Securing Docker on AWS

Container Architecture – How to Secure?

[Diagram: three stacks compared side by side. Physical Hardware / Host OS / Container Runtime; Physical Hardware / Host OS / Container Runtime; and Physical Hardware / Virtual Machine Manager with Guest OS 1 + Container Runtime 1 and Guest OS 2 + Container Runtime 2. Above them: Image A, Image B, Image C in a Registry; Run MyApp (4x Image A, 2x Image B, 3x Image C) producing Container 1 through Container 9, grouped as Microservice A, Microservice B and Microservice C under Orchestration.]

1. Deploy separate VMs or even physical hosts for separate workload types (i.e., PCI vs web traffic)
2. Bastion hosts, security groups
3. Keep kernel patches up-to-date… remember WannaCry ransomware?
4. Deploy a hardened and patched OS.
5. Need a container-specific mechanism that also takes into account image security – can’t use generic tools
6. Integrate with CI/CD pipeline
7. Understand networking implications
8. Embrace immutable