Building Secure Services using Containers

©2018, AmazonWebServices, Inc. or its Affiliates. All rights reserved.
Nathan Taber
June 2018
Building Secure Services Using
Containers

©2018, AmazonWebServices, Inc. or its Affiliates. All rights reserved.©2017, AmazonWebServices, Inc. or its Affiliates. All rights reserved.
Security in AWS

Shared Responsibility Model
AWSCUSTOMER
Responsible for
Security “of” the cloud
Responsible for
Security “in” the cloud
Network and Firewall Configuration
Identity & Access Management
Customer Data
Compute Storage Database Networking
Regions Availability Zones Edge Locations
Operating System
Applications Platform

Security Groups
• Everything in an AWS VPC is in at least one security group
• You can use a security group as both a source and destination for
security group rules
• Helps to handle the elasticity of a cloud environment without
resorting to complex network topologies with many subnets

IAM Roles and Policies
"Statement": [{
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-1:501381841826:dbuser:db-QM2ZETM6KG/appuser"
],
"Effect": "Allow"
}]
Assign SSO access to users and groups in
your corporate Microsoft Active Directory

Everything you can do security-wise on EC2
you can now do on Amazon ECS and Fargate

Customer Data
Operating System
Applications Platform
IAM Role and Network Interface per Task in ECS
In 2016 we launched the
capability to assign an IAM
role to each Task within ECS
At re:Invent 2017 we
launched the ability to have a
dedicated network interface
(ENI) and Security Group(s)
per Task

ECS on EC2 Shared Responsibility Model
AWSCUSTOMER
Customer Data
Operating System
Images ECS Config
Instance Scaling /
Capacity Mgmt.
ECS Scheduler /
Control Plane

Fargate Shared Responsibility Model
AWSCUSTOMER
Customer Data
Images ECS Config
Instance Scaling /
Capacity Mgmt.
ECS Scheduler /
Control Plane
Operating System

Security Benefits of Fargate
• We patch and maintain the underlying Linux and Docker
• You cannot ssh or docker exec onto anything
• All cross-container network traffic will go through the
Elastic Network Interface (ENI) and Security Group (SG)
• No privileged access to docker or the underlying host
• We never run one customer’s tasks/containers on the same
underlying Instance(s) as another
We do more, you do less.

Services / Mechanisms for Customer Responsibilities
AWSCUSTOMER
Customer Data
Images ECS Config
Instance Scaling /
Capacity Mgmt.
ECS Scheduler /
Control Plane
Operating System

Building security into the
service lifecycle

BUILD DEPLOY
SECURE
MONITOR

©2018, AmazonWebServices, Inc. or its affiliates. All rights reserved.
#Source Code
Def not_the_real_code:
if whitespace then:
indent++
else:
console.log(“generic
message”)
raise(null)
Merge Pull
Request
CI Pipeline
Automated
Build
Build process

Multi-stage Docker builds
# docker build .
FROM buildtools:v4.5
COPY ./src ./
# Build
RUN dotnet restore
RUN dotnet publish
WORKDIR bin/
CMD [“myapp”]

# docker build .
COPY ./src ./
# Build
RUN dotnet restore
RUN dotnet publish
WORKDIR bin/
CMD [“myapp”]
# docker run with volume
RUN dotnet restore
RUN dotnet package
# docker build .
FROM runtime:v1.1
COPY ./src/bin /app
WORKDIR /app/
CMD [“myapp”]

# docker build .
COPY ./src ./
# Build
RUN dotnet restore
RUN dotnet publish
WORKDIR bin/
CMD [“myapp”]
# docker run with volume
RUN dotnet restore
RUN dotnet package
# docker build .
FROM runtime:v1.1
COPY ./src/bin /app
WORKDIR /app/
CMD [“myapp”]
# docker build .
FROM buildtools:v4.5 as builder
RUN dotnet restore
RUN dotnet package
FROM runtime:v1.1 as tests
RUN testrunner
FROM runtime:v1.1
COPY --from=builder /src/bin
/app/
WORKDIR /app/CMD
[“myapp”]

