When building an application on Amazon Web Services (AWS), ensuring reliability, consistency, and rapid deployment is crucial. Containers play a key role in achieving this by packaging instructions into reusable digital objects. Without containers, running application components across different servers can be challenging. However, deploying containers comes with security risks that need to be addressed. Malicious actors can infiltrate containers, causing data breaches and disruptions.
At Fortra’s Alert Logic team, we emphasize the importance of understanding the architectural building blocks of container security. Containers have a life cycle that includes running, executing, and operating, and all these aspects must be considered for effective security.
It’s essential to protect more than just the container design; each container includes registry codes and configurations ready for deployment, forming a complete container ecosystem. Here are three ways to enhance your AWS container security.
Set Table Stakes for AWS Container Security
What are table stakes? Simply said, they are the minimum requirements for an application to do an effective job. Almost everyone uses them holistically, but often leave out certain essential components such as retaining containers for testing and communication instead of security.
When we discuss stakes, we mean the role or influence an existing process has within the container process you want to mimic and implement. If something is superfluous, it should take a backseat to other higher priority development issues.
Just be wary of rushing container collection and deployment. If you go full speed, you impact a large number of people and almost force them to mature as quickly as possible. Careful, iterative pathways are better. They allow everyone in the organization to get comfortable with AWS and understand that you’re never taking jobs away, but rather solving manual lifting. Since there’s also a lot of crossover between DevOps and security practices, automation is tougher to get right from the beginning unless it’s protected without too much strain or oversight.
Make Sure What’s Running Is Expected to Run
Container registries can be exposed to human errors and malicious behavior. One tweak can cause incalculable harm to the rest of your system downstream. Our security experts have seen examples of vulnerabilities within some orchestration platforms, such as a default insecure state where we’ve detected crypto jacket containers running crypto mining. This is great for an attacker because it’s a very direct route to a target’s finances.
Such attacks can arise from “sidecars,” which run alongside your workload, adding scripts on top of regular, functional platform requests. Therefore, you need to know what’s meant to be running without any interference and spot threats when they arise.
Time scanning is a useful tactic for analyzing container and host behavior. This tracks requests over a period of time and benchmarks them against expectations for every process. You’re interrogating whether there’s a normal state and if sudden changes could be malicious.
Understand the AWS Shared Responsibility Model
AWS container security duties are shared, but never equal. This divides some of the customers who approach us, although it’s crucial to undertake your responsibilities. AWS platforms such as EC2, EKS, and Fargate take on some of the security burden yet leave the rest in your hands.
Broadly, there are four areas to check: apps, hosts, LAN, and platform security. Customers tend to become more responsible for the first three, while AWS splits the role for the latter. You have plenty of options for protecting the platform on your end. For instance, one of the key things to consider is that most platforms work with AWS through API calls. Logging and monitoring are key. CloudTrail should be kept on and logs must be enabled and maintained on all systems and production environments. Even if you’re running a server list instead of a container, it’s important to know who’s talking to what and who requested it. Subsequently, don’t just lift and shift migration. Audit your system before moving to the cloud and try to find weaknesses.
Several themes persist on the hosting side, too. These include log analysis, threat detection, patch management, and tiered access privileges. Alert Logic’s AWS security solutions are well-placed to help set up and monitor host guards for containers, fulfilling more of your obligation in a security model.
Additional AWS Container Security Resources:
Container Security for Cloud, Hybrid, & On-Premises