AWS Summit Chicago
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pragmatic Container Security
Vitaliy Shtym
Principal Sales Engineer
Trend Micro
"It worked on my machine" …every developer ever
"Containers provide the ability to package and run an application in a loosely isolated environment" (Docker Inc., on the goal of containers)
Containers package the app and its dependencies in a portable format that runs locally, on-premises, or in the cloud
CVE-2019-5736: runC container-to-host exploit
AWS Well-Architected pillars: Cost Optimization, Security, Operational Excellence, Reliability, Performance Efficiency
The Shared Responsibility Model
Layers, top to bottom: Data, Application, OS, Virtualization, Infrastructure, Physical
Deployment models: On-premises (Traditional), Infrastructure (IaaS), Container (PaaS), Abstract (SaaS)
Legend: AWS' responsibility / Your responsibility
Agenda
• Service configuration
• Container
• Environment
• Tactics
• Specific areas: container host, network, management stack, build pipeline, application foundation, application
The Environment
• Development environment: Cloud9; CI/CD pipeline (CodeCommit, CodeBuild, CodeDeploy, CodePipeline); registry (ECR); container hosts (EC2, ECS, Fargate); orchestration tools (EKS, Kubernetes)
• Production environment: containers on EC2, ECS, or Fargate, with Aurora, S3, ELB, WAF, and API Gateway
The Container Host
Specific areas of focus: EC2
• Choose a container-specific operating system
  • These OSes have reduced their attack surface by removing non-essential services, and bring some performance gains as well
• Harden the operating system (NIST, SANS)
  • Removing non-essential services, updating libraries and tools, and making smart choices for service configurations all lead to a strong foundation to build on
• Add logging and monitoring tools
  • Container hosts are a critical aspect of your infrastructure; you need the right telemetry from the host in order to continuously monitor their health and efficiency
Specific areas of focus: EC2 (continued)
• Patch regularly
  • Software updates often contain critical security patches and should be applied as quickly as possible
• Restrict the IAM role
  • Apply the principle of least privilege
• Add critical security controls like application control, integrity monitoring, and anti-malware
  • Using an "allow list" of applications that can run on the host is highly effective given hosts' specific workloads. Similarly, integrity monitoring and anti-malware controls make sure any changes to the host are expected and not malicious
Specific areas of focus: ECS
• Same as EC2 for any AMI that meets the Amazon ECS AMI specification
  • Use one of the AWS-provided AMIs as a starting point
Specific areas of focus: Fargate
• IAM policies and roles
• Runs on AWS-managed infrastructure, with no Amazon EC2 instances to manage
The Network
Specific areas of focus: VPC
• Turn on VPC flow logging
  • This captures src, dst, timestamp, size, and other critical information used to monitor and troubleshoot the network
• Security groups for tasks/instances
  • Configure least-privilege security groups for EC2 instances or ECS/Fargate tasks in order to reduce their network footprint
• Encrypt data in transit
  • Leverage ALB and ELB functionality with AWS Certificate Manager in order to use encrypted channels where possible
Specific areas of focus: EC2 & ECS
• Use intrusion prevention controls on the EC2 instance
  • Container-aware intrusion prevention systems will help apply security controls to container network traffic, regardless of whether or not it heads north/south
• Log inter-container traffic
  • Failing to log network traffic between containers on the same host leaves gaps in your visibility of the overall application
Specific areas of focus: AWS WAF
• AWS WAF works at the edge, stopping layer 7 attacks as far away from your containers as possible
  • This low-cost service adds a strong preventative control to your applications with little to no effort on your part
• Use managed rules from trusted APN partners or the AWS Labs rules project
  • Managed rules reduce your overhead and the required domain-specific knowledge
Specific areas of focus: GuardDuty
• Use Amazon GuardDuty to find some low-level network abuses
  • The service scans VPC flow logs looking for actionable intelligence; it's another aspect of your defense in depth
The Management Stack
Specific areas of focus: ECR
• Write permissions should be strongly policed
  • Trust is a key part of a registry; limiting updates and the creation of new images will help reduce your organization's exposure
• All images should be scanned for issues after any change
  • Container images may contain known vulnerabilities, malware, or sensitive information that should not be exposed; use a scanner to check for these issues before making the image available
• Systems, not people, should access the registry
  • Container images should be added post-scan after being built by a service. Similarly, a service or automated tool should instantiate the images into a new container
Specific areas of focus: Kubernetes
• Don't run it if you don't have to
  • A managed service like EKS will significantly reduce your operational overhead and exposed attack surface
• Restrict access to the management interface
  • Make sure access is limited to the operational teams that require it, and only those teams
• Follow the CIS Kubernetes benchmark for security
  • Walk through the default configurations and customize them to your requirements. Remember the principle of least privilege
• Monitor your k8s deployment to ensure it stays in line with CIS
Specific areas of focus: EKS
• Set strong IAM policies to restrict access
  • Control who can access the tool and when that access can occur
• Configure the security groups responsible for access to the control plane
  • Restrict and monitor usage of the control plane to ensure your deployment works as intended
• Leverage k8s' native role-based access control
  • Apply the principle of least privilege to ensure that access is limited to only where it is absolutely necessary
The Build Pipeline
Specific areas of focus: Code*
• IAM roles and permissions
  • Make sure to restrict access appropriately. No "Full Access" policies!
• Add scanning and sanity checks at appropriate stages
  • Automating security steps like static code analysis, vulnerability scanning, malware scanning, and secrets management is key
• If you are running your own pipeline, apply the same principles as the EC2 section to those systems
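An added example (mine, not the deck's or AWS's) for the "No Full Access policies" rule above and the earlier ECR point that write permissions must be strongly policed: a small linter over IAM policy documents that reports Allow statements granting a whole service (or everything) on every resource, and any statement that can push to or delete from ECR, so you can confirm only the build role holds those. The two policies and the account/repository ARN are constructed.

```python
"""Lint IAM policy documents for the anti-patterns the deck calls out (constructed samples)."""
import json
from fnmatch import fnmatch

# ECR actions that change registry contents. Only the build service role should hold these.
ECR_WRITE_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:CreateRepository",
    "ecr:DeleteRepository", "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
}

# Constructed: a developer policy that quietly grants full ECR access.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-config/*"}
  ]}""")

# Constructed: a build role that can push one repository and nothing more.
BUILD_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
               "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
               "ecr:CompleteLayerUpload", "ecr:PutImage"],
    "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/app"
  }}""")


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    """Yield (index, statement); Statement itself may be a dict or a list."""
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        yield i, st


def full_access_statements(policy):
    """Indexes of Allow statements granting every action of a service (or all) on every resource."""
    findings = []
    for i, st in statements(policy):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        # An Allow with NotAction is "everything except", which is at least as wide.
        wide_action = "NotAction" in st or any(a == "*" or a.endswith(":*") for a in actions)
        wide_resource = "*" in _as_list(st.get("Resource"))
        if wide_action and wide_resource:
            findings.append(i)
    return findings


def ecr_write_grants(policy):
    """Map statement index -> sorted ECR write actions it grants (Action only, not NotAction)."""
    findings = {}
    for i, st in statements(policy):
        if st.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in _as_list(st.get("Action"))]
        granted = sorted(w for w in ECR_WRITE_ACTIONS
                         if any(fnmatch(w.lower(), p) for p in patterns))
        if granted:
            findings[i] = granted
    return findings


if __name__ == "__main__":
    for name, policy in (("developer", DEVELOPER_POLICY), ("build-role", BUILD_ROLE_POLICY)):
        print(name, "full-access statements:", full_access_statements(policy))
        print(name, "ECR write grants:", ecr_write_grants(policy))
```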
Specific areas of focus: Developers
• Deploy strong endpoint controls to developers' workstations
  • Phishing accounts for 92% of all malware infections, and attackers are shifting focus to attacking developers in order to compromise the systems they build
• Educate developers on strong secure coding practices and help break down the barriers between teams
  • Security traditionally struggles with getting controls built in and settles for "bolt-on" controls, which are more expensive and less effective. Anything you can do to reduce the divide between teams will benefit everyone involved
The Application Foundation
Specific areas of focus: 3rd Party Code
• Choose a framework that is actively maintained with a strong security response workflow
  • Make sure you are constantly monitoring the security status of the framework in order to evaluate the risk of any known vulnerabilities
• Control the version of 3rd party libraries
  • Make sure you cache the required versions of the libraries your application depends on. Don't pull from NPM/GitHub/etc. every time you build or deploy
Specific areas of focus: Image Scanning
• Scan container images before publishing for vulnerabilities, malware, and exposed secrets
  • Before pushing a built container to a registry, verify that your containers are in the state you expect
• Mitigate any known vulnerabilities in source or downstream
  • Not all issues need to be immediately resolved. Security vulnerabilities can be mitigated on the container host if the appropriate control is in place and has the right rule configuration
• Control the version of 3rd party libraries
  • Make sure you cache the required versions of the libraries your application depends on. Don't pull from NPM/GitHub/etc. every time you build or deploy
The Application
Specific areas of focus: Container Spec
• Reduce services and tools in the container itself
  • Only deploy the minimal amount required to accomplish the task at hand. Try to align with the Unix philosophy: do one thing well
• Monitor port usage in containers
  • Needlessly open ports are a security risk
• Track container requirements closely
  • Explicitly define container requirements for network, compute, and security to ensure that they are being met within the larger environment
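An added example (not from the deck) of turning the container spec points above into a check: it compares an ECS task definition against an explicit per-container spec and reports unpinned images, privileged containers, added capabilities, undefined cpu/memory, a missing user, a writable root filesystem, and ports outside the expected set. The task definition and the EXPECTED_PORTS spec are constructed.

```python
"""Check an ECS task definition against an explicit container spec (constructed sample)."""
import json

# Constructed task definition in the register-task-definition input format:
# one container that follows the spec and one leftover "debug" container that does not.
TASK_DEFINITION = json.loads("""{
  "family": "app",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {"name": "web",
     "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.4.2",
     "cpu": 256, "memory": 512, "user": "1000", "readonlyRootFilesystem": true,
     "portMappings": [{"containerPort": 8443, "protocol": "tcp"}]},
    {"name": "debug", "image": "app:latest", "privileged": true,
     "portMappings": [{"containerPort": 22, "protocol": "tcp"}, {"containerPort": 9229}],
     "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}}}
  ]}""")

# Assumed spec: the ports each container is expected to listen on. Anything else is a
# needlessly open port that a reviewer should question.
EXPECTED_PORTS = {"web": {8443}, "debug": set()}


def image_is_pinned(image):
    """True if the image reference carries a digest or a tag other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop the registry/repository path (may contain ':port')
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")


def check_container(cdef, expected_ports):
    """Findings for one container definition; an empty list means it matches the spec."""
    findings = []
    if not image_is_pinned(cdef.get("image", "")):
        findings.append("image not pinned to a version or digest")
    if cdef.get("privileged"):
        findings.append("privileged container")
    caps = cdef.get("linuxParameters", {}).get("capabilities", {}).get("add") or []
    if caps:
        findings.append("adds capabilities: " + ",".join(caps))
    if "cpu" not in cdef or "memory" not in cdef:
        findings.append("cpu/memory requirements not defined")
    if not cdef.get("user"):
        findings.append("no user set (runs as root unless the image sets one)")
    if not cdef.get("readonlyRootFilesystem"):
        findings.append("root filesystem writable")
    ports = {pm["containerPort"] for pm in cdef.get("portMappings", [])}
    extra = sorted(ports - expected_ports.get(cdef["name"], set()))
    if extra:
        findings.append("unexpected ports: " + ",".join(map(str, extra)))
    return findings


def check_task_definition(taskdef, expected_ports=EXPECTED_PORTS):
    """Map container name -> findings for every container in the task definition."""
    return {c["name"]: check_container(c, expected_ports)
            for c in taskdef["containerDefinitions"]}


if __name__ == "__main__":
    for name, findings in check_task_definition(TASK_DEFINITION).items():
        print(name, "->", findings or "matches spec")
```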
Specific areas of focus: Application Code
• Code quality above all else
  • Security vulnerabilities are often code quality issues. Implement strong coding practices, including code reviews that address common security issues
• Use a community-supported input sanitization library
  • Don't write your own…just don't
• Use runtime application self-protection technologies to block complex threats
  • Running directly in the application code, these security controls can use application context not available in other positions to detect and prevent security issues
What's Next?
The goal of cybersecurity: make sure that systems work as intended …and only as intended
Security needs to provide timely, actionable feedback to development
Container Security: 6 areas to focus on…
• Container host
• Network
• Management stack
• Build pipeline
• Application foundation
• Application
Thank you!
Vitaliy Shtym
vitaliy_shtym@trendmicro.com
AWS reInvent 2023 recaps from Chicago AWS user group
 
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
Chicago AWS Solutions Architect Mehdy Haghy recaps the new AI/ML releases and...
 
WilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptxWilliamCollins_Road-to-Transit-Gateway.pptx
WilliamCollins_Road-to-Transit-Gateway.pptx
 
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdfSuresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
Suresh Poopandi_Generative AI On AWS-MidWestCommunityDay-Final.pdf
 
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha DwivedulaStreamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
Streamlined Entitlements with AWS Lake Formation - Anusha Dwivedula
 
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptxSteve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
 
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptxSaurabh_Shanbhag - Building_SaaS_on_AWS.pptx
Saurabh_Shanbhag - Building_SaaS_on_AWS.pptx
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdf
 
Ross Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptxRoss Stuart_Using ML to Solve Lifes Problems.pptx
Ross Stuart_Using ML to Solve Lifes Problems.pptx
 
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdfrobsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
robsable_Enhancing DevOps Practices with CloudWatch APM FINAL.pdf
 
Sanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdfSanket_Nasre_Simplify Modernization.pdf
Sanket_Nasre_Simplify Modernization.pdf
 
Mohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptxMohamed Wali_AWS Security Reference Architecture.pptx
Mohamed Wali_AWS Security Reference Architecture.pptx
 
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptxNick-Walter-HOB_Migrating_Dinosaurs.pptx
Nick-Walter-HOB_Migrating_Dinosaurs.pptx
 

Recently uploaded

High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
Vadym Kazulkin
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 

Recently uploaded (20)

High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 

AWS Community Day - Vitaliy Shtym - Pragmatic Container Security

  • 1. SUMMIT Chicago
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT. Pragmatic Container Security. Vitaliy Shtym, Principal Sales Engineer, Trend Micro
  • 3. "It worked on my machine" …every developer ever
  • 4. Docker Inc. on the goal of containers: "Containers provide the ability to package and run an application in a loosely isolated environment"
  • 5. Local, on-premises, cloud: containers package the app and its dependencies in a portable format
  • 9. Agenda: Container Environment Tactics (specific areas)
      • Container host
      • Network
      • Management stack
      • Build pipeline
      • Application foundation
      • Application
  • 11. Development Environment
      • Cloud9, ECR
      • CI/CD Pipeline: CodeCommit, CodeBuild, CodeDeploy, CodePipeline
      • Container Hosts: EC2, ECS, Fargate
      • Orchestration Tools: EKS, Kubernetes
  • 12. Production Environment
      • Container hosts: EC2, ECS, Fargate
      • Registry, Aurora, S3, ELB, WAF, API Gateway, Containers
  • 14. EC2 (specific areas of focus)
      • Choose a container-specific operating system
          • These OSs have reduced their attack surface by removing non-essential services, with some performance gains as well
      • Harden the operating system (NIST, SANS)
          • Removing non-essential services, updating libraries and tools, and making smart choices for service configurations all lead to a strong foundation to build on
      • Add logging and monitoring tools
          • Container hosts are a critical part of your infrastructure; you need the right telemetry from the host in order to continuously monitor their health and efficiency
  • 15. EC2 (specific areas of focus, continued)
      • Patch regularly
          • Software updates often contain critical security patches and should be applied as quickly as possible
      • Restrict the IAM role
          • Apply the principle of least privilege
      • Add critical security controls like application control, integrity monitoring and anti-malware
          • Using an "allow list" of the applications that can run on the host is highly effective given the hosts' specific workloads. Integrity monitoring and anti-malware controls likewise make sure any changes to the host are expected and not malicious
  • 16. ECS and Fargate (specific areas of focus)
      • ECS
          • Same as EC2 for any AMI that meets the Amazon ECS AMI specification
          • Use one of the AWS-provided AMIs as a starting point
      • Fargate
          • IAM policies and roles
          • Runs on AWS-managed infrastructure; there are no Amazon EC2 instances to manage
  • 18. VPC (specific areas of focus)
      • Turn on VPC flow logging
          • This captures src, dst, timestamp, size and other critical information used to monitor and troubleshoot the network
      • Security groups for tasks/instances
          • Configure least-privilege security groups for EC2 instances or ECS/Fargate tasks in order to reduce their network footprint
      • Encrypt data in transit
          • Leverage ALB and ELB functionality together with AWS Certificate Manager in order to use encrypted channels wherever possible
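Slide 18 lists what a flow log record captures (src, dst, timestamp, size). The parser below, added here as an example and not part of the deck, reads records in the default version 2 flow log format and produces the two summaries a monitoring pipeline usually starts with: rejected flows per source and destination port, and accepted bytes per flow for baselining. The sample records are constructed, not captured traffic.

```python
"""Parse and summarize AWS VPC Flow Log records in the default (version 2) format.

Each record has 14 space-separated fields:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
Intervals with log-status NODATA or SKIPDATA carry '-' in the traffic fields.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records (not captured traffic): two SSH attempts the security
# group rejected, one accepted HTTPS flow, and one interval with no data.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51234 22 6 3 180 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51235 22 6 3 180 1560000061 1560000120 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 44000 443 6 42 30000 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1560000120 1560000180 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    protocol: int  # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int     # Unix seconds, start of the aggregation interval
    end: int
    action: str    # ACCEPT or REJECT (the security group / network ACL decision)


def parse_flow_log_line(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA intervals and malformed lines."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    try:
        return FlowRecord(
            interface_id=f[2], src_addr=f[3], dst_addr=f[4],
            src_port=int(f[5]), dst_port=int(f[6]), protocol=int(f[7]),
            packets=int(f[8]), bytes=int(f[9]), start=int(f[10]), end=int(f[11]),
            action=f[12],
        )
    except ValueError:  # a '-' or other junk where a number belongs
        return None


def parse_flow_log(text: str) -> List[FlowRecord]:
    return [r for r in map(parse_flow_log_line, text.splitlines()) if r is not None]


def rejects_by_source(records: Iterable[FlowRecord]) -> Counter:
    """Count REJECTed flows per (srcaddr, dstport).

    Repeated rejects from one source against one port are the pattern worth
    alerting on: something keeps knocking on a port the security group closed.
    """
    return Counter((r.src_addr, r.dst_port) for r in records if r.action == "REJECT")


def bytes_by_flow(records: Iterable[FlowRecord]) -> Dict[Tuple[str, str, int], int]:
    """Sum bytes of ACCEPTed traffic per (srcaddr, dstaddr, dstport) for baselining."""
    totals: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT":
            totals[(r.src_addr, r.dst_addr, r.dst_port)] += r.bytes
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (src, port), n in rejects_by_source(recs).most_common():
        print(f"REJECT {src} -> :{port}  {n} flows")
```

Flow logs are recorded at the ENI, so container-to-container traffic that stays on a host's bridge network never appears in them; that is the visibility gap slide 19 calls out.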
  • 19. EC2 & ECS (specific areas of focus)
      • Use intrusion prevention controls on the EC2 instance
          • Container-aware intrusion prevention systems will help apply security controls to container network traffic, regardless of whether or not it heads north/south
      • Log inter-container traffic
          • Failing to log network traffic between containers on the same host leaves gaps in your visibility of the overall application
  • 20. AWS WAF (specific areas of focus)
      • AWS WAF works on the edge, stopping layer 7 attacks as far away from your containers as possible
          • This low-cost service adds a strong preventative control to your applications with little to no effort on your part
      • Use managed rules from trusted APN partners or the AWS Labs rules project
          • Managed rules reduce your overhead and the domain-specific knowledge required
  • 21. GuardDuty (specific areas of focus)
      • Use Amazon GuardDuty to find low-level network abuses
          • The service scans VPC flow logs looking for actionable intelligence; it's another aspect of your defense in depth
  • 23. ECR (specific areas of focus)
      • Write permissions should be strongly policed
          • Trust is a key part of a registry; limiting updates and the creation of new images will help reduce your organization's exposure
      • All images should be scanned for issues after any change
          • Container images may contain known vulnerabilities, malware or sensitive information that should not be exposed; use a scanner to check for these issues before making the image available
      • Systems, not people, should access the registry
          • Container images should be added post-scan after being built by a service. Similarly, a service or automated tool should instantiate the images into a new container
  • 24. Kubernetes (specific areas of focus)
      • Don't run it if you don't have to
          • A managed service like EKS will significantly reduce your operational overhead and exposed attack surface
      • Restrict access to the management interface
          • Make sure access is limited to the operational teams that require it, and only those teams
      • Follow the CIS Kubernetes Benchmark for security
          • Walk through the default configurations and customize them to your requirements. Remember the principle of least privilege
          • Monitor your k8s deployment to ensure it stays in line with CIS
  • 25. EKS (specific areas of focus)
      • Set strong IAM policies to restrict access
          • Control who can access the tool and when that access can occur
      • Configure the security groups responsible for access to the control plane
          • Restrict and monitor usage of the control plane to ensure your deployment works as intended
      • Leverage k8s' native role-based access control
          • Apply the principle of least privilege to ensure that access is limited to only where it is absolutely necessary
  • 27. Code* (specific areas of focus)
      • IAM roles and permissions
          • Make sure to restrict access appropriately. No "Full Access" policies!
      • Add scanning and sanity checks at appropriate stages
          • Automating security steps like static code analysis, vulnerability scanning, malware scanning and secrets management is key
      • If you are running your own pipeline, apply the same principles as in the EC2 section to those systems
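Slide 27's "No Full Access policies" and slide 23's "write permissions should be strongly policed; systems, not people, should access the registry" are both checks you can run against policy JSON before it is applied. The audit below is example code added here, not from the deck: the policy documents, account id, role and user names are constructed, and the pipeline role ARN is an assumption about how the build pipeline is identified.

```python
"""Audit IAM policy JSON for two things the deck calls out.

Slide 27: no "Full Access" policies, meaning Allow statements with wildcard
actions on every resource. Slide 23: ECR write permissions should be policed so
that only the build pipeline (a system, not a person) can push or delete images.
"""
import fnmatch
import json
from typing import Dict, List, Set

# Real ECR API actions that add, replace or delete image content.
ECR_WRITE_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage",
}

# Constructed sample policies; account id, role and user names are made up.
PIPELINE_ROLE = "arn:aws:iam::123456789012:role/codebuild-image-publisher"
IDENTITY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadBuildLogs", "Effect": "Allow", "Action": "logs:GetLogEvents",
   "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/*"},
  {"Sid": "EcrEverything", "Effect": "Allow", "Action": "ecr:*", "Resource": "*"}
]}""")
REPOSITORY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PipelinePush", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/codebuild-image-publisher"},
   "Action": ["ecr:PutImage", "ecr:InitiateLayerUpload",
              "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]},
  {"Sid": "DeveloperPush", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"}, "Action": "ecr:*"},
  {"Sid": "HostsPull", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ecs-instance"},
   "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}
]}""")


def _as_list(value) -> list:
    """Most IAM fields accept a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(statement: dict, action: str) -> bool:
    """True if an Allow statement's Action covers `action` (IAM actions are
    case-insensitive and may use '*'). NotAction and Condition are not evaluated."""
    return statement.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), granted.lower())
        for granted in _as_list(statement.get("Action"))
    )


def find_full_access(policy: dict) -> List[str]:
    """Sids (or positions) of Allow statements granting '*' or 'service:*' on Resource '*'."""
    findings = []
    for i, s in enumerate(_as_list(policy.get("Statement"))):
        wildcard = any(a == "*" or a.endswith(":*") for a in _as_list(s.get("Action")))
        if s.get("Effect") == "Allow" and wildcard and "*" in _as_list(s.get("Resource")):
            findings.append(s.get("Sid", f"Statement[{i}]"))
    return findings


def ecr_writers(repository_policy: dict) -> Dict[str, Set[str]]:
    """Map each principal allowed any ECR write action to the write actions it receives."""
    writers: Dict[str, Set[str]] = {}
    for s in _as_list(repository_policy.get("Statement")):
        granted = {a for a in ECR_WRITE_ACTIONS if _grants(s, a)}
        if not granted:
            continue
        principal = s.get("Principal", {})
        # "Principal": "*" opens the repository to everyone; otherwise take the AWS ARNs.
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in arns:
            writers.setdefault(arn, set()).update(granted)
    return writers


def non_pipeline_writers(repository_policy: dict, pipeline_role_arn: str) -> List[str]:
    """Everyone besides the pipeline role who can push or delete images; this list should be empty."""
    return sorted(arn for arn in ecr_writers(repository_policy) if arn != pipeline_role_arn)
```

Run against the samples, `find_full_access` flags only `EcrEverything`, and `non_pipeline_writers` reports the IAM user `alice`, who is exactly the "person, not system" slide 23 says should not be writing to the registry.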
  • 28. Developers (specific areas of focus)
      • Deploy strong endpoint controls to developers' workstations
          • Phishing accounts for 92% of all malware infections, and attackers are shifting focus to attacking developers in order to compromise the systems they build
      • Educate developers on strong secure coding practices and help break down the barriers between teams
          • Security traditionally struggles to get controls built in and settles for "bolt-on" controls, which are more expensive and less effective. Anything you can do to reduce the divide between teams will benefit everyone involved
  • 30. 3rd Party Code (specific areas of focus)
      • Choose a framework that is actively maintained with a strong security response workflow
          • Make sure you are constantly monitoring the security status of the framework in order to evaluate the risk of any known vulnerabilities
      • Control the version of 3rd party libraries
          • Make sure you cache the required versions of the libraries your application depends on. Don't pull from NPM/GitHub/etc. every time you build or deploy
  • 31. Image Scanning (specific areas of focus)
      • Scan container images before publishing for vulnerabilities, malware and exposed secrets
          • Before pushing a built container to a registry, verify that your containers are in the state you expect
      • Mitigate any known vulnerabilities in source or downstream
          • Not all issues need to be immediately resolved. Security vulnerabilities can be mitigated on the container host if the appropriate control is in place and has the right rule configuration
      • Control the version of 3rd party libraries
          • Make sure you cache the required versions of the libraries your application depends on. Don't pull from NPM/GitHub/etc. every time you build or deploy
  • 33. Container Spec (specific areas of focus)
      • Reduce services and tools in the container itself
          • Only deploy the minimum required to accomplish the task at hand. Try to align with the Unix philosophy: do one thing well
      • Monitor port usage in containers
          • Needlessly open ports are a security risk
      • Track container requirements closely
          • Explicitly define container requirements for network, compute and security to ensure that they are being met within the larger environment
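A container spec check covering slide 33's points (minimal contents, no needlessly open ports, explicitly declared requirements) plus the pinned-base-image and non-root basics, run over a weak Dockerfile and its hardened version. This is example code added here, not from the deck; both Dockerfiles describe a hypothetical Node.js service and are constructed.

```python
"""Lint a Dockerfile against the container-spec guidance on slide 33.

Checks: base image pinned (no ':latest' or untagged), a non-root USER in the
final stage, every EXPOSEd port present in the declared network requirements,
and apt-get installs that pull in recommended extras the task does not need.
"""
from typing import List, Set, Tuple

# Constructed Dockerfiles for a hypothetical Node.js service (not a real project).
WEAK_DOCKERFILE = """FROM node:latest
RUN apt-get update && apt-get install -y \\
    curl vim
COPY . /app
WORKDIR /app
EXPOSE 8080 22
CMD ["node", "server.js"]
"""
HARDENED_DOCKERFILE = """FROM node:18-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY . /app
WORKDIR /app
USER node
EXPOSE 8080
CMD ["node", "server.js"]
"""


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations, skipping comments."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        name, _, args = (pending + line).partition(" ")
        instructions.append((name.upper(), args.strip()))
        pending = ""
    return instructions


def _is_pinned(image: str) -> bool:
    """True for 'repo@sha256:...' or 'repo:tag' with a tag other than latest ('scratch' is fine)."""
    if image.lower() == "scratch" or "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop the registry host, which may carry its own port
    return ":" in last and not last.endswith(":latest")


def lint_container_spec(dockerfile: str, required_ports: Set[int]) -> List[str]:
    """Return findings; an empty list means the spec passes every check."""
    instrs = parse_dockerfile(dockerfile)
    findings: List[str] = []
    exposed: Set[int] = set()
    for name, args in instrs:
        if name == "FROM" and not _is_pinned(args.split()[0]):  # args may end in 'AS stage'
            findings.append(f"FROM {args.split()[0]}: base image not pinned to a tag or digest")
        if name == "RUN" and "apt-get install" in args and "--no-install-recommends" not in args:
            findings.append("RUN apt-get install without --no-install-recommends: installs more than the task needs")
        if name == "EXPOSE":
            exposed.update(int(p.split("/")[0]) for p in args.split() if p.split("/")[0].isdigit())
    users = [args.split(":")[0] for name, args in instrs if name == "USER"]
    if not users or users[-1] in ("root", "0"):
        findings.append("no non-root USER: the process runs as root inside the container")
    for port in sorted(exposed - required_ports):
        findings.append(f"EXPOSE {port}: port is not in the declared network requirements")
    return findings


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, lint_container_spec(df, required_ports={8080}) or ["OK"])
```

The `required_ports` argument is the explicit network requirement slide 33 asks for; anything EXPOSEd beyond it (port 22 in the weak file) is the "needlessly open port" the slide warns about.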
  • 34. Application Code (specific areas of focus)
      • Code quality above all else
          • Security vulnerabilities are often code quality issues. Implement strong coding practices, including code reviews that address common security issues
      • Use a community-supported input sanitization library
          • Don't write your own…just don't
      • Use runtime application self-protection technologies to block complex threats
          • Running directly in the application code, these security controls can use application context not available in other positions to detect and prevent security issues
  • 36. The goal of cybersecurity: make sure that systems work as intended …and only as intended
  • 37. Security needs to provide timely, actionable feedback to development
  • 38. Container Security: 6 areas to focus on…
      • Container host
      • Network
      • Management stack
      • Build pipeline
      • Application foundation
      • Application
  • 39. Thank you! Vitaliy Shtym, vitaliy_shtym@trendmicro.com. SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 40. SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.