Windows
instance
Ubuntu
Linux
Ubuntu
container
Alpine
container
ReadOnly
FS
The unit of deployment

Scan for known
vulnerabilities (CVEs)
• Debian, CentOS, NIST,
Ubuntu & other sources
• Integrate into your CI
pipeline
Other vendors
• May add pip / npm
modules
Image vulnerability scanning with clair

Docker image Amazon ECRCI Pipeline
Automated
Build
Build process

Security best practices for container images
• Do not store secrets in Container Images
• Use trusted base images such as Docker Hub official
• Do not put unnecessary tools in the container image
• Do not use generic tags like :latest – use something
unique and informative like the git commit ID
• Try to only run one process per container
• Consider embedding tools from our Container Security
partners Aqua and Twistlock for runtime security

DEPLOYBUILD
SECURE
MONITOR

Docker image Amazon ECR
clair
Amazon ECR
Deploy process - tagging

Amazon ECR
Deploy process - tagging
Dev
Prod
Staging:Dev:Staging:Prod

Tagging: Version And Environment

:latest

What actually gets deployed?
:Staging Task Definition:
• Container
• CPU+Memory
• Networking
• Volumes
Service Definition:
• A task definition
• # of containers
• Scaling metrics
• Load balancing

Amazon ECR
Triggering a deploy
:Staging
Deploy
function
Update Task
Definition

Amazon ECR
Triggering a deploy - to production
:Staging
Deploy
function
Update Task
Definition
2FA

Lambda Pseudocode
whitelist = get_account_whitelist()
if account in whitelist:
if account == ’test’ or ’staging’:
deploy()
if account == ‘prod’:
lookup_username()
duo_verify(username)
deploy()

Lambda Pseudocode
def deploy():
new_revision = aws.register_task_definition()
update_service(task = new_revision)
while true:
if current_deployment != yours:
raise error
if new_revisions_running == desired_count:
exit(success)
print new_revisions_running

Rolling deployment – to do
:v1.09 :v1.09 :v1.09 :v1.09
Production service Canary
:v1.21

Canary or “one-box” deployment
:v1.09 :v1.09 :v1.09 :v1.09
Production service Canary
:v1.21

Secrets Management
Parameter
Store
/staging/rds/secret-username
/staging/rds/secret-password
#container_start.sh
export env=‘staging’
aws ssm get-parameters-by-path $env
:staging

Updating The Underlying Instances
instances
Auto Scaling group
AMI
Current launch
configuration
Application Load Balancer

instances
Auto Scaling group
AMI
Current launch
configuration
New AMI
New launch
configuration

instances
Auto Scaling group
instances
AMI
Current launch
configuration
New AMI
New launch
configuration

Auto Scaling group
instances
AMI
Current launch
configuration
New AMI
New launch
configuration

MONITORBUILD
SECURE
DEPLOY

CloudWatch
Logs
Subscription
filter
Logging
{ "log-driver":
"awslogs",
"log-opts":
{”region":
"us-east-1"}
}

Monitoring - SysDig

Threat Detection - Amazon GuardDuty

Tools Summary
Hardening Bastille, SELinux,
AppArmour
Capabilities,
SELinux
Verification Amazon Inspector,
Security Best Practices
checklist
Docker Bench,
Clair
Monitoring &
reporting
Amazon Inspector,
Amazon GuardDuty
Falco, Sysdig,
CloudWatch Logs

Things To Think About
What’s my responsibility?
What’ going into each container image?
What’s my most appropriate tagging strategy?
What’s my optimal deployment strategy?
How do I monitor this when it’s deployed?

Thank you!

Building Secure Services using Containers

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Building Secure Services using Containers

Ähnlich wie Building Secure Services using Containers (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Building Secure Services using Containers