The Amazon EC2 Container Service takes advantage of Docker infrastructure to run and manage containers across a...
cluster of Elastic Compute Cloud instances. Docker and AWS have made strong commitments to improve container security, but new practices must be adopted to secure ECS against weaknesses that leave an enterprise's software infrastructure vulnerable.
Containerized applications are developed and released in a fast-paced software development lifecycle. They are frequently constructed from existing code libraries and deployed through automated processes. Consequently, organizations need to adopt practices that address the novel characteristics of container development, testing and deployment models. Enterprises carefully craft security policies, but they don't always translate to a container-based software development pipeline.
Containers provide a different abstraction than VMs when it comes to managing software building blocks. They have different capabilities and levels of control than traditional applications. Amazon Elastic Compute Cloud (EC2) Container Service, or ECS, operates at a level above containers that is analogous but not identical to a traditional VM hypervisor.
ECS is based on a model of containers, tasks, container instances and clusters. The containers are essentially stored software code blocks that can be provisioned. Tasks enable developers to logically group and perform operations on a collection of containers. Container definitions specify the images and require CPU, memory and port infrastructure. Task definitions describe individual container definitions and versions, which can be addressed by a name and version for the aggregate.
Container instances are VM instances against which tasks are scheduled. This whole process is managed by ECS agents. A cluster is a collection of container instances that provides the required resources for a collection of containers.
Use VPCs to secure ECS
Docker processes have root access to the file system, which could compromise other containers running on the same server. One strategy is to use an Amazon Virtual Private Cloud (VPC), which can isolate computer and network resources. ECS includes the ability to automate the deployments of containers into VPCs to isolate them from other containers, protecting Docker instances from each other.
Another good practice is to set up security groups on machines in a particular cloud to provide further protection against unforeseen security vulnerabilities. Security groups can also restrict inbound and outbound traffic to a group of machines or a single machine based on rules.
Automate access security
It's important to implement a strategy for automating access control to the ECS infrastructure. Amazon simplifies this process through its Identity and Access Management (IAM) service, which makes it easier to set up, manage and update roles to help secure ECS and other services.
The process of changing access keys is a best practice because it limits the amount of time that a compromised key can be used by hackers. When some applications are running outside of EC2, this must be performed programmatically and can sometimes cause applications to break.
It is also important not to use root access keys to make these changes. If this key is compromised, a hacker could essentially gain access to an enterprise's entire AWS infrastructure. Amazon has published some best practices for programmatically managing keys. IAM can do this automatically for EC2 applications and with fewer chances of an application going offline.
Audit container libraries
Containerized applications are generally constructed from existing software libraries to reduce coding time and enable business agility. While the majority of software libraries are secure, vulnerabilities are constantly being detected in many libraries, sometimes many years after the library has been published. For example, the Heartbleed, Poodle and Shellshock vulnerabilities were found after the underlying code was already in wide use.
As a result, the enterprise needs to develop a security policy around detecting these vulnerabilities and updating containers that contain them. This is not a trivial task, as new software libraries are not always compatible with other components used by the containers. Information on new vulnerabilities is published on common vulnerability and exposure (CVE) databases like the National Vulnerability Database, published by the National Institute of Standards and Technology (NIST).
Some tools can help automate the auditing process and make it easier to notify security personnel and developers when problems are detected. For example, Amazon has announced a partnership with Twistlock to automate Amazon registry of container images; this makes it easier to incorporate auditing into an organization's continuous integration process. Twistlock also offers the ability to monitor containers in operation to detect malicious activity.
Consider other approaches to secure ECS
CoreOS and Docker have also released scanners that compare the code in container instances against a database of known vulnerabilities. CoreOS released the Clair service, which compares container content against various CVE databases maintained by NIST, Red Hat, Ubuntu and Debian. Docker Content Trust is an implementation of the Notary open source software for certifying the validity of Docker images retrieved from public archives. The use of digital signing infrastructure prevents enterprises from downloading container images that hackers have compromised.
One practice is to regularly rebuild container images with the latest updates. But this can also create new problems with side effects and instabilities that could go unnoticed. Another practice is to analyze new images in real time on a regular basis using vulnerability scanners. But this requires implementing security into the development process. However, this is an important step if the developers modify libraries to improve application performance or implement new features.
One of the biggest challenges with cloud security is that it only takes one open door to compromise an enterprise. Automating the management of security keys, auditing containers and testing new code can all help close these doors. But organizations need to consider integrating security reviews into the development, operations and testing processes to mitigate the risk of security breaches.
EC2 Container Service has its kinks
Docker deployment saves time, headaches in test and dev