Building Secure Services using Containers
©2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security in AWS
Shared Responsibility Model
AWS: responsible for security “of” the cloud
• Compute, Storage, Database, Networking
• Regions, Availability Zones, Edge Locations
CUSTOMER: responsible for security “in” the cloud
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network and Firewall Configuration
Security Groups
• Every network interface in an AWS VPC belongs to at least one security group
• A security group rule can name another security group (or the same one) as its source or destination instead of an IP range, and security groups are stateful: return traffic for an allowed connection is allowed automatically
• That handles the elasticity of a cloud environment, where addresses come and go, without resorting to complex network topologies with many subnets
IAM Roles and Policies
Example policy that lets whatever role carries it connect as one database user on one RDS instance (completed with the mandatory "Version" field):

  {
    "Version": "2012-10-17",
    "Statement": [{
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:us-east-1:501381841826:dbuser:db-QM2ZETM6KG/appuser"
      ],
      "Effect": "Allow"
    }]
  }

The resource ARN pins the grant to a single IAM database user (appuser) on a single DB resource ID, so a task with this role cannot authenticate as any other database user.
• Assign SSO access to users and groups in your corporate Microsoft Active Directory
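As an added example (not code from the deck), here is a small evaluator that applies IAM's rules for a single identity-based policy (an explicit Deny wins, a matching Allow grants, otherwise the default is Deny) to the policy above, and compares it with a constructed wildcard variant to show exactly what the scoped resource ARN buys you. WILDCARD_POLICY, the admin and other-DB ARNs and the overgrant helper are assumptions for illustration; Condition blocks and NotAction/NotResource are deliberately rejected rather than silently ignored.

```python
import fnmatch
import json

# The policy from the slide, completed with the mandatory Version field.
APP_USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["rds-db:connect"],
    "Resource": ["arn:aws:rds-db:us-east-1:501381841826:dbuser:db-QM2ZETM6KG/appuser"],
    "Effect": "Allow"
  }]
}
""")

# Constructed contrast: the same permission with a wildcard resource, plus an
# explicit Deny, to show the evaluation order.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds-db:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "rds-db:connect",
         "Resource": "arn:aws:rds-db:*:*:dbuser:*/admin"},
    ],
}

# Constructed probe ARNs: the intended user, an admin on the same DB, and
# the same user name on a different DB instance.
APPUSER = "arn:aws:rds-db:us-east-1:501381841826:dbuser:db-QM2ZETM6KG/appuser"
ADMIN = "arn:aws:rds-db:us-east-1:501381841826:dbuser:db-QM2ZETM6KG/admin"
OTHER_DB = "arn:aws:rds-db:us-east-1:501381841826:dbuser:db-ABCDEF1234/appuser"


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _match(pattern, value, case_insensitive):
    """IAM wildcard matching: '*' is any run of characters, '?' one character.
    Action names are case-insensitive; resource ARNs are compared as written."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified evaluation of one identity-based policy.  Returns True only
    if some statement allows the action on the resource and no statement
    denies it.  Features this toy does not model raise instead of being
    ignored, so it never reports a false 'denied'."""
    decision = False
    for stmt in policy["Statement"]:
        for key in ("Condition", "NotAction", "NotResource", "Principal"):
            if key in stmt:
                raise NotImplementedError(f"{key} is not handled by this evaluator")
        action_hit = any(_match(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_match(p, resource, False) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def overgrant(policy, action, intended, probes):
    """Which of the probe resources does the policy allow beyond the intended set?"""
    return [r for r in probes if r not in intended and is_allowed(policy, action, r)]


if __name__ == "__main__":
    for name, policy in (("scoped", APP_USER_POLICY), ("wildcard", WILDCARD_POLICY)):
        extra = overgrant(policy, "rds-db:connect", {APPUSER}, [APPUSER, ADMIN, OTHER_DB])
        print(f"{name}: over-grants {extra or 'nothing'}")
```

The scoped policy over-grants nothing; the wildcard variant still reaches appuser on every other instance in the account even though its Deny statement catches the admin user, which is why the deck's example names one DbiResourceId and one user rather than "*".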
Everything you can do security-wise on EC2
you can now do on Amazon ECS and Fargate
IAM Role and Network Interface per Task in ECS
• In 2016 we launched the capability to assign an IAM role to each Task within ECS
• At re:Invent 2017 we launched the ability to have a dedicated network interface (ENI) and Security Group(s) per Task
ECS on EC2 Shared Responsibility Model
AWS:
• Compute, Storage, Database, Networking; Regions, Availability Zones, Edge Locations
• ECS Scheduler / Control Plane
CUSTOMER:
• Customer Data, Identity & Access Management, Network and Firewall Configuration
• Container Images and ECS Config
• Operating System of the container instances, Instance Scaling / Capacity Mgmt.
Fargate Shared Responsibility Model
AWS:
• Compute, Storage, Database, Networking; Regions, Availability Zones, Edge Locations
• ECS Scheduler / Control Plane
• Instance Scaling / Capacity Mgmt.
• Operating System (the hosts, their kernel and the container runtime)
CUSTOMER:
• Customer Data, Identity & Access Management, Network and Firewall Configuration
• Container Images and ECS Config (task definitions, task roles, security groups)
Security Benefits of Fargate
• We patch and maintain the underlying Linux and Docker
• You cannot ssh or docker exec onto anything
• All cross-container network traffic will go through the
Elastic Network Interface (ENI) and Security Group (SG)
• No privileged access to docker or the underlying host
• We never run one customer’s tasks/containers on the same
underlying Instance(s) as another
We do more, you do less.
Services / Mechanisms for Customer Responsibilities
(figure: the Fargate responsibility diagram above, annotated with the AWS services and mechanisms that cover each customer-owned layer: Images, ECS Config, Identity & Access Management, Network and Firewall Configuration, Customer Data)
Building security into the service lifecycle
Build process
Source Code → Merge Pull Request → CI Pipeline → Automated Build
(the source-code box on the slide holds a placeholder snippet, not real code)
Multi-stage Docker builds
Three ways to get from source to a runnable image, ending with the one that keeps build tooling out of the image you ship.

Single-stage build: the SDK, the sources and the build output all end up in the final image, so it is large and carries compilers and package tooling that are useless to the service but useful to an attacker.

  # docker build .
  FROM buildtools:v4.5
  WORKDIR /src
  COPY ./src ./
  # Build
  RUN dotnet restore
  RUN dotnet publish -c Release -o /src/bin
  WORKDIR /src/bin/
  CMD ["myapp"]

Build outside, copy the artefact in: run the build image with the source tree mounted as a volume, then build a separate runtime image from the published output. Small image, but two Dockerfiles plus host-side steps and a bin/ directory on the build host to keep in sync.

  # docker run with volume
  docker run -v "$(pwd)/src:/src" -w /src buildtools:v4.5 \
    sh -c "dotnet restore && dotnet publish -c Release -o /src/bin"

  # docker build .
  FROM runtime:v1.1
  COPY ./src/bin /app
  WORKDIR /app/
  CMD ["myapp"]

Multi-stage build (Docker 17.05 and later): one Dockerfile, named stages, and COPY --from to pull only the published binaries into a runtime-only final image. Run the tests stage explicitly in CI with docker build --target tests .: with BuildKit a stage the final image does not depend on is otherwise skipped, while the classic builder runs every stage in order.

  # docker build .
  FROM buildtools:v4.5 AS builder
  WORKDIR /src
  COPY ./src ./
  RUN dotnet restore
  RUN dotnet publish -c Release -o /src/bin

  FROM builder AS tests
  RUN dotnet test

  FROM runtime:v1.1
  WORKDIR /app/
  COPY --from=builder /src/bin /app/
  CMD ["myapp"]
The unit of deployment
(figure: what ships shrinks step by step, from a full Windows instance, to Ubuntu Linux, to an Ubuntu container, to an Alpine container, to a container running on a read-only filesystem)
Image vulnerability scanning with clair
• Scan for known vulnerabilities (CVEs) using the Debian, CentOS, Ubuntu, NIST and other vulnerability sources
• Integrate into your CI pipeline and gate on the result, so an image with known CVEs is never tagged for deployment
• Other vendors' scanners may also cover application dependencies such as pip / npm modules, which clair's OS-package view does not
Build process
CI Pipeline → Automated Build → Docker image → Amazon ECR
Security best practices for container images
• Do not store secrets in container images (ENV values, build args and copied files stay in the layers and image history)
• Use trusted base images such as the Docker Hub official images
• Do not put unnecessary tools in the container image
• Do not use generic tags like :latest, which can silently point at a different build tomorrow; use something unique and informative like the git commit ID
• Try to only run one process per container
• Consider embedding tools from our Container Security partners Aqua and Twistlock for runtime security
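The checks below are an added example in Python, not tooling from the deck, that turns the list into a linter you can run in CI over a Dockerfile: it parses the instructions (joining backslash continuations), then flags unpinned or :latest base images, images from outside an allow-list, secret-looking ENV and ARG names, credential files copied in, debug tools installed, and CMD lines that start more than one process. The trusted-registry prefixes, the debug-tool list and the two sample Dockerfiles are constructed; the non-root USER check goes one item beyond the slide's list (it is CIS Docker Benchmark 4.1, the kind of check Docker Bench runs).

```python
import re

# Constructed allow-list of registries/namespaces the build may pull from.
# Docker Hub official images have no '/' in their name (the library/ namespace).
TRUSTED_PREFIXES = ("library/", "123456789012.dkr.ecr.us-east-1.amazonaws.com/")
# Interactive/debug tooling that has no business in a production image (constructed list).
DEBUG_TOOLS = {"curl", "wget", "ssh", "openssh-server", "telnet", "netcat", "nc",
               "nmap", "vim", "nano", "gdb", "strace", "tcpdump"}
SECRET_NAME = re.compile(r"secret|passw(or)?d|token|api_?key|private_?key", re.I)
SECRET_FILE = re.compile(r"(^|/)(\.env|id_rsa|.*\.pem|.*\.p12|credentials)$", re.I)


def parse_dockerfile(text):
    """Return [(line_no, INSTRUCTION, args)], joining backslash continuations
    and dropping blank and comment lines."""
    out, buf, start = [], "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = no if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instr, _, args = (buf + line).partition(" ")
        out.append((start, instr.upper(), args.strip()))
        buf, start = "", None
    return out


def split_image(ref):
    """'registry/ns/name:tag@sha256:...' -> (name, tag, digest); a port in the
    registry host is not mistaken for a tag."""
    ref, _, digest = ref.partition("@")
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, "", digest


def lint_dockerfile(text, trusted=TRUSTED_PREFIXES):
    """Apply the image-hygiene rules and return [(line_no, rule, message)]."""
    findings, stages, user = [], set(), None
    for no, instr, args in parse_dockerfile(text):
        tokens = args.split()
        if instr == "FROM":
            user = None                              # every stage starts as root again
            image = tokens[0]
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if image in stages:                      # FROM <earlier stage>: nothing to check
                continue
            name, tag, digest = split_image(image)
            if not digest and tag in ("", "latest"):
                findings.append((no, "mutable-tag", f"{image}: pin a version tag or digest, not :latest"))
            if "/" in name and not name.startswith(trusted):
                findings.append((no, "untrusted-base", f"{name}: not an official image or an allowed registry"))
        elif instr == "ARG":
            key = tokens[0].split("=")[0]
            if SECRET_NAME.search(key):
                findings.append((no, "secret-in-build-arg", f"{key}: build args are recorded in the image history"))
        elif instr == "ENV":
            for tok in tokens:
                key = tok.split("=")[0]
                if SECRET_NAME.search(key):
                    findings.append((no, "secret-in-image", f"{key}: secrets belong in a parameter store, not in layers"))
                    break
        elif instr in ("COPY", "ADD"):
            sources = [t for t in tokens[:-1] if not t.startswith("--")]
            for src in sources:
                if SECRET_FILE.search(src):
                    findings.append((no, "secret-file", f"{src}: credential file copied into the image"))
        elif instr == "RUN":
            if re.search(r"\b(install|add)\b", args) and DEBUG_TOOLS & set(tokens):
                findings.append((no, "unnecessary-tools", f"installs {sorted(DEBUG_TOOLS & set(tokens))}"))
        elif instr in ("CMD", "ENTRYPOINT"):
            if "&&" in tokens or "&" in tokens or "supervisord" in args:
                findings.append((no, "multi-process", "starts more than one process; one process per container"))
        elif instr == "USER":
            user = tokens[0]
    if user in (None, "root", "0"):
        findings.append((0, "runs-as-root", "final stage has no non-root USER (CIS Docker Benchmark 4.1)"))
    return findings


# Constructed samples: one that breaks every rule, one that passes.
BAD_DOCKERFILE = r"""FROM ubuntu
ARG NPM_TOKEN
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y curl vim \
    && rm -rf /var/lib/apt/lists/*
COPY .env /app/.env
COPY . /app
CMD service cron start && /app/myapp
"""
GOOD_DOCKERFILE = r"""FROM 123456789012.dkr.ecr.us-east-1.amazonaws.com/buildtools:v4.5 AS builder
WORKDIR /src
COPY ./src ./
RUN dotnet restore && dotnet publish -c Release -o /src/bin
FROM 123456789012.dkr.ecr.us-east-1.amazonaws.com/runtime:v1.1
WORKDIR /app/
COPY --from=builder /src/bin /app/
USER app
CMD ["/app/myapp"]
"""

if __name__ == "__main__":
    for no, rule, msg in lint_dockerfile(BAD_DOCKERFILE):
        print(f"line {no}: {rule}: {msg}")
```

Run it as a CI step before docker build and fail the job on any finding; the line number of a continuation-joined RUN is the line the instruction started on, which is what a reviewer wants to jump to.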
Deploy process - tagging
Docker image → Amazon ECR → clair scan → Amazon ECR (tagged for the target environment)
Deploy process - tagging
Amazon ECR repository with environment tags :Dev, :Staging and :Prod, each pointing at the image build currently in that environment
Tagging: version and environment
Each image carries an immutable version tag (such as the git commit ID) plus at most one environment tag; promoting a build re-points the environment tag. :latest is not used.
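An added example (not code from the deck) of the promotion step in Python: given describe-images style data for one ECR repository and per-digest scan verdicts from the clair step, it moves an environment tag onto the digest that :staging points at, refuses to move a version tag or to promote an unscanned, failing or untraceable build, and returns the digest-pinned reference to put in the task definition. The image list, scan results, tag conventions and severity gate are constructed.

```python
import re
from copy import deepcopy

ENV_TAGS = {"dev", "staging", "prod"}                      # mutable pointers, moved by promotion
VERSION_TAG = re.compile(r"^(v\d+\.\d+(\.\d+)?|git-[0-9a-f]{7,40})$")  # immutable build identifiers
BLOCKING = {"CRITICAL", "HIGH"}                            # constructed severity gate

# Constructed describe-images style data for one repository.
IMAGES = [
    {"imageDigest": "sha256:" + "a" * 64, "imageTags": ["git-0a1b2c3", "v1.09", "prod"]},
    {"imageDigest": "sha256:" + "b" * 64, "imageTags": ["git-9f8e7d6", "v1.21", "staging"]},
    {"imageDigest": "sha256:" + "c" * 64, "imageTags": ["git-5555555", "dev"]},
]
# Constructed scanner verdicts (highest severity found), keyed by digest.
SCAN_RESULTS = {
    "sha256:" + "a" * 64: "LOW",
    "sha256:" + "b" * 64: "MEDIUM",
    "sha256:" + "c" * 64: "CRITICAL",
}


def resolve(images, tag):
    """Digest currently behind a tag, or None when no image carries it."""
    for img in images:
        if tag in img.get("imageTags", []):
            return img["imageDigest"]
    return None


def version_tags(images, digest):
    """Immutable tags on a digest; empty means the build cannot be traced to a commit."""
    for img in images:
        if img["imageDigest"] == digest:
            return [t for t in img["imageTags"] if VERSION_TAG.match(t)]
    return []


def promotion_blocker(images, scan_results, src_tag, dst_tag):
    """Reason the promotion must not happen, or None when it is safe."""
    if dst_tag not in ENV_TAGS:
        return f"{dst_tag}: only environment tags may be moved"
    digest = resolve(images, src_tag)
    if digest is None:
        return f"{src_tag}: no image carries this tag"
    if not version_tags(images, digest):
        return "image has no version tag, cannot trace it to a commit"
    severity = scan_results.get(digest, "UNKNOWN")
    if severity in BLOCKING or severity == "UNKNOWN":
        return f"scan verdict {severity} blocks promotion"
    return None


def promote(images, scan_results, src_tag, dst_tag):
    """Move dst_tag onto the digest behind src_tag.  Returns (updated images, digest);
    the input list is left untouched so a failed deploy can fall back to it."""
    reason = promotion_blocker(images, scan_results, src_tag, dst_tag)
    if reason:
        raise ValueError(reason)
    digest = resolve(images, src_tag)
    updated = deepcopy(images)
    for img in updated:
        if dst_tag in img["imageTags"] and img["imageDigest"] != digest:
            img["imageTags"].remove(dst_tag)            # the old target loses the pointer
        if img["imageDigest"] == digest and dst_tag not in img["imageTags"]:
            img["imageTags"].append(dst_tag)
    return updated, digest


def pinned_reference(repository_uri, digest):
    """Image reference for the task definition: a digest cannot be moved the way a tag can."""
    return f"{repository_uri}@{digest}"


if __name__ == "__main__":
    updated, digest = promote(IMAGES, SCAN_RESULTS, "staging", "prod")
    print(pinned_reference("123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp", digest))
    print(promotion_blocker(IMAGES, SCAN_RESULTS, "dev", "staging"))
```

In ECR itself the tag move is a batch-get-image call to fetch the manifest followed by put-image with the new tag; whatever tag the humans read, register the task definition with the digest so a later re-tag cannot change what production is running.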
What actually gets deployed?
Task Definition (this is where the :Staging image is referenced):
• Container
• CPU + Memory
• Networking
• Volumes
Service Definition:
• A task definition
• # of containers
• Scaling metrics
• Load balancing
Triggering a deploy
Amazon ECR (:Staging) → Deploy function → Update Task Definition
Triggering a deploy - to production
Amazon ECR (:Staging) → Deploy function → 2FA → Update Task Definition
Lambda Pseudocode
Made runnable with boto3; get_account_whitelist, lookup_username and duo_verify are the deck's own helper names and are assumed to exist.

  import time
  import boto3

  ecs = boto3.client("ecs")

  def handler(event, context):
      account = event["account"]                 # target account / environment
      whitelist = get_account_whitelist()
      if account not in whitelist:
          raise PermissionError(f"account {account!r} is not allowed to deploy")
      if account in ("test", "staging"):         # explicit membership test
          return deploy(event["cluster"], event["service"], event["task_definition"])
      if account == "prod":
          username = lookup_username(event)
          if not duo_verify(username):           # second factor before touching production
              raise PermissionError(f"2FA failed for {username}")
          return deploy(event["cluster"], event["service"], event["task_definition"])
      raise ValueError(f"unknown account {account!r}")

  def deploy(cluster, service, task_definition):
      new_revision = ecs.register_task_definition(**task_definition)["taskDefinition"]["taskDefinitionArn"]
      ecs.update_service(cluster=cluster, service=service, taskDefinition=new_revision)
      while True:
          svc = ecs.describe_services(cluster=cluster, services=[service])["services"][0]
          primary = next(d for d in svc["deployments"] if d["status"] == "PRIMARY")
          if primary["taskDefinition"] != new_revision:
              raise RuntimeError("another deployment superseded ours")   # current deployment is not yours
          if len(svc["deployments"]) == 1 and primary["runningCount"] == svc["desiredCount"]:
              return new_revision                                        # all tasks on the new revision
          print(f"{primary['runningCount']}/{svc['desiredCount']} tasks running {new_revision}")
          time.sleep(10)
Rolling deployment – to do
Production service: four tasks on :v1.09, to be rolled forward to :v1.21
Canary or “one-box” deployment
Production service: four tasks on :v1.09; Canary: one task on :v1.21 takes live traffic first, and the roll-out continues only while it stays healthy
Secrets Management
Parameter Store holds the secrets under a per-environment path:
  /staging/rds/secret-username
  /staging/rds/secret-password
The container fetches them at start-up using the task's IAM role, so nothing is baked into the :staging image:

  #container_start.sh
  export env='staging'
  aws ssm get-parameters-by-path --path "/$env/rds/" --recursive --with-decryption

--with-decryption is required for SecureString parameters (without it the ciphertext is returned), and the task role needs ssm:GetParametersByPath on that path plus kms:Decrypt on the key the parameters are encrypted with.
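An added example (not the deck's code) of the container-start step in Python: it maps the parameters under one environment path to environment-variable names, ignores anything outside that path, fails fast when a required secret is missing instead of starting with an empty credential, quotes values safely for a shell export, and returns the least-privilege statements the task role needs. The sample response, the required names and the KMS key placeholder are constructed; fetch_parameters is the live boto3 call and is not exercised offline.

```python
import re
import shlex

# Constructed GetParametersByPath-style response: the two parameters on the
# slide, a non-secret, and one from another environment that must be ignored.
SAMPLE_RESPONSE = {
    "Parameters": [
        {"Name": "/staging/rds/secret-username", "Type": "String", "Value": "appuser"},
        {"Name": "/staging/rds/secret-password", "Type": "SecureString", "Value": "example-only"},
        {"Name": "/staging/rds/host", "Type": "String", "Value": "db.staging.internal"},
        {"Name": "/prod/rds/secret-password", "Type": "SecureString", "Value": "should-not-leak"},
    ]
}


def env_name(parameter_name, path):
    """/staging/rds/secret-password under /staging/ -> RDS_SECRET_PASSWORD."""
    relative = parameter_name[len(path):].strip("/")
    return re.sub(r"[^A-Za-z0-9]", "_", relative).upper()


def parameters_to_env(parameters, path, required=()):
    """Turn the parameters under `path` into an environment mapping.  Only
    names under the requested path are accepted (a mis-scoped fetch cannot
    smuggle in another environment's values), and a missing required value
    is an error rather than an empty string."""
    path = "/" + path.strip("/") + "/"
    env = {}
    for p in parameters:
        if p["Name"].startswith(path):
            env[env_name(p["Name"], path)] = p["Value"]
    missing = [name for name in required if name not in env]
    if missing:
        raise KeyError(f"missing parameters under {path}: {missing}")
    return env


def export_lines(env):
    """Shell 'export' lines safe to eval: values are quoted with shlex, so a
    password containing quotes or spaces cannot break out of the assignment."""
    return [f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items())]


def fetch_parameters(path):
    """Live fetch (boto3 imported lazily so the rest of this file runs offline):
    recursive, decrypted, and paginated so more than ten parameters are not cut off."""
    import boto3
    paginator = boto3.client("ssm").get_paginator("get_parameters_by_path")
    pages = paginator.paginate(Path=path, Recursive=True, WithDecryption=True)
    return [p for page in pages for p in page["Parameters"]]


def task_role_statements(region, account, env):
    """Least-privilege statements the task role needs for fetch_parameters: read
    under its own environment's path only, plus decrypt on the Parameter Store
    key (the key id is an assumed placeholder)."""
    return [
        {"Effect": "Allow", "Action": "ssm:GetParametersByPath",
         "Resource": f"arn:aws:ssm:{region}:{account}:parameter/{env}/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": f"arn:aws:kms:{region}:{account}:key/<parameter-store-key-id>"},
    ]


if __name__ == "__main__":
    env = parameters_to_env(SAMPLE_RESPONSE["Parameters"], "/staging",
                            required=("RDS_SECRET_USERNAME", "RDS_SECRET_PASSWORD"))
    print("\n".join(export_lines(env)))
```

The shell wrapper on the slide becomes eval of these export lines; keeping the path per environment and the role scoped to that path is what stops a staging task from reading /prod/ even if someone mistypes the path.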
Updating The Underlying Instances
(figure sequence) The ECS container instances run in an Auto Scaling group behind an Application Load Balancer, launched from the current launch configuration and its AMI. To patch the OS or the agent you do not modify instances in place:
• Build a new AMI and create a new launch configuration that uses it
• Point the Auto Scaling group at the new launch configuration; new instances come up from the new AMI and register with the cluster and the load balancer
• Drain and terminate the instances from the old launch configuration as the new ones take over, until only new-AMI instances remain behind the load balancer
Logging
Container stdout/stderr → CloudWatch Logs → Subscription filter (streams the log events on to a Lambda function or Kinesis for analysis)
Docker daemon default on the container instances (/etc/docker/daemon.json), so every container logs to CloudWatch unless its task definition says otherwise:

  {
    "log-driver": "awslogs",
    "log-opts": {
      "awslogs-region": "us-east-1"
    }
  }

Per container, the ECS task definition's logConfiguration sets logDriver "awslogs" with the awslogs-group, awslogs-region and awslogs-stream-prefix options, which is the only way to configure it on Fargate where there is no daemon to edit.
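An added example (not code from the deck) of a subscription-filter target: the Lambda handler decodes the base64 and gzip-compressed payload CloudWatch Logs delivers, runs a few constructed detection rules over the container's log lines (failed-login bursts per source address, a shell being spawned, packages installed at runtime), and returns the findings. The rules, the threshold, the sample messages and the encode helper used to build a test event offline are all constructed; a real deployment would forward the findings to SNS or Security Hub rather than return them.

```python
import base64
import gzip
import json
import re
from collections import Counter

# Constructed detection rules for application log lines shipped by the awslogs
# driver; tune the patterns to what your service actually logs.
RULES = {
    "auth-failure": re.compile(r"login failed .*src=(?P<src>[\d.]+)"),
    "shell-spawned": re.compile(r"(^|\s)/bin/(ba)?sh\b|busybox sh\b"),
    "pkg-install-at-runtime": re.compile(r"\b(apt-get|apk|yum|pip) install\b"),
}
AUTH_FAILURE_THRESHOLD = 3


def decode_subscription_event(event):
    """CloudWatch Logs delivers {'awslogs': {'data': <base64 gzip JSON>}} to the
    subscribed Lambda; return the inner record with logGroup, logStream and logEvents."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def encode_subscription_event(log_group, log_stream, messages):
    """Inverse of decode, used only to build a test event offline (constructed)."""
    record = {
        "messageType": "DATA_MESSAGE",
        "owner": "123456789012",
        "logGroup": log_group,
        "logStream": log_stream,
        "subscriptionFilters": ["all"],
        "logEvents": [{"id": str(i), "timestamp": 1_520_000_000_000 + i, "message": m}
                      for i, m in enumerate(messages)],
    }
    blob = gzip.compress(json.dumps(record).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(blob).decode("ascii")}}


def detect(record):
    """Apply the rules to one delivery.  Shell and package-install matches are
    reported per line; auth failures are counted per source address and only
    reported once a source crosses the threshold within the same delivery."""
    findings, failures = [], Counter()
    stream = f"{record['logGroup']}/{record['logStream']}"
    for ev in record["logEvents"]:
        msg = ev["message"]
        m = RULES["auth-failure"].search(msg)
        if m:
            failures[m.group("src")] += 1
            continue
        for rule in ("shell-spawned", "pkg-install-at-runtime"):
            if RULES[rule].search(msg):
                findings.append({"rule": rule, "stream": stream, "message": msg})
    for src, n in failures.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            findings.append({"rule": "auth-failure-burst", "stream": stream,
                             "message": f"{n} failed logins from {src}"})
    return findings


def handler(event, context=None):
    """Lambda entry point for the subscription filter: decode, detect, hand on."""
    return detect(decode_subscription_event(event))


# Constructed sample lines in the shape a web service might log.
SAMPLE_MESSAGES = [
    "2018-03-01T10:00:00Z myapp: GET /health 200",
    "2018-03-01T10:00:01Z myapp: login failed user=admin src=203.0.113.7",
    "2018-03-01T10:00:02Z myapp: login failed user=root src=203.0.113.7",
    "2018-03-01T10:00:03Z myapp: login failed user=admin src=203.0.113.7",
    "2018-03-01T10:00:04Z myapp: login failed user=bob src=198.51.100.9",
    "2018-03-01T10:00:05Z myapp: exec: /bin/sh -c 'id'",
    "2018-03-01T10:00:06Z myapp: apt-get install -y netcat",
]

if __name__ == "__main__":
    for f in handler(encode_subscription_event("/ecs/myapp", "myapp/web/abc123", SAMPLE_MESSAGES)):
        print(f["rule"], "-", f["message"])
```

On Fargate, where you cannot docker exec into a task, a shell or a package manager appearing in the application's own log stream is one of the few signals you still get that something other than your process is running in the container.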
Monitoring - Sysdig
(three screenshots of Sysdig container monitoring dashboards)
Threat Detection - Amazon GuardDuty
Tools Summary
                        Instance (host)                                    Container
Hardening               Bastille, SELinux, AppArmor                        Capabilities, SELinux
Verification            Amazon Inspector, Security Best Practices checklist Docker Bench, Clair
Monitoring & reporting  Amazon Inspector, Amazon GuardDuty                 Falco, Sysdig, CloudWatch Logs
Things To Think About
What’s my responsibility?
What’s going into each container image?
What’s my most appropriate tagging strategy?
What’s my optimal deployment strategy?
How do I monitor this when it’s deployed?
Thank you!