This document discusses container automation, security, and monitoring on AWS. It covers building container images using Docker multi-stage builds, scanning images for vulnerabilities, deploying containers with AWS CodePipeline and CodeBuild, managing secrets with AWS Systems Manager Parameter Store, monitoring containers with SysDig, and detecting threats with Amazon GuardDuty. The document emphasizes building secure and optimized container images, deploying and managing containers across environments, and monitoring container workloads for security and operations.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Richard Busby
Solutions Architect, Amazon Web Services
Peter Goodman
SRE Lead, PushPay
Advanced Container Automation,
Security, And Monitoring

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
According to noted thought leader Jane
Austen, it is a truth universally
acknowledged that a techie in possession of
any production code whatsoever must be in
want of a container platform.
- Bridget Kromhout

3. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CREATE DEPLOY MONITOR
SECURE

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
#Source Code
Def not_the_real_code:
if whitespace then:
indent++
else:
console.log(“generic message”)
raise(null)
Merge Pull
Request
AWS
CodePipeline
AWS
CodeBuild
Build Image
Build Process

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-stage Docker Builds
# docker build .
FROM buildtools:v4.5
COPY ./src ./
# Build
RUN dotnet restore
RUN dotnet publish
WORKDIR bin/
CMD [“myapp”]

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-stage Docker Builds
# docker run with volume
FROM buildtools:v4.5
RUN dotnet restore
RUN dotnet package
# docker build
FROM runtime:v1.1
COPY ./src/bin /app
WORKDIR /app/
CMD [“myapp”]
# docker build .
FROM buildtools:v4.5
COPY ./src ./
# Build
RUN dotnet restore
RUN dotnet publish
WORKDIR bin/
CMD [“myapp”]

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-stage Docker Builds
# docker run with volume
FROM buildtools:v4.5
RUN dotnet restore
RUN dotnet package
# docker build
FROM runtime:v1.1
COPY ./src/bin /app
WORKDIR /app/
CMD [“myapp”]
# docker build .
FROM buildtools:v4.5 as builder
RUN dotnet restore
RUN dotnet package
FROM runtime:v1.1 as tests
RUN testrunner
FROM runtime:v1.1
COPY --from=builder /src/bin /app/
WORKDIR /app/CMD
[“myapp”]
# docker build .
FROM buildtools:v4.5
COPY ./src ./
# Build
RUN dotnet restore
RUN dotnet publish
WORKDIR bin/
CMD [“myapp”]

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Unit Of Deployment
Windows
instance
Ubuntu
Linux
Ubuntu
container
Alpine
container
ReadOnly
FS

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
#Source Code
Def not_the_real_code:
if whitespace then:
indent++
else:
console.log(“generic message”)
raise(null)
Merge Pull
Request
AWS
CodePipeline
AWS
CodeBuild
Build Process

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Image Vulnerability Scanning - Clair
Scan for known
vulnerabilities (CVEs)
• Debian, CentOS, NIST,
Ubuntu & other sources
• Integrate into your CI
pipeline
Other vendors
• May add pip / npm
modules

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build Process
Docker image
Amazon ECRAWS
CodePipeline
AWS
CodeBuild

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DEPLOY MONITOR
SECURE
CREATE

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECR
cker image
Amazon ECR
clair

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECR
Dev
Staging
Prod
:Dev:Staging:Prod
Tagging

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tagging: Version And Environment

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
:latest

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECR
Dev
Staging
Prod
:Staging
Deploy Process
StagingDeploy
function
Update ECS
Task Definition

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deploy
function
2FA
Update
Task Def
Deploy Process - Production

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lambda Pseudocode
whitelist = get_account_whitelist()
if account in whitelist:
if account == ’test’ or ’staging’:
deploy()
if account == ‘prod’:
lookup_username()
duo_verify(username)
deploy()

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lambda Pseudocode
def deploy():
new_revision = register_task_definition
update_service(task = new_revision)
while true:
if current_deployment != yours:
raise error
if new_revisions_running == desired_count:
exit(success)
print new_revisions_running

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECR
Staging:Staging
Secrets Management
Parameter
Store
/staging/rds/secret-username
/staging/rds/secret-password
export environment=‘staging’
aws ssm get-parameters-by-path $environment

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Staging
Network Segmentation
egress: squid
prod:
front-end
prod:
back-end
virtual private cloud virtual private cloud

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Updating The Underlying Instances
instances
Auto Scaling group
AMI
Current launch
configuration
Application Load Balancer

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Updating The Underlying Instances
instances
Auto Scaling group
AMI
Current launch
configuration
New AMI
New launch
configuration
Application Load Balancer

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Updating The Underlying Instances
instances
Auto Scaling group
instances
AMI
Current launch
configuration
New AMI
New launch
configuration
Application Load Balancer

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Updating The Underlying Instances
instances
Auto Scaling group
instances
AMI
Current launch
configuration
New AMI
New launch
configuration
Application Load Balancer

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Updating The Underlying Instances
instances
Auto Scaling group
instances
AMI
Current launch
configuration
New AMI
New launch
configuration
Application Load Balancer

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Updating The Underlying Instances
Auto Scaling group
instances
AMI
Current launch
configuration
New AMI
New launch
configuration
Application Load Balancer

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MONITORDEPLOY
SECURE
CREATE

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logging
Amazon ECR
Staging:Staging
{ "log-driver":
"awslogs",
"log-opts":
{ "awslogs-region":
"us-east-1" }
}

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring - SysDig

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring - SysDig

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring - SysDig

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat Detection - Amazon GuardDuty

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tools Summary
Hardening Bastille, SELinux,
AppArmour
Capabilities,
SELinux
Verification Amazon Inspector,
Security Best Practices
checklist
Docker Bench,
Clair
Monitoring &
reporting
Amazon Inspector,
Amazon GuardDuty
Falco, Sysdig

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Things To Think About As You Walk To Your
Next Session
1. Think carefully about what goes into your image
2. Consider the most appropriate tagging strategy
3. What’s your optimal deployment strategy?
4. How do you monitor this when it’s deployed?

38. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Thank You!