Pragmatic container security - DEM11-R - AWS re:Inforce 2019

© 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved.
Pragmatic Container Security
Jeffrey Westphal
Technical Director
Trend Micro
D E M 1 1 - R

“It worked on my machine”
…every developer ever

The problem
It’s hard to deploy an application
with all of it’s dependencies
The solution
Containers package the app and
it’s dependencies in a portable
format

“Containers provide the ability to
package and run an application in a
loosely isolated environment”
Docker Inc. on the idea behind containers

CVE-2019-5736runC container to host exploit

Data
Application
OS
Virtualization
Infrastructure
Physical
On-premises
(Traditional)
Data
Application
OS
Virtualization
Infrastructure
Physical
Infrastructure
(IaaS)
Data
Application
OS
Virtualization
Infrastructure
Physical
Container
(PaaS)
Data
Application
OS
Virtualization
Infrastructure
Physical
Abstract
(SaaS)
The Shared Responsibility Model
AWS’ responsibilityYour responsibility
Service configuration

Container
Environment
Tactics
• Container host
• Network
• Management stack
• Build pipeline
• Application foundation
• Application
Specific areas
Agenda

Development Environment
EC2 ECS Fargate
Container Hosts
ECR EKS Kubernetes
Orchestration Tools
Cloud9
Code Repo Jenkins CodeDeploy
CodePipeline
CI/CD Pipeline

EC2 ECS
Container Hosts
Production Environment
Registry Containers
Aurora
S3
ELB
WAF
API
Gateway
Fargate

Infrastructure
(IaaS)
Container
(PaaS)
Abstract
(SaaS)
The Shared Responsibility Model
EC2
ECS
Fargate

Amazon EC2
• Choose a container specific operating system
• These OS’ have reduced their attack surface by removing non-essential services in addition to some
performance gains
• Harden the operating system (NIST, SANS)
• Removing non-essential services, updating libraries and tools, making smart choices for
service configurations all lead to a strong foundation to build on
• Add logging and monitoring tools
• Container hosts are a critical aspect of your infrastructure, you need the right telemetry from the host in
order to continuously monitor their health and efficiency
Specific areas of focus

Amazon EC2
• Patch regularly
• Software updates often contain critical security patches and should be applied as quickly as possible
• Restrict the IAM role
• Apply the principle of least privilege
• Add critical security controls like application control, integrity
monitoring, anti-malware
• Using an “allow list” for applications that can be run on the host is highly effective given their specific
workloads. Similar integrity monitoring and anti-malware controls make sure any changes to the host are
expected and not malicious

Amazon ECS
• Same as EC2 for any AMI that meets the Amazon ECS AMI
specification
• Use one of the AWS provided AMIs as a starting point

AWS Fargate
• IAM policies and roles
• Runs on AWS-managed infrastructure, no Amazon EC2
instances to manage

Amazon Virtual Private Cloud (Amazon VPC)
• Turn on VPC flow logging
• This captures src, dst, timestamp, size, and other critical information used to monitor and troubleshoot
the network
• Security groups for tasks/instances
• Configure least privilege security groups for an EC2 instances or ECS/Fargate tasks in order to reduce their
network footprint
• Encrypt data in transit
• Leverage ALB and ELB functionality with the AWS Certificate Manager in order to use encrypted channels
where possible

• Use intrusion prevention controls on the EC2 instance
• Container aware intrusion prevention systems will help apply security controls to container network
traffic, regardless of whether or not it heads north/south
• Log inter-container traffic
• Failing to log network traffic between containers on the same host leaves gaps in your visibility of the
overall application
Amazon EC2 & ECS

• AWS WAF works on the edge stopping layer 7 attacks as far
away from your containers as possible
• This low cost service adds a strong preventative control to your applications with little to no effort on
your part
• Use managed rule from trusted APN partners or AWS labs
rules project
• Managed rules reduce your overhead and required domain specific knowledge
AWS WAF

• Amazon GuardDuty, finding low level network abuses
• The service scans VPC flow logs looking for actionable intelligence, it’s another aspect of your defence in
depth
Amazon GuardDuty

