The document discusses the importance of securing container-based applications within the fast-paced environment of digital business, highlighting significant trends and statistics on digitalization and the demand for rapid innovation. It details AWS container services such as Amazon Elastic Container Service and AWS Fargate, focusing on their capabilities for deployment, management, and security of containerized applications. Additionally, it emphasizes the necessity of integrating security into the DevOps workflow to address the growing vulnerabilities in open-source components.

1. Securing Container-Based Applications
at the Speed of DevOpsSecuring Container-Based
Applications at the Speed of
DevOps
Carmen Puccio
Principal Solutions Architect
AWS Partner Program
Shiri Ivtsan
Product Manager
WhiteSource

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential2 | © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Carmen Puccio
Principal Solutions Architect
AWS Partner Program

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
The new normal: companies are increasingly global and
products are increasingly digital
47%
of CEOs said they are
being challenged by the
board of directors to
make progress in digital
business
Source: Gartner
79%
of CIOs believe that
digital business is making
their IT organizations
better prepared to
change
67%
of all business leaders
believe that they must
pick up the pace of
digitalization to remain
competitive

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
To maintain competitive advantage, digital businesses
must innovate as rapidly as possible
FeedbackIdeas
Experiment
Innovation
Flywheel

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
What changes have
to be made
in this new world?
Architectural patterns
Operational model
Software delivery

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Containers are the best on ramp
towards modern applications

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Make AWS the BEST PLACE to run ANY
containerized applications
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
AWS container services landscape
Management
Deployment, Scheduling, Scaling
& Management of containerized
applications
Hosting
Where the containers run
Amazon Elastic
Container Service
Amazon Elastic
Container Service for
Kubernetes
Amazon EC2 AWS Fargate
Image Registry
Container Image Repository
Amazon Elastic
Container Registry

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Helping customers scale containers
450+%
growth since 2016
Hundreds of millions
of containers started each week
of millions
of container instances

10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Why customers love AWS container services
Containers are a first-class citizen of the AWS Cloud
Deeply integrated with
AWS
Security and Compliance
Broad selection of compute instances
and IAM security, VPC networking,
load balancing, and autoscaling
ISO, HIPPA, PCI, SOC1, SOC2, SOC3
Infocomm Media Development Auth.
DevOps Workflow
Best place to build and operate
a complete DevOps workflow for
containers—AWS DevTools and Cloud9
DEV OPS

11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Typical use cases
• Microservices: Java, Node.js, Go, Web Apps, etc.
• Continuous Integration and Continuous Deployment (CICD)
• Batch Processing and ETL jobs
• Common PaaS Stack for Application Deployment
• Legacy Application Migration to the Cloud
• Hybrid Workloads
• AI/ML
• Scale Testing
• Backend for IoT use cases

12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
AWS container services landscape
Management
Deployment, Scheduling, Scaling
& Management of containerized
applications
Hosting
Where the containers run
Amazon Elastic
Container Service
Amazon Elastic
Container Service for
Kubernetes
Amazon EC2 AWS Fargate
Image Registry
Container Image Repository
Amazon Elastic
Container Registry

13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Amazon Elastic
Container Service

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Scheduling and Orchestration
Cluster Manager Placement Engine
ECS

15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
AWS Fargate

16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Without Fargate, you end up managing more than just containers
EC2 Instance
ECS
Agent
Docker
Agent
OS

17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
- Patching and Upgrading OS, agents, etc.
- Scaling the instance fleet for optimal utilization

18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Amazon Elastic Container Service

19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Amazon Elastic Container Service
AWS Fargate
run serverless containers

20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Your containerized
applications
Managed by AWS
No EC2 Instances to provision, scale or manage
Elastic
Scale up & down seamlessly. Pay only for what you use
Integrated
with the AWS ecosystem: VPC Networking, Elastic Load
Balancing, IAM Permissions, CloudWatch and more
AWS Fargate

21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Fully managed container environment
with AWS ECS + Fargate
Bring existing code Production ready Powerful integrations
No changes required of existing code,
works with existing workflows and
microservices built on
Amazon ECS
ISO, PCI, HIPAA, SOC compliant.
Launch ten or tens of thousands
of containers in seconds in 9
global regions (+7 in 2018)
Native AWS integrations for
networking, security, CICD,
monitoring, and tracing
Fargate runs tens of millions of containers for AWS customers every week

22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Amazon Elastic
Container Service for Kubernetes

23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Open source container
management platform
Helps you run
containers at scale
Gives you primitives
for building modern
applications
What is Kubernetes?

24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Community, contribution, choice

25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
But where you run Kubernetes matters
Quality of the cloud
platform
Quality of the
applications
Your users

26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
—CNCF survey

27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
mycluster.eks.amazonaws.com
Availability
Zone 1
Availability
Zone 2
Availability
Zone 3
Kubectl

28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
EKS is Kubernetes certified

29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
How are customer using Amazon EKS?
Microservices
PaaS
Platform-as-a-Service Enterprise App Migration Machine Learning

30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Amazon container services
AWS Fargate

31. The Goal:
Fast & Continuous
Delivery

32. Open Source Usage
96.8%Of the developers rely on
Open Source components.

33. OSS Security Vulnerabilities Are on the Rise
51%the observed YoY rise
of reported vulnerabilities in 2017
https://www.whitesourcesoftware.com/open-source-vulnerability-management-report

34. Open Source Challenges
1One challenging area in particular
is pronounced
https://www.whitesourcesoftware.com/open-source-vulnerability-management-report

35. Monolith to Microservice and Container

36. Container Lifecycle
Build RunShip

37. Security teams analyze
and prioritize
vulnerabilities
Sending emails or
opening issues/tickets
Closing the loop on
resolution is hard
The Common Way of Handling Security
Vulnerabilities

38. Security DevOps Developers
Bridging the Gap is a Must

39. The Question Arises:
How Can One Bake
Security Into Existing
Workflows?

40. Let’s Start With Some Questions
▪ Do you use a private registry?
▪ When using a public registry, are the
images signed?
▪ Do you regularly scan your images?
▪ How quickly are images rebuilt with
security fixes?

41. CI/CD Gates with CodeBuild
Integrate security
testing into your build
and CI process
DevOps
Build
TestDeploy

42. CI/CD Gates
Use automated
policies to fail builds
with issues

43. CI/CD Gates
Scan across the lifecycle:
Development Build Container Registry Deploy

44. Trusted Sources - ECR
Use private registries
and sign images from
public registries

45. Manage Deployments - EKS
Prevent deployment of images with
known vulnerabilities

46. Manage Deployments
Prevent deployment of
containers that require
root

47. Manage Deployments
Validate image signatures

48. Manage Deployments
Monitor for new vulnerabilities

50. Q&A