This document discusses AWS cloud and container security. It provides background on containers and how they package code and dependencies. It then discusses key elements of container security like the container host, network isolation, and container contents. It introduces DevSecOps as integrating security practices into the DevOps process. Finally, it discusses monitoring threats inside container environments through network traffic, logs, and platform changes.
2. • Cloud Migration
• App Modernization
• DevOps Automation
• Cost Optimization
Oscar Moncada
Co-founder & CEO
• 9+ Years of Experience with AWS
• 17+ Years of Experience in Software Engineering & IT
• 4 AWS Certifications
Kevin RisonChu
Co-Founder & CTO
• 13+ Years of Experience with AWS
• 20+ Years of Experience in Systems Administration & IT
• 4 AWS Certifications
5. What Are Containers?
A container is a standard unit of software that packages up code and all its
dependencies so the application runs quickly and reliably from one computing
environment to another.
6. What Are Containers?
Containerized Application
7. Container Security
Container security is the protection of the integrity of containers. This includes
everything from the applications they hold to the infrastructure they rely on.
8. Container Security
Key Elements
• Container Host
• Network Isolation
• Build & Deployment
• Container Contents
11. DevSecOps
• Open Source Tools
• CoreOS Clair
• Anchore
Compliance & Vulnerability Analysis
DevSecOps is the philosophy of integrating security practices within the DevOps
process.
12. DevSecOps
• AWS Native Container Image Scanning (Free*)
14. Container Content
• Software Composition Analysis (SCA)
What runs inside the container is just as important as what the container runs on.
Dangers of Open Source
15. Container Content
• Software Composition Analysis (SCA)
• Tools
• Snyk.io
• BlackDuck
• IQ Server
16. Monitoring Threats Inside Your Environment
• Container to container network traffic
• Container log data
• AWS platform changes
Container Host: It’s important to secure the host that the container is running on. Implement standard security practices such as hardening the operating system, minimizing the number of packages installed, and restricting access to it.
Container Contents: relates to what is actually running inside the container.
Network Isolation: You use network isolation to segregate pods inside a cluster.
Build & Deployment: relates to adding security checks to the container build and deployment process.
4 Ways to run containers on AWS: ECS, EKS, Fargate. Each has advantages and disadvantages depending on the level of control you want.
Network Isolation (EKS): Using Network Namespaces you can configure pods to get their own IP addresses and ports.
Fargate:
IAM:
Kubeaudit script from Shopify - helps you audit your Kubernetes clusters against common security controls
DevSecOps is basically integrating security in your DevOps process or making it part of your CI/CD pipeline.
Adding security to your DevOps process can help make sure your application meets security compliance requirements and it can help minimize the number of vulnerabilities in your application.
When running a large number of applications or containers it becomes really hard to keep track of compliance and finding vulnerabilities. Luckily there’s an app for everything… or tools. There’s open source tools such as CoreOS Clair and Anchore that can help you maintain security compliance and check for known vulnerabilities.
AWS has a relatively new tool to help you scan container images for known vulnerabilities. It’s called AWS Native Container Image Scanning and it’s part of ECR.
Amazon ECR uses the Common Vulnerabilities and Exposures (CVE) database from the open source CoreOS Clair project and provides you with a list of scan findings; it checks for known vulnerabilities in the operating-system packages of the image.
You can manually scan container images stored in Amazon ECR, or you can create automation to scan the images when they’re uploaded to the ECR repository.
Container image scanning is “free” but you can only scan images once per day so even if you build automation to scan your images they won’t be scanned more than once every 24 hours.
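As an added example (not from the deck, and not AWS code), a small CI gate over the JSON that `aws ecr describe-image-scan-findings` returns: it refuses to pass a scan that is not COMPLETE, so the once-per-day limit or an IN_PROGRESS scan never reads as a clean image, and it fails the build on findings at or above a chosen severity. The sample response and its CVE identifiers are constructed placeholders.

```python
import json

# Severity ladder used by ECR basic (Clair-based) scanning results.
SEVERITY_RANK = {"INFORMATIONAL": 0, "UNDEFINED": 0, "UNTRIAGED": 0,
                 "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like `aws ecr describe-image-scan-findings` output;
# the CVE ids and package versions are placeholders, not real findings.
SAMPLE_SCAN = json.dumps({
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
        "findings": [
            {"name": "CVE-0000-0001", "severity": "HIGH", "attributes": [
                {"key": "package_name", "value": "openssl"},
                {"key": "package_version", "value": "1.1.1d-0"}]},
            {"name": "CVE-0000-0002", "severity": "MEDIUM", "attributes": [
                {"key": "package_name", "value": "curl"},
                {"key": "package_version", "value": "7.64.0-4"}]},
            {"name": "CVE-0000-0003", "severity": "LOW", "attributes": [
                {"key": "package_name", "value": "tar"},
                {"key": "package_version", "value": "1.30"}]},
        ],
    },
})


def blocking_findings(scan_json, min_severity="HIGH"):
    """Findings at or above min_severity; refuses a scan that is not COMPLETE,
    so an IN_PROGRESS or FAILED scan is never mistaken for a clean image."""
    doc = json.loads(scan_json)
    status = doc.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"scan not usable: status={status}")
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for f in doc["imageScanFindings"].get("findings", []):
        if SEVERITY_RANK.get(f.get("severity", "UNDEFINED"), 0) < threshold:
            continue
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        out.append({"cve": f["name"], "severity": f["severity"],
                    "package": f"{attrs.get('package_name')}={attrs.get('package_version')}"})
    return out


def gate(scan_json, min_severity="HIGH"):
    """CI exit status: 0 if nothing at/above the threshold, else 1."""
    found = blocking_findings(scan_json, min_severity)
    for f in found:
        print(f"BLOCK {f['severity']} {f['cve']} in {f['package']}")
    return 1 if found else 0
```

In a pipeline, `gate()` would be fed the saved output of the describe call and its return value used as the job's exit code; the severity threshold is the knob to tune per repository.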
Kevin also mentioned how it’s important to secure the contents of your container. You want to make sure the contents of the container are secure and free from any known vulnerabilities.
One of the things we have to be very careful about is Open Source libraries. Open source libraries are used in most applications nowadays, from web servers such as Apache to application specific libraries for things like Machine Learning or Artificial Intelligence tasks.
Open Source software is great but like anything that is free, it can come with some gotchas.
Software Composition Analysis (SCA) is a relatively new industry term for a set of tools that provides users visibility into their open source inventory.
SCA can be used to look at every library in your code/software/API and the version of those libraries, to detect known vulnerabilities. It is a good way to get rid of the low-hanging fruit when securing your open source libraries. It also allows you to create a Bill of Materials (BOM) of your application, which is a list of every library being used and its version.
There are a few tools you can use to run a Software Composition Analysis on your application, such as Snyk.io, BlackDuck, and IQ Server.
These tools can help you find vulnerabilities as well as mitigate security and license compliance risks with your application.
Snyk.io – helps you find vulnerabilities in open source libraries
BlackDuck – helps mitigate security and license compliance risks with the open source code in your application
IQ Server: https://help.sonatype.com/iqserver
Another important part of security around containers is monitoring threats inside your environment.
Looking at things like container to container network traffic, container log data, and changes to the platform or AWS services the containers are running on are all important in order to secure your environment. These are all things you can do with the help of solutions like AlertLogic… so with that I will pass it on to Paul who is going to tell us more about using AlertLogic to secure your container environments.