Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS 컨테이너 환경에서의 보안
최인영
솔루션즈 아키텍트
Amazon Web Services
AWS온라인이벤트–클라우드보안특집

강연 중 질문하는 방법
오른쪽의 “Questions/질문” 창에 질문을
남겨주세요. 본인만 답변을 받고 싶으신 경우,
(비공개)라고 하고 질문해 주시면 됩니다.
본 컨텐츠는 고객의 편의를 위해 AWS 서비스 설명을 위해 온라인 세미나용으로 별도로 제작, 제공된 것입니다. 만약 AWS
사이트와 컨텐츠 상에서 차이나 불일치가 있을 경우, AWS 사이트(aws.amazon.com)가 우선합니다. 또한 AWS 사이트
상에서 한글 번역문과 영어 원문에 차이나 불일치가 있을 경우(번역의 지체로 인한 경우 등 포함), 영어 원문이 우선합니다.
AWS는 본 컨텐츠에 포함되거나 컨텐츠를 통하여 고객에게 제공된 일체의 정보, 콘텐츠, 자료, 제품(소프트웨어 포함) 또는 서비스를 이용함으로 인하여 발생하는 여하한 종류의 손해에
대하여 어떠한 책임도 지지 아니하며, 이는 직접 손해, 간접 손해, 부수적 손해, 징벌적 손해 및 결과적 손해를 포함하되 이에 한정되지 아니합니다.
고지 사항(Disclaimer)

Agenda
Images & Registries
Network Security
Authentication & Authorization
Runtime Protection
Advanced Features

Containers Concept Review: History
chroot – The first container
• Changes the root directory of a process to a new directory
• Introduced in 1979 via Unix Version 7
• Used to create “jails”
LXC – OS-level virtualization for multiple isolated Linux systems on a single kernel
• Introduced in 2008
Docker – Mainstream containers
• Debuted at PyCon in 2013
• Mainstream adoption of containers
Kubernetes – Container ochestration
• Version 1.0 released in July 2015

Where do images come from?
Images are...
...separated by tags...
...(optionally) stored in respotories..
...organized in registries
image:tagrepository/registry/

Where does nginx come from?
Images Name
Default tag: latest
Default repository: library
Default registry: Docker Hub
nginx:latestlibrary/docker.io/

Start with a known base image
• What base image/OS does this image use?
• What repository did this base image come from?
• Who published it to that repository?
• When was it last published?
• Where (which registry) did this repository come from?

From https://hub.docker.com/_/nginx/

From docker-nginx/mainline/buster/Dockerfile

Selecting a Base Image Tag
Avoid latest tag on images
• Can introduce security flaws
• Can cause security scan failures
Use a defined tag
• nginx:1.19
• Change in non-master branch
and scan before merge https://hub.docker.com/_/nginx/

FROM scarach Base Image
scratch...
• does not contain any files
• is an empty base image
• uses bootfs from kernel
Golang is a popular choice
• binary as single file!

Unprivileged Containers
Unless you specify a user,
your containers will run as
the same user as Docker
This means ROOT !
Give your container a user !

“86% of images don’t have a USER line,
so they are running as root by default.”
Liz Rice
Technical Evangelist, Aqua Security
KubeCon Europe 2018

Container Registries
Private Public Marketplace

Private Registries
...should be trusted if it’s yours!
• Keep images close to runtime
• Lower latency
• Reduce “main-in-the-middle” attacks
• Controlled maintenance window
• “Cached” image copy in AWS, even if not the original

Public Registries
...should NOT
be trusted!
Docker Hub has official repositories
• Essential base OS repositories
• Popular runtimes, data stores, and services (PaaS)
• Best Practices examples
• Security Scanned and Updated
https://hub.docker.com/explore

AWS Marketplace for Containers
AWS Marketplace for Containers enables you
to find container products in AWS Marketplace
Software-as-a-service (SaaS) products that help manage, monitor and
protect your container applications.
Deploy container products on AWS Fargate

Amazon ECR, Elastic Container Registry
• Fully managed container registry for Docker and OCI images
• Natively integrated with other AWS services
• Authentication and Authorization using AWS IAM
• HTTPS encryption in transit
• Encrypted images at rest with AWS KMS CMKs

Where does security fit in?
Image Push
Image Pull
Static Scanning
Static Scanning

ECR Image Scanning
Identify software vulnerabilities in container images
• CoreOS Clair project
• Scores vulnerabilities from upstream or CVSS
Enabling scans
• ad hoc
• scan on push
Gain actionable insight
• Integration with Amazon EventBridge(former CloudWatch Events)
No additional charge

Container CI/CD Workflow
Instance
VPC
• No changes to VPC (non-dedicated)
• Traffic routed through ENI to task
Security Groups
• Isolated security group per task
• Task-level specification
Task Network
• Uses CNI plugin architecture
• Isolated network namespace per task
PravateLink
• Pull images from ECR within VPC

Task Definition – Security Groups
...family: 'static_site’
networkMode: awsvpc
containerDefinitions:
- name: 'my_nginx'
image: '.../my_nginx:1'
portMappings:
- containerPort: 0
hostPort: 80
protocol: tcp
...

