This document provides an overview of container security on AWS. It discusses how to secure container images through scanning repositories and tags. It also covers securing container runtimes through task definitions, IAM roles, security groups, and limiting resources and capabilities. The goal is to reduce risk by locking down access and privileges for containers.
2. How to ask questions during the talk
Please leave your questions in the "Questions/질문" window on the right. If you would like the answer to be visible only to you, mark the question as (비공개) ("private") when you ask it.
Disclaimer
This content was produced and provided separately for this online seminar, for the convenience of customers, to explain AWS services. If there is any difference or inconsistency between the AWS website and this content, the AWS website (aws.amazon.com) takes precedence. Likewise, if there is any difference or inconsistency on the AWS website between the Korean translation and the English original (including where caused by translation delays), the English original takes precedence.
AWS accepts no liability for damages of any kind arising from the use of any information, content, materials, products (including software) or services contained in this content or provided to customers through it, including but not limited to direct, indirect, incidental, punitive and consequential damages.
5. Containers Concept Review: History
chroot – The first container
• Changes the root directory of a process to a new directory
• Introduced in 1979 via Unix Version 7
• Used to create “jails”
LXC – OS-level virtualization for multiple isolated Linux systems on a single kernel
• Introduced in 2008
Docker – Mainstream containers
• Debuted at PyCon in 2013
• Mainstream adoption of containers
Kubernetes – Container orchestration
• Version 1.0 released in July 2015
7. Where do images come from?
Images are...
...separated by tags...
...(optionally) stored in repositories...
...organized in registries
registry/repository/image:tag
8. Where does nginx come from?
Image name
Default tag: latest
Default repository: library
Default registry: Docker Hub
docker.io/library/nginx:latest
9. Start with a known base image
• What base image/OS does this image use?
• What repository did this base image come from?
• Who published it to that repository?
• When was it last published?
• Where (which registry) did this repository come from?
12. Selecting a Base Image Tag
Avoid the latest tag on images
• Can introduce security flaws
• Can cause security scan failures
Use a defined tag
• nginx:1.19
• Change the tag in a non-master branch and scan before merging
https://hub.docker.com/_/nginx/
13. FROM scratch Base Image
scratch...
• does not contain any files
• is an empty base image
• uses bootfs from kernel
Golang is a popular choice
• binary as single file!
14. Unprivileged Containers
Unless you specify a user, your containers will run as the same user as Docker.
This means ROOT!
Give your container a user!
15. “86% of images don’t have a USER line,
so they are running as root by default.”
Liz Rice
Technical Evangelist, Aqua Security
KubeCon Europe 2018
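Slides 7, 8, 12 and 14 together describe how an image reference is resolved (registry, repository, tag defaults) and the two Dockerfile mistakes to catch: a floating "latest" tag and a missing USER. The following is an added example, not code from the slides; it expands a reference with those defaults and lints a constructed Dockerfile for both issues (the sample Dockerfiles and all function names are assumptions).

```python
# Added example (not from the slides): expand an image reference with the
# defaults described above (registry docker.io, repository library, tag latest)
# and lint a Dockerfile for a floating "latest" tag and a missing USER line.

def normalize_image_ref(ref: str) -> dict:
    """Expand e.g. 'nginx' to docker.io/library/nginx:latest."""
    name, tag = ref, "latest"
    if "@" in name:                          # digest-pinned: keep the digest as the tag
        name, digest = name.split("@", 1)
        tag = "@" + digest
    elif ":" in name.rsplit("/", 1)[-1]:     # a tag can only follow the last '/'
        name, tag = name.rsplit(":", 1)
    parts = name.split("/")
    # The first component is a registry only if it looks like a host name.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
    if registry == "docker.io" and len(parts) == 1:
        parts = ["library"] + parts          # Docker Hub official images
    return {"registry": registry, "repository": "/".join(parts[:-1]),
            "image": parts[-1], "tag": tag}

def lint_dockerfile(text: str) -> list:
    """Return findings for FROM lines on 'latest' and for a missing non-root USER."""
    findings, non_root_user = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.strip().split()
        if not words or words[0].startswith("#"):
            continue
        instr = words[0].upper()
        args = [w for w in words[1:] if not w.startswith("--")]   # drop --platform etc.
        if instr == "FROM" and args and args[0] != "scratch":
            ref = normalize_image_ref(args[0])
            if ref["tag"] == "latest":
                full = "/".join(p for p in (ref["registry"], ref["repository"], ref["image"]) if p)
                findings.append(f"line {lineno}: FROM {args[0]} resolves to {full}:latest; pin a tag")
        elif instr == "USER" and args:
            # Only the last USER instruction matters for the final stage.
            non_root_user = args[0].split(":")[0] not in ("root", "0")
    if not non_root_user:
        findings.append("no non-root USER instruction: the container runs as root")
    return findings

# Constructed sample Dockerfiles: one with both issues, one hardened.
WEAK_DOCKERFILE = "FROM nginx\nCOPY index.html /usr/share/nginx/html/\n"
HARDENED_DOCKERFILE = "FROM nginx:1.19\nCOPY index.html /usr/share/nginx/html/\nUSER nginx\n"

if __name__ == "__main__":
    for finding in lint_dockerfile(WEAK_DOCKERFILE):
        print(finding)
```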
17. Private Registries
...should be trusted if it’s yours!
• Keep images close to runtime
• Lower latency
• Reduce “man-in-the-middle” attacks
• Controlled maintenance window
• “Cached” image copy in AWS, even if not the original
18. Public Registries
...should NOT be trusted!
Docker Hub has official repositories
• Essential base OS repositories
• Popular runtimes, data stores, and services (PaaS)
• Best Practices examples
• Security Scanned and Updated
https://hub.docker.com/explore
19. AWS Marketplace for Containers
AWS Marketplace for Containers enables you to find container products in AWS Marketplace:
Software-as-a-service (SaaS) products that help manage, monitor and protect your container applications.
Deploy container products on AWS Fargate
21. Amazon ECR, Elastic Container Registry
• Fully managed container registry for Docker and OCI images
• Natively integrated with other AWS services
• Authentication and Authorization using AWS IAM
• HTTPS encryption in transit
• Encrypted images at rest with AWS KMS CMKs
23. Where does security fit in?
Static scanning on image push and on image pull
24. ECR Image Scanning
Identify software vulnerabilities in container images
• CoreOS Clair project
• Scores vulnerabilities from upstream or CVSS
Enabling scans
• ad hoc
• scan on push
Gain actionable insight
• Integration with Amazon EventBridge (formerly CloudWatch Events)
No additional charge
32. Container CI/CD Workflow
Instance
VPC
• No changes to VPC (non-dedicated)
• Traffic routed through ENI to task
Security Groups
• Isolated security group per task
• Task-level specification
Task Network
• Uses CNI plugin architecture
• Isolated network namespace per task
PrivateLink
• Pull images from ECR within VPC
36. Authentication and Authorization
(Diagram: User, AWS IAM, Amazon Elastic Container Service, ECS Task, Amazon Elastic Container Registry, Amazon CloudWatch inside the AWS cloud; the ECS Task uses a Task Role and a Task Execution Role)
Task Role
• Granular per-task permissions
• Lets the task access other AWS services
AWS IAM User
• Manages Cluster/Task Definition/Service
Task Execution Role
• Used by ECS/Fargate
• Pull container images
• Publish container logs
37. IAM Role for Tasks – Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs-tasks.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
48. Resource Limits (ulimits)
“User Limit” - restrict usage of resources per user
Docker restricts usage of resources per container
• Per process (prlimit)
Soft/Hard limit per item
• Soft limit can be increased by the container
• Hard limit cannot be increased by the container
Example: number of processes (nproc)
• Avoid the fork-bomb
Available limits: core, cpu, data, fsize, locks, memlock, msgqueue, nice, nofile, nproc, rss, rtprio, rttime, sigpending, stack
50. Read-Only Containers
Changes the root filesystem to read-only
Unable to write to files (or change files)
• Can write logs to stdout and stderr
Supports immutable workloads
• If something changes, launch new containers
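Slides 36, 48 and 50 describe the runtime controls set in an ECS task definition: task role and execution role, a non-root user, ulimits such as nproc, and a read-only root filesystem. The following is an added example, not code from the slides or from AWS; it checks a constructed task definition (the ARNs, account id and container values are sample data) against those controls using the real ECS task definition field names.

```python
import json

# Added example (not from the slides): audit an ECS task definition for the
# controls discussed here. Field names (taskRoleArn, executionRoleArn, user,
# readonlyRootFilesystem, privileged, ulimits) are the ECS task definition fields;
# the task definition itself is constructed sample data.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "web",
  "taskRoleArn": "arn:aws:iam::123456789012:role/webTaskRole",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "nginx",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web/nginx:1.19",
      "user": "101",
      "readonlyRootFilesystem": true,
      "ulimits": [{"name": "nproc", "softLimit": 64, "hardLimit": 128}]
    },
    {
      "name": "sidecar",
      "image": "busybox:1.32",
      "privileged": true
    }
  ]
}
""")

def check_task_definition(td: dict) -> list:
    """Return one finding per missing control; an empty list means all checks passed."""
    findings = []
    for key in ("taskRoleArn", "executionRoleArn"):   # slide 36: both roles set
        if not td.get(key):
            findings.append(f"task: {key} missing")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        user = str(c.get("user", "")).split(":")[0]   # ECS accepts "uid", "user", "uid:gid"
        if user in ("", "root", "0"):
            findings.append(f"{name}: runs as root (no non-root 'user')")
        if not c.get("readonlyRootFilesystem", False):  # slide 50
            findings.append(f"{name}: root filesystem is writable")
        if c.get("privileged", False):
            findings.append(f"{name}: privileged mode enabled")
        nproc = [u for u in c.get("ulimits", []) if u.get("name") == "nproc"]
        if not nproc or not nproc[0].get("hardLimit"):  # slide 48: cap processes
            findings.append(f"{name}: no hard nproc ulimit (fork-bomb risk)")
    return findings

if __name__ == "__main__":
    for finding in check_task_definition(SAMPLE_TASK_DEF):
        print(finding)
```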
52. Thank you very much for attending the AWS Online Event – Cloud Security Special.
How did you find the content we prepared?
Please be sure to fill out the survey so that we can make future seminars better.
aws-korea-marketing@amazon.com
twitter.com/AWSKorea
facebook.com/amazonwebservices.ko
youtube.com/user/AWSKorea
slideshare.net/awskorea
twitch.tv/aws