Amazon ECR
• Write permissions should be strongly policed
• Trust is a key part of a registry, limiting updates and the creation of new images will help reduce your
organizations exposure
• All images should be scanned for issues after any change
• Container images may contain known vulnerabilities, malware, or sensitive information that should not
be exposed, using a scanner to check for these issues before making the image available
• Systems, not people should access the registry
• Container images should be added post-scan after being built by a service. Similarly, a service or
automated tool should instantiate the images into a new container

Kubernetes
• Don’t run it if you don’t have to
• A managed service like EKS will significantly reduce your operational overhead and exposed attack
surface
• Restrict access to the management interface
• Make sure you have limited access to operational teams that require it and only those teams
• Follow the CIS Kubernetes benchmark for security
• Walk through the default configurations and customize to your requirements. Remember the principle of
least privilege
• Monitor your k8s deployment to ensure it stays in line with
CIS

Amazon EKS
• Set strong IAM policies to restrict access
• Control who can access the tool and when that access can occur
• Configure the security groups responsible for access to the
control plane
• Restrict and monitor usage of the control plane to ensure your deployment works as intended
• Leverage k8s’ native role-based access control
• Apply the principle of least privilege to ensure that access is limited to only where it is absolutely
necessary

Code*
• IAM roles and permissions
• Make sure to restrict access appropriately. No “Full Access” policies!
• Add scanning and sanity checks at appropriate stages
• Automating security steps like static code analysis, vulnerability scanning, malware scanning and secrets
management is key
• Add security tests alongside integration and unit tests
• Never assume, always verify. Adding security tests makes it simple to validate your security assumptions
each time a build is deployed
• If you are running your own pipeline, apply the same
principles as the EC2 section to those systems

• Deploy strong endpoint controls to developers workstations
• Phishing accounts for 92% of all malware infections and attackers are shifting focus to attack developers
in order to compromise the systems they build
• Educate developers on strong security coding practices and
help breakdown the barriers between teams
• Security traditionally struggles with getting controls built in and settles for “bolt on” controls which are
more expensive and less effective. Anything you can do to reduce the divide between teams will benefit
everyone involved
Developers

3rd Party Code
• Choose a framework that is actively maintained with a strong
security response workflow
• Make sure you are constantly monitoring the security status of the framework in order to evaluate the
risk of any known vulnerabilities
• Control the version of 3rd party libraries
• Make sure you cache the required versions of the libraries your application depends on. Don’t pull from
NPM/GitHub/etc. every time you build or deploy

Image Scanning
• Scan container images before publishing for vulnerabilities,
malware, non-compliant code and exposed secrets
• Before pushing a built container to a registry, verify that your containers are in the state you expect
• Mitigate any known vulnerabilities in source or downstream
• Not all issue need to be immediately resolved. Security vulnerabilities can be mitigated on the container
host if the appropriate control is in place and has the right rule configuration

Container Spec
• Reduce services and tools in the container itself
• Only deploy the minimal amount required to accomplish the task at hand. Try to align with the Unix
Philosophy: do one thing well
• Monitor port usage in containers
• Needlessly open ports are a security risk
• Track container requirements closely
• Explicitly define container requirements for network, compute, and security to ensure that they are being
met within the larger environment

…and only as intended
Make sure that systems work
as intended
The goal of cybersecurity

Container Security
• Container host
• Network
• Management stack
• Build pipeline
• Application foundation
• Application
6 areas to focus on…

Container-aware protection for your EC2
instances and ECS container hosts
Deep Security
Deep Security
Smart Check
Automated container image scanning to
detect vulnerabilties, malware, and
exposed secrets
Visit trendmicro.com/aws to learn more

Thank you!
Jeffrey Westphal
jeffrey_westphal@trendmicro.com

Pragmatic container security - DEM11-R - AWS re:Inforce 2019

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Pragmatic container security - DEM11-R - AWS re:Inforce 2019

Ähnlich wie Pragmatic container security - DEM11-R - AWS re:Inforce 2019 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Pragmatic container security - DEM11-R - AWS re:Inforce 2019