Task Definition – Security Groups Example
"networkConfiguration": {
"awsvpcConfiguration": {
"assignPublicIp": "false",
"securityGroups": [
"sg-01234567890abcdef"
],
"subnets": [
"subnet-01234567890abcdef",
"subnet-abcdef01234567890"
]
}
}
Create/Update Service
with VPC parameters
CreateService API
UpdateService API

Authentication and Authorization
Task Role
Task Execution Role
Amazon Elastic
Container Service
Amazon Elastic
Container Registry
ECS Task
Amazon
CloudWatch
User
AWS cloud
AWS IAM User Task Role
• Granular per-task permissions
• Task access other AWS services
AWS IAM User
• Cluster/Task/Definition/Service
Task Execution Role
• Used by ECS/Fargate
• Pull container images
• Publish container logs

IAM Role for Tasks – Trust Relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ecs-tasks.amazonaws.com"
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
} ] }

Amazon ECR Resource-based policy
Amazon
ECR
https://205094881157.dkr.ecr.ap-northeast-2.amazonaws.com
team-a/web-app
Team C
Another AWS Account
...
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::account-id:user/push-pull-user-1",
"arn:aws:iam::account-id:user/push-pull-user-2"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
...

Injecting Secrets
Environment Variables AWS Parameter Store AWS Secrets Manager
Encryption None AWS KMS AWS KMS
Authentication/
Authorization
None AWS IAM AWS IAM
Secret Rotation Static Static Dynamic

Runtime Protection (EC2)
InstanceFirewall/
Security Group
User

Runtime Protection (ECS/EC2)
Firewall/
Security GroupUser Instance

Runtime Protection (ECS/Fargate)
Instance
Firewall/
Security Group
User
?

Runtime Protection (ECS/Fargate)
Inside the Container Sidecar Container
Task Definition Task Definition

Reduce/Remove Linux Capabilities
Linux Most containers do not need root priviledges
• Logging handled through runtime
• Network is managed for container
• Do not need SSH to container
• Cron as scheduled container
Docker drops unnecessary capabilities
Reduces blast radius of compromised container
Not allowed to add capabilities
• No privileged containers
CAP_AUDIT_WRITE
CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_FSETID
CAP_KILL
CAP_MKNOD
CAP_NET_BIND_SERVICE
CAP_NET_RAW
CAP_SETGID
CAP_SETFCAP
CAP_SETPCAP
CAP_SETUID
CAP_SYS_CHROOT
CAP_AUDIT_CONTROL
CAP_AUDIT_READ
CAP_BLOCK_SUSPEND
CAP_DAC_READ_SEARCH
CAP_FOWNER
CAP_IPC_LOCK
CAP_IPC_OWNER
CAP_LEASE
CAP_LINUX_IMMUTABLE
CAP_MAC_ADMIN
CAP_MAC_OVERRIDE
CAP_NET_ADMIN
CAP_NET_BROADCAST
CAP_SYS_ADMIN
CAP_SYS_BOOT
CAP_SYS_MODULE
CAP_SYS_NICE
CAP_SYS_PACCT
CAP_SYS_PTRACE
CAP_SYS_RAWIO
CAP_SYS_RESOURCE
CAP_SYS_TIME
CAP_SYS_TTY_CONFIG
CAP_SYSLOG
CAP_WAKE_ALARM

Task Definition – Linux Capabilities
...
linuxParameters:
capabilities:
drop:
- 'CAP_SYS_CHROOT'
family: 'static_site’
- name: 'my_nginx'
portMappings:
- containerPort: 0
hostPort: 80
protocol: tcp
...

Resource Limits (ulimits)
“User Limit” - restrict usage of resources per user
Docker restricts usage of resources per container
• Per process (prlimit)
Soft/Hard Limit per item
• Soft limit can be increased by container
• Hard limit cannot be increased by container
Example: number of processes (nproc)
• Avoid the fork-bomb
core
cpu
data
fsize
locks
memlock
msgqueue
nice
nofile
nproc
rss
rtprio
rttime
sigpending
stack

Task Definition – Resource Limits
...
ulimits:
- name: nproc
softLimit: 20
hardLimit: 30
- name: 'my_nginx'
portMappings:
- containerPort: 0
hostPort: 80
protocol: tcp
...

Read-Only Containers
Changes the root filesystem to read-only
Unable to write to files (or change files)
• Can write logs to stdout and stderr
Supports immutable workloads
• If something changes, launch new containers

Task Definition – Resource Limits
...
readonlyRootFilesystem: true
- name: 'my_nginx'
portMappings:
- containerPort: 0
hostPort: 80
protocol: tcp
...

AWS 온라인 이벤트 – 클라우드 보안 특집에
참석해주셔서 대단히 감사합니다.
저희가 준비한 내용, 어떻게 보셨나요?
더 나은 세미나를 위하여 설문을 꼭 작성해 주시기 바랍니다.
aws-korea-marketing@amazon.com
twitter.com/AWSKorea
facebook.com/amazonwebservices.ko
youtube.com/user/AWSKorea
slideshare.net/awskorea
twitch.tv/aws

Thank you!
최인영
inyochoi@amazon.com

Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집

Similar to Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집 (20)

More from Amazon Web Services Korea

More from Amazon Web Services Korea (20)

Recently uploaded

Recently uploaded (20)

Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집