and containers only virtualize software layers above the operating system level. Figure 1. Containers vs Virtual Machines
  • 5. 5 Secure Container Workload 2. Container security layers Figure 2 shows the architecture of container security layers. The container security layers can split to 4 layers: Host OS, Container Orchestration, Container, and Application. Host OS: The Host OS could be an Amazon Machine Image (AMI) installed on Amazon Elastic Compute Cloud instance (Amazon EC2) or an operation system installed on your On-Premises environment. Container Orchestration: There are many tools to establish a Container Orchestration. OpenShift developed by RedHat, Kubernetes developed by CNCF, or Amazon Elastic Container Service (ECS) developed by Amazon Web Service. Container: Containers are a form of operating system virtualization. You can use Docker or Podman as a container engine to build a container with Dockerfile. Application: Bundled the application dependencies, libraries, and configuration files need to run to a container. All these 4 layers have different life cycle you need to take care to update with latest patch. Figure 2.The architecture of container security layers
  • 6. 6 Secure Container Workload 3. Image security 3.1 Base image To build a container image we always use a base image as a baseline. This base image might come from an untrust image repository. Choice a trust image repository with latest patch version to keep your container image up to date. Figure 3 presented a python official image repository authorized by Docker Hub. Figure 3. Python official image repository of Docker Hub It’s good practice to use “minimal” images, which are as small in size as possible (which is a good advantage anyway), and contain as few tools as possible. Minimal images go even beyond what “size-optimized” images (such as alpine or <something>:<version>-slim, e.g. python:3.8-slim) do: they come without any package manager. This makes it hard for an attacker to load additional tools. 3.2 Permission of container Container run as root user by default. To avoid use root user we can add configuration in Dockerfile to build a container image. Figure 4 presented an example how to use non-root permission in Dockerfile.
  • 7. 7 Secure Container Workload Figure 4. An example using non-root permission 3.3 Credentials in container Your application might need a credentials to interactive with other services or applications. Figure 5 shows a bad practices to store credentials in container. The attacker can get those credentials without your approval once your container compromised. Figure 5. An example using credentials
  • 8. 8 Secure Container Workload You can use container orchestration to pass credentials to container avoid hard code credentials in container level. Most of AWS services provide pass credentials via a secure way. For example, Amazon Elastic Container Service (ECS) provide using AWS Systems Manager Parameter Store to expose credentials to container. Figure 6 presented an example to use AWS Systems Manager Parameter Store expose credentials to AWS Batch container Figure 6. AWS Batch secret configuration Figure 7 presented an example to use Kubernetes Secret inject credentials to container
  • 9. 9 Secure Container Workload Figure 7. Kubernetes secret configuration 3.4 Least privilege in container orchestration Kubernetes provide Security Context configuration to let you defines privilege and access control settings for a Pod or Container. Figure 8 presented an example to use Kubernetes security context define least privilege for a container.
  • 10. 10 Secure Container Workload Figure 8. Kubernetes security context configuration For accessing AWS services in Kubernetes, you can define a least privilege in Service Account. Figure 9 presented an AWS IAM policy to restrict access a specific S3 bucket.
  • 11. 11 Secure Container Workload Figure 9. AWS IAM policy for accessing specific S3 bucket Figure 10 presented an AWS IAM role for Amazon Elastic Kubernetes Service (EKS). Using this IAM role configuration to let your EKS cluster assume via EKS OICD. Any access permissions for AWS services can be definied as an IAM policy attached to this role.
  • 12. 12 Secure Container Workload Figure 10. AWS IAM role for Amazon Elastic Kubernetes Service (EKS) Figure 11 presented an example to use a Service Account for a container to restrict only specific S3 bucket can be accessed.
