
Security in Amazon Container Environments – Inyoung Choi (최인영), AWS Solutions Architect :: AWS Online Event – Cloud Security Special


* Session video: https://youtu.be/NoCh_GFudiM
This session covers the security elements to consider when running applications in Amazon container environments. In particular, it covers image scanning in Amazon ECR (the container image registry) as well as container security best practices such as access control and handling of sensitive information.



  1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in AWS Container Environments. Inyoung Choi (최인영), Solutions Architect, Amazon Web Services. AWS Online Event – Cloud Security Special
  2. How to ask questions during the talk: leave your question in the "Questions/질문" panel on the right. If you would like a private answer, prefix your question with "(private)". Disclaimer: this content was produced and provided separately for an online seminar, to explain AWS services for the convenience of customers. If there is any difference or inconsistency between the AWS site and this content, the AWS site (aws.amazon.com) prevails. Likewise, where the Korean translation on the AWS site differs from the English original (including because of translation delays), the English original prevails. AWS accepts no liability whatsoever for damages of any kind arising from the use of any information, content, materials, products (including software) or services included in this content or provided to customers through it, including but not limited to direct, indirect, incidental, punitive and consequential damages.
  3. Agenda
      • Images & Registries
      • Network Security
      • Authentication & Authorization
      • Runtime Protection
      • Advanced Features
  5. Containers Concept Review: History
      • chroot – the first container: changes the root directory of a process to a new directory; introduced in 1979 with Unix Version 7; used to create "jails"
      • LXC – OS-level virtualization for multiple isolated Linux systems on a single kernel; introduced in 2008
      • Docker – mainstream containers: debuted at PyCon in 2013; brought mainstream adoption of containers
      • Kubernetes – container orchestration: version 1.0 released in July 2015
  7. Where do images come from? Images are separated by tags, (optionally) stored in repositories, and organized in registries: registry/repository/image:tag
  8. Where does nginx come from? Image name: nginx. Default tag: latest. Default repository (namespace): library. Default registry: Docker Hub. Fully qualified: docker.io/library/nginx:latest
  9. Start with a known base image
      • What base image/OS does this image use?
      • What repository did this base image come from?
      • Who published it to that repository?
      • When was it last published?
      • Where (which registry) did this repository come from?
  10. From https://hub.docker.com/_/nginx/
  11. From docker-nginx/mainline/buster/Dockerfile
  12. Selecting a Base Image Tag. Avoid the latest tag on images: it can introduce security flaws and can cause security scan failures. Use a defined tag, for example nginx:1.19; change it in a non-master branch and scan before merge. https://hub.docker.com/_/nginx/
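Slides 7, 8 and 12 describe how Docker fills in the registry, namespace and tag when a reference omits them, and why a floating `latest` tag is a problem. The following Python is an added example written for this page (it is not AWS or Docker code): it resolves an image reference the way those slides describe and reports the review findings from slides 9, 12 and 17-18. The `private_registries` allow list is an assumed input the caller supplies; the ECR hostname in the usage comes from slide 38.

```python
"""Resolve container image references with Docker's defaults (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Defaults Docker applies when a reference omits parts (slides 7-8).
DEFAULT_REGISTRY = "docker.io"
DEFAULT_NAMESPACE = "library"
DEFAULT_TAG = "latest"


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # namespace/name, e.g. library/nginx
    tag: Optional[str]       # None when the reference is pinned by digest only
    digest: Optional[str]    # sha256:... when present

    def __str__(self) -> str:
        ref = f"{self.registry}/{self.repository}"
        if self.tag:
            ref += f":{self.tag}"
        if self.digest:
            ref += f"@{self.digest}"
        return ref


def _looks_like_registry(component: str) -> bool:
    # Docker treats the first path component as a registry host only when it
    # contains a dot or a port, or is literally "localhost".
    return "." in component or ":" in component or component == "localhost"


def parse_image_ref(ref: str) -> ImageRef:
    """Split registry/repository:tag@digest, filling in Docker's defaults."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)

    parts = ref.split("/")
    if len(parts) > 1 and _looks_like_registry(parts[0]):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = DEFAULT_REGISTRY, ref

    # The tag separator is a ':' that comes after the last '/' of the path.
    tag = None
    name, sep, candidate = path.rpartition(":")
    if sep and "/" not in candidate:
        path, tag = name, candidate

    # Docker Hub puts single-segment names under the "library" namespace.
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = f"{DEFAULT_NAMESPACE}/{path}"

    if tag is None and digest is None:
        tag = DEFAULT_TAG
    return ImageRef(registry, path, tag, digest)


def review_image_ref(ref: str, private_registries: Sequence[str] = ()) -> List[str]:
    """Apply the checks from slides 12 and 17-18 to one image reference."""
    img = parse_image_ref(ref)
    findings = []
    if img.digest is None and img.tag == DEFAULT_TAG:
        findings.append("floating 'latest' tag: pin a defined tag such as nginx:1.19")
    if img.registry not in private_registries:
        findings.append(f"pulled from {img.registry}, not a private registry you control")
    return findings


if __name__ == "__main__":
    # Constructed usage; the hostname is the ECR endpoint shown on slide 38.
    ecr = "205094881157.dkr.ecr.ap-northeast-2.amazonaws.com"
    for ref in ("nginx", "nginx:1.19", f"{ecr}/team-a/web-app:1"):
        print(parse_image_ref(ref), review_image_ref(ref, [ecr]))
```

The parser accepts a digest-pinned reference as well (`nginx@sha256:...`), in which case no tag is assumed, so a digest-pinned image does not trigger the `latest` finding.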
  13. FROM scratch. The scratch base image does not contain any files; it is an empty base image; it uses bootfs from the kernel. Golang is a popular choice: the binary is a single file!
  14. Unprivileged Containers. Unless you specify a user, your containers will run as the same user as Docker. This means ROOT! Give your container a user!
  15. "86% of images don't have a USER line, so they are running as root by default." Liz Rice, Technical Evangelist, Aqua Security, KubeCon Europe 2018
  16. Container Registries: Private, Public, Marketplace
  17. Private Registries should be trusted if it's yours!
      • Keep images close to runtime
      • Lower latency
      • Reduce "man-in-the-middle" attacks
      • Controlled maintenance window
      • "Cached" image copy in AWS, even if not the original
  18. Public Registries should NOT be trusted! Docker Hub has official repositories:
      • Essential base OS repositories
      • Popular runtimes, data stores, and services (PaaS)
      • Best-practice examples
      • Security scanned and updated
      https://hub.docker.com/explore
  19. AWS Marketplace for Containers enables you to find container products in AWS Marketplace: software-as-a-service (SaaS) products that help manage, monitor and protect your container applications. Deploy container products on AWS Fargate.
  21. Amazon ECR, Elastic Container Registry
      • Fully managed container registry for Docker and OCI images
      • Natively integrated with other AWS services
      • Authentication and authorization using AWS IAM
      • HTTPS encryption in transit
      • Images encrypted at rest with AWS KMS CMKs
  22. Container Image Workflow
  23. Where does security fit in? (diagram labels: Image Push, Image Pull, Static Scanning, Static Scanning)
  24. ECR Image Scanning
      • Identifies software vulnerabilities in container images
      • Based on the CoreOS Clair project
      • Scores vulnerabilities from upstream or CVSS
      • Enabling scans: ad hoc, or scan on push
      • Gain actionable insight: integration with Amazon EventBridge (formerly CloudWatch Events)
      • No additional charge
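Slide 24 mentions that scan results reach you through Amazon EventBridge; the natural way to act on that is a rule that matches completed scans and a handler that decides whether the image may proceed. The following Python is an added example written for this page, not AWS code: the rule pattern and the constructed sample event follow the field names of the "ECR Image Scan" event (`scan-status`, `repository-name`, `image-digest`, `image-tags`, `finding-severity-counts`), which are assumed here from that event's documented format; the account, digest and counts are made up.

```python
"""Gate an image on an ECR image-scan EventBridge event (added example)."""
from typing import Any, Dict

# Severity levels reported in ECR scan findings, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

# EventBridge rule pattern that matches completed scans (assumed field names).
SCAN_COMPLETE_RULE = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {"scan-status": ["COMPLETE"]},
}

# Constructed sample event, not a real scan result; account and digest are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "account": "123456789012",
    "region": "ap-northeast-2",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "team-a/web-app",
        "image-digest": "sha256:" + "0" * 64,
        "image-tags": ["1"],
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 7},
    },
}


def matches_rule(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Minimal EventBridge pattern matcher: lists are allowed values, dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_rule(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def evaluate_scan(event: Dict[str, Any], block_at: str = "HIGH") -> Dict[str, Any]:
    """Decide whether the scanned image may be promoted.

    block_at is the least severe level that still blocks: "HIGH" blocks on
    CRITICAL and HIGH findings, "CRITICAL" blocks on CRITICAL only.
    """
    detail = event["detail"]
    status = detail.get("scan-status")
    if status != "COMPLETE":
        # A failed or incomplete scan is treated as a block, never as a pass.
        return {"decision": "block", "reason": f"scan status {status}", "blocking": {}}

    threshold = SEVERITY_ORDER.index(block_at)
    counts = detail.get("finding-severity-counts", {})
    blocking = {
        sev: n
        for sev, n in counts.items()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) <= threshold and n > 0
    }
    # Identify the image by digest so a later tag move cannot confuse the record.
    image = f"{detail['repository-name']}@{detail['image-digest']}"
    return {
        "decision": "block" if blocking else "allow",
        "image": image,
        "tags": list(detail.get("image-tags", [])),
        "blocking": blocking,
        "reason": "blocking findings present" if blocking else f"no findings at or above {block_at}",
    }


if __name__ == "__main__":
    if matches_rule(SAMPLE_EVENT, SCAN_COMPLETE_RULE):
        print(evaluate_scan(SAMPLE_EVENT))
```

The handler returns a decision rather than printing one so it can sit behind a Lambda target or a CI step; the threshold is a parameter because what counts as blocking differs between a base image and an internal tool.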
  26–27. Example findings – console
  28–29. Example findings – cli
  30. Container CI/CD Workflow
  32. Container CI/CD Workflow
      • Instance VPC: no changes to the VPC (non-dedicated); traffic routed through an ENI to the task
      • Security Groups: isolated security group per task; task-level specification
      • Task Network: uses the CNI plugin architecture; isolated network namespace per task
      • PrivateLink: pull images from ECR within the VPC
  33. Task Definition – Security Groups

          ...
          family: 'static_site'
          networkMode: awsvpc
          containerDefinitions:
            - name: 'my_nginx'
              image: '.../my_nginx:1'
              portMappings:
                - containerPort: 0
                  hostPort: 80
                  protocol: tcp
          ...

  34. Task Definition – Security Groups Example. Create/update the service with VPC parameters (CreateService API, UpdateService API):

          "networkConfiguration": {
            "awsvpcConfiguration": {
              "assignPublicIp": "false",
              "securityGroups": [
                "sg-01234567890abcdef"
              ],
              "subnets": [
                "subnet-01234567890abcdef",
                "subnet-abcdef01234567890"
              ]
            }
          }
  36. Authentication and Authorization (diagram labels: AWS IAM User, ECS Task, Task Role, Task Execution Role, Amazon Elastic Container Service, Amazon Elastic Container Registry, Amazon CloudWatch, AWS cloud)
      • Task Role: granular per-task permissions; lets the task access other AWS services
      • AWS IAM User: manages Cluster/Task Definition/Service
      • Task Execution Role: used by ECS/Fargate to pull container images and publish container logs
  37. IAM Role for Tasks – Trust Relationship (the comma between the two service principals was missing on the slide)

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "Service": [
                    "ecs-tasks.amazonaws.com",
                    "ec2.amazonaws.com"
                  ]
                },
                "Action": "sts:AssumeRole"
              }
            ]
          }

  38. Amazon ECR Resource-based policy (diagram labels: Amazon ECR, https://205094881157.dkr.ecr.ap-northeast-2.amazonaws.com, team-a/web-app, Team C, Another AWS Account)

          ...
          "Statement": [
            {
              "Sid": "AllowPushPull",
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::account-id:user/push-pull-user-1",
                  "arn:aws:iam::account-id:user/push-pull-user-2"
                ]
              },
              "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
          ...
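Slides 37 and 38 show the two IAM documents that decide who can act as a task and who can push to or pull from a repository. The following Python is an added example written for this page, not AWS tooling: it lints both documents for the least-privilege points a reviewer checks (open principals, wildcard actions, which principals hold push rights, which service principals may assume the task role). The sample policies are the ones on the slides, with the missing comma on slide 37 supplied; the allow list of service principals is an assumed input chosen by the caller.

```python
"""Lint a task-role trust policy and an ECR repository policy (added example)."""
from typing import Any, Dict, List, Set, Tuple

# Actions that write to a repository; a pull-only principal needs none of these.
PUSH_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"}

# Trust relationship from slide 37.
TASK_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ecs-tasks.amazonaws.com", "ec2.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}

# Repository policy from slide 38 (account-id is the slide's own placeholder).
REPO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPushPull",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::account-id:user/push-pull-user-1",
                              "arn:aws:iam::account-id:user/push-pull-user-2"]},
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                   "ecr:BatchCheckLayerAvailability", "ecr:PutImage",
                   "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                   "ecr:CompleteLayerUpload"],
    }],
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def principals(statement: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Flatten Principal into (kind, value) pairs, e.g. ("Service", "ecs-tasks.amazonaws.com")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def lint_trust_policy(policy: Dict[str, Any], allowed_services: Set[str]) -> List[str]:
    """A task role should be assumable only by service principals on the allow list."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action", []))) & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        for kind, value in principals(stmt):
            if value == "*":
                findings.append("anyone can assume this role: Principal is '*'")
            elif kind == "Service" and value not in allowed_services:
                findings.append(f"service principal {value} is outside the allow list {sorted(allowed_services)}")
            elif kind == "AWS":
                findings.append(f"IAM principal {value} can assume a task role; review whether that is intended")
    return findings


def lint_repository_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag open or over-broad grants and list who holds push rights."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        grantees = [v for _, v in principals(stmt)]
        if "*" in grantees and "Condition" not in stmt:
            findings.append(f"{sid}: grants to Principal '*' without a Condition")
        if actions & {"*", "ecr:*"}:
            findings.append(f"{sid}: wildcard action; list the ecr: actions actually needed")
        if actions & PUSH_ACTIONS:
            findings.append(f"{sid}: push allowed for {', '.join(sorted(grantees))}; confirm these are the CI principals")
    return findings


if __name__ == "__main__":
    print(lint_trust_policy(TASK_ROLE_TRUST, {"ecs-tasks.amazonaws.com"}))
    print(lint_repository_policy(REPO_POLICY))
```

With the allow list set to `ecs-tasks.amazonaws.com` alone, the slide's trust policy produces one finding for `ec2.amazonaws.com`; widen the allow list if the role is meant to be shared with EC2 instance profiles. The repository lint does not fail the slide's policy; it reports the two push-pull principals so a reviewer can confirm they are the intended CI identities.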
  39. Injecting Secrets

      |                              | Environment Variables | AWS Parameter Store | AWS Secrets Manager |
      |------------------------------|-----------------------|---------------------|---------------------|
      | Encryption                   | None                  | AWS KMS             | AWS KMS             |
      | Authentication/Authorization | None                  | AWS IAM             | AWS IAM             |
      | Secret Rotation              | Static                | Static              | Dynamic             |
  41. Runtime Protection (EC2) (diagram labels: User, Firewall/Security Group, Instance)
  42. Runtime Protection (ECS/EC2) (diagram labels: User, Firewall/Security Group, Instance)
  43. Runtime Protection (ECS/Fargate) (diagram labels: User, Firewall/Security Group, Instance, ?)
  44. Runtime Protection (ECS/Fargate): inside the container, or as a sidecar container; both are declared in the task definition
  46. Reduce/Remove Linux Capabilities. Most containers do not need root privileges:
      • Logging is handled through the runtime
      • The network is managed for the container
      • No need for SSH into the container
      • Cron runs as a scheduled container
      Docker drops unnecessary capabilities, which reduces the blast radius of a compromised container. Adding capabilities is not allowed: no privileged containers.
      Capabilities listed on the slide: CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETFCAP CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_BLOCK_SUSPEND CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_LOCK CAP_IPC_OWNER CAP_LEASE CAP_LINUX_IMMUTABLE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BROADCAST CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM
  47. Task Definition – Linux Capabilities (linuxParameters belongs to the container definition)

          ...
          family: 'static_site'
          containerDefinitions:
            - name: 'my_nginx'
              image: '.../my_nginx:1'
              portMappings:
                - containerPort: 0
                  hostPort: 80
                  protocol: tcp
              linuxParameters:
                capabilities:
                  drop:
                    - 'CAP_SYS_CHROOT'
          ...

  48. Resource Limits (ulimits). A "user limit" restricts resource usage per user; Docker restricts resource usage per container, applied per process (prlimit). Each item has a soft and a hard limit: the soft limit can be raised by the container, the hard limit cannot. Example: number of processes (nproc), to avoid a fork bomb. Limit names: core cpu data fsize locks memlock msgqueue nice nofile nproc rss rtprio rttime sigpending stack
  49. Task Definition – Resource Limits (ulimits belongs to the container definition)

          ...
          family: 'static_site'
          containerDefinitions:
            - name: 'my_nginx'
              image: '.../my_nginx:1'
              portMappings:
                - containerPort: 0
                  hostPort: 80
                  protocol: tcp
              ulimits:
                - name: nproc
                  softLimit: 20
                  hardLimit: 30
          ...

  50. Read-Only Containers. Changes the root filesystem to read-only, so the container cannot write to or change files; it can still write logs to stdout and stderr. Supports immutable workloads: if something changes, launch new containers.
  51. Task Definition – Resource Limits (readonlyRootFilesystem belongs to the container definition)

          ...
          family: 'static_site'
          containerDefinitions:
            - name: 'my_nginx'
              image: '.../my_nginx:1'
              portMappings:
                - containerPort: 0
                  hostPort: 80
                  protocol: tcp
              readonlyRootFilesystem: true
          ...
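Slides 39 and 46-51 each show one runtime setting in isolation (secrets via `valueFrom`, capability drops, `ulimits`, `readonlyRootFilesystem`, a non-root user from slide 14). A reviewer normally wants all of them checked together over a task definition before it is registered. The following Python is an added example written for this page, not AWS tooling: it audits the container definitions of a task definition in the JSON form ECS registers, and carries a constructed weak definition next to a hardened one. The image URI, UID, nproc values and the Parameter Store ARN are placeholders; the secret-name regex is an assumption about what counts as credential-like.

```python
"""Audit ECS container definitions for the runtime settings on slides 39 and 46-51 (added example)."""
import re
from typing import Any, Dict, List

# Names that usually carry credentials. Such values belong in `secrets` (valueFrom =
# Parameter Store or Secrets Manager ARN, slide 39), not in plain `environment`.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)

# Constructed task definitions; the image URI and ARN are placeholders, not real resources.
IMAGE = "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/my_nginx:1"
WEAK_TASK = {
    "family": "static_site",
    "containerDefinitions": [{
        "name": "my_nginx",
        "image": IMAGE,
        "environment": [{"name": "DB_PASSWORD", "value": "plaintext-in-task-def"}],
        "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}},
    }],
}
HARDENED_TASK = {
    "family": "static_site",
    "containerDefinitions": [{
        "name": "my_nginx",
        "image": IMAGE,
        "user": "101:101",
        "readonlyRootFilesystem": True,
        "linuxParameters": {"capabilities": {"drop": ["CAP_SYS_CHROOT", "CAP_NET_RAW"]}},
        "ulimits": [{"name": "nproc", "softLimit": 20, "hardLimit": 30}],
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": "arn:aws:ssm:ap-northeast-2:123456789012:parameter/PLACEHOLDER/db-password"}],
    }],
}


def audit_container(c: Dict[str, Any]) -> List[str]:
    """Return one finding per violated setting for a single container definition."""
    name = c.get("name", "<unnamed>")
    findings: List[str] = []
    if c.get("privileged"):
        findings.append(f"{name}: privileged=true gives the container every capability")
    caps = (c.get("linuxParameters") or {}).get("capabilities") or {}
    if caps.get("add"):
        findings.append(f"{name}: adds capabilities {caps['add']}; additions are not allowed (slide 46)")
    user = str(c.get("user", "")).strip()
    if user in ("", "root", "0") or user.split(":")[0] in ("root", "0"):
        findings.append(f"{name}: runs as root; set user to an unprivileged UID (slide 14)")
    if not c.get("readonlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable; set readonlyRootFilesystem=true (slide 50)")
    if not any(u.get("name") == "nproc" for u in c.get("ulimits", [])):
        findings.append(f"{name}: no nproc ulimit; a fork bomb is not contained (slide 48)")
    for env in c.get("environment", []):
        if SECRET_NAME_RE.search(env.get("name", "")):
            findings.append(f"{name}: environment variable {env['name']} looks like a secret; use secrets/valueFrom (slide 39)")
    return findings


def audit_task_definition(td: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    for c in td.get("containerDefinitions", []):
        findings.extend(audit_container(c))
    return findings


if __name__ == "__main__":
    for label, td in (("weak", WEAK_TASK), ("hardened", HARDENED_TASK)):
        print(label, audit_task_definition(td) or "no findings")
```

The audit deliberately treats a missing `user` as root, matching slide 14: the default is the runtime's user, not an unprivileged one. A read-only root filesystem may require a `tmpfs` or volume for paths the application writes, which is why the hardened sample is a starting point rather than a drop-in for every image.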
  52. Thank you very much for attending the AWS Online Event – Cloud Security Special. How did you find the content we prepared? Please complete the survey so we can make better seminars. aws-korea-marketing@amazon.com twitter.com/AWSKorea facebook.com/amazonwebservices.ko youtube.com/user/AWSKorea slideshare.net/awskorea twitch.tv/aws
  53. Thank you! © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Inyoung Choi (최인영) inyochoi@amazon.com
