Best Practices for Container Security on AWS
Containers are superior to Virtual Machines (VM) in many aspects, including the benefits of being lightweight, easily scalable, highly portable, etc. AWS provides two primary container services i.e., Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (EKS). Although both ECS and EKS are growing in popularity but achieving security while using these services is relatively a new topic.
Morgan PerryApril 13, 2022 · 5 min read
This article will provide some tips to achieve security in a containerized environment, especially in Amazon ECS. Here are the section-wise tips :
- Follow the policy of least privileged access
Consider a scenario where a developer needs to stop a task periodically. You should create a policy that only permits that particular action. Always go for resource-level permissions (Amazon Resource Name (ARN)) when possible
- The cluster should serve as an administrative boundary
Create roles that are scoped to clusters and use the cluster as your primary administrative boundary.
- Create Pipelines
Creating pipelines to automate package and deploy applications onto Amazon ECS clusters will reduce the admin overhead and isolate end-users from Amazon ECS API.
- Use two-factor authentication for important actions
Suppose you are performing a critical operation like deleting a cluster. In that case, you can add an extra layer of security by creating a policy that enforces 2FA when you are performing a critical action. As mentioned above, the policy should specify the resources it is scoped for.
- ECS tasks should be assigned roles
Assigning each task a role aligns with the principle of least privileged access and allows for greater granular control over actions and resources.
Note that the role assigned to an EC2 instance on which the task is running is different than the role of the task itself (more info here).
- Expose only the ports that serve the application
Do not expose any other ports, except for SSH. Apply this principle to containers as well as the underlying machines. Implement whitelisting of IP’s/security groups where possible
- Create separate virtual networks for your containers
This will add a level of isolation that can reduce the attack surface.
- Use TLS to secure communication between services
Try to use TLS 1.3 to secure communication between services. TLS 1.2 will be deprecated soon. This process encrypts traffic and makes sure only authorized endpoints are allowed.
- Make as much use of VPCs, Security groups, network rules, firewall rules, etc. as you can to restrict communication between VMs, VPCs, and the Internet.
- Consider using AWS Systems Manager Parameter Store.
Parameter store is a secure, encrypted repository for configuration data management and secrets management. Do not save secrets in any file or code.
- Keep an eye on API keys and access/secret keys
Keep a close eye on unsafe API keys, secrets, etc. Remove any unused keys and try to rotate keys if possible.
- Use tools for secrets scanning
Some tools look for leaked credentials and other sensitive secrets in the container image. One of the examples is "gitLeaks", which is an open-source static analysis command-line tool used to detect hard-coded secrets like passwords, API keys, and tokens in local and GitHub repositories (private and public).
For PCI Compliance, follow the below tips:
- First, understand the flow of cardholder data (CHD) within the environment. The CHD flow will determine the applicability of the PCI DSS and will define the boundaries and components of a cardholder data environment.
- Avoid saving the full card number in your database. If needed, save only the last four digits.
- Web application penetration tests must include all vulnerabilities (SQLi, XSS, CSRF, etc.)
For HIPAA compliance, follow the below tips:
- PHI data should be encrypted in transit and at-rest when accessed by containers launched with Amazon ECS.
- Complete logging should also be enabled and all container logs should be directed to Amazon CloudWatch.
- You may deploy an overlay network (e.g., VNS3 or Weave Net) to ensure complete encryption of PHI data transferred between containers or provide a redundant encryption layer.
- Use a trusted repository of known good code.
Pulling anything directly from the internet (e.g. Docker Hub) may introduce security risks. AWS ECR is a good option as a secure image repository
- Sign and Verify Docker Images.
Signatures help track images to the people who signed them. This makes it difficult to substitute the signed image for a compromised one.
- Do not include sensitive data in Docker images
Use some secrets manager to save the secrets securely. In a local development environment, you can use ENV files, and in a production environment, you should use a managed service like AWS parameter store or secrets manager.
- Secure both host and container
The hosts that run the container management system should be as secure as the container itself. Assess the security of all components, scan vulnerabilities regularly, monitor threats and keep the system up to date.
- Ensure that audit logs are enabled and should be monitored for abnormal or unwanted actions, particularly for any authorization failures
- You can use DataDog for monitoring your containers. You can install the Datadog agent on every EC2 instance in your ECS cluster. Datadog’s Autodiscovery can be used in conjunction with ECS and Docker to automatically discover and monitor running tasks in your environment.
- Use Cloudwatch alarms in combination with SNS to receive alerts on important metrics e.g. network traffic, abnormal CPU spikes etc.
- Use AWS Fluent Bit image for container logging. This image provides the capability to route logs to Amazon CloudWatch with SNS as a destination. This image is available on ECR public image gallery (more info here)
- Make code scanning part of the CI/CD process
- Keep an eye on external vulnerabilities through dependency scanning
- Use image scanning to analyze container images. You can use ECR built-in image scanning feature too
- If you are using CloudFormation or Terraform, Use IaC scanning tools to validate the configuration of your infrastructure before it is created or updated.
- If you are making direct HTTPS API requests to AWS, you should sign those requests with temporary security credentials that you get from the AWS Security Token Service
Managing security in the containerized environment is not easy. In this article, we have shared crucial security tips which will help you secure your ECS clusters to a great extent. However, applying these security measures will need skilled resources having expertise in standard application security and containerized environment.
A Modern solution like Qovery can help you set up and manage containers with the desired level of security needs. If you are a startup with growing containerization needs but do not have the required expertise to manage ECS with the above security measures, then Qovery is the right fit for you.