  • 13. 13 Secure Container Workload Figure 11. Using Service Account in Kubernetes
  • 14. 14 Secure Container Workload 4. Container orchestration security Take Kubernetes as an example, Kubernetes release new version quarterly. Those releases include CVE security patch as well. Keep update latest Kubernetes version to your production environment with fully protection capacity. In AWS cloud, you can use Amazon Elastic Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS) as container orchestration. Please visit below link for latest release version information of ECS and EKS: 1. Release of Amazon Elastic Container Service (ECS) 2. Release of Amazon Elastic Kubernetes Service (EKS)
  • 15. 15 Secure Container Workload 5. Container scanning via Amazon Elastic Container Registry Scan What is Container Scanning? Container scanning, or container image scanning, is the process and scanning tools used to identify vulnerabilities within containers and their components. It’s key to container security and enables developers and cybersecurity teams to fix security threats in containerized applications before deployment. (Defined by Snyk) A famous open-source tool for vulnerability static analysis in containers called Trivy can help you implement container scanning. In AWS cloud you don’t have to establish infrastructure resources for container scanning. Amazon Elastic Container Registry (ECR) provide native container scanning feature without any infrastructure establish. Container scanning is disabled by default, you need to enable container scan for your Elastic Container Registry. There two kind of scan types in ECR: Basic scanning and Enhanced scanning. Basic scanning: There is no additional cost for basic scanning. It uses the Common Vulnerabilities and Exposures (CVEs) database from the open- source Clair project to scan your container image. Enhanced scanning: Enhanced scanning is an integration with Amazon Inspector which provides vulnerability scanning for your container images. Your container images are scanned for both operating systems and programing language package vulnerabilities. There is additional cost for enhance scanning, please see the pricing model of Amazon Inspector. Figure 12 presented a vulnerability finding list scanned via ECR basic scanning. There are 6 severity rating in the list. Every CVE number has a hyperlink page to let you know the detail information include package name, description, fixed version, etc., please see Figure 13 as an example.
  • 16. 16 Secure Container Workload Figure 12. A vulnerability list of container image scanned via ECR basic scanning Figure 13. CVE information page Follow the fixed version information provided by CVE page to patch the package version in your container.
  • 17. 17 Secure Container Workload 6. Container scanning via Amazon Inspector Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2), AWS Lambda functions, and container workloads for software vulnerabilities and unintended network exposure. As section 5 mentioned Amazon Inspector provide ECR Enhanced scanning for both operating systems and programing language package vulnerabilities. When enable Amazon Inspector your ECR repository will set to Enhanced scanning with Continuously scan mode. You can change the scan mode to Lifetime (continuously), 180 Day, and 30 Day in Amazon Inspector - ECR re-scan duration configuration. Figure 14 presented a Dockerfile with log4j package vulnerability impact version. Use this Dockerfile to build a container image and scan software vulnerability via Amazon Inspector. Figure 14. Dockerfile to build a container image with log4j package vulnerability impact version Figure 15 presented the container scan report of a log4j package vulnerability impact container image via Amazon Inspector. It provides different severity rating for you same as ECR – basic scan type. In the finding list, you can see a lot log4j package vulnerabilities. Pick a critical issue as example.
  • 18. 18 Secure Container Workload Figure 16 presented the detail information of this vulnerability issue. In this page you can see the vulnerability issue is related with what CVE number and which fixed package version number. That information can help you to fix this vulnerability. Figure 15. Amazon Inspector container scan finding report
  • 19. 19 Secure Container Workload Figure 16. Detail information of a vulnerability issue
  • 20. 20 Secure Container Workload 7. Implement security patch in container In section 6 found a container contain log4j package vulnerability with version 2.14.1. From the information of vulnerability issue page, this CVE (CVE-2021-44228) is fixed in log4j package version 2.16.0. Let’s update the log4j to latest version 2.19.0 in Dockerfile (Figure 17) and build a new container push to ECR registry. Amazon Inspector will scan the new container automatically after pushing container to ECR registry. Figure 17. Patching log4j package in Dockerfile The new finding report of Amazon Inspector presented in Figure 18. The result show that CRITICAL, HIGH, and MEDIUM CVE issues have been fixed by updating log4j package to version 2.19.0. In this case we use a log4j vulnerability package as an example to show how to implement a security patch in container image. Using this approach to update your container image with latest CVE patching. Keep patching your container image as a best practice to gain maximum protection capacity.
  • 21. 21 Secure Container Workload Figure 18. Amazon Inspector container scan finding report after log4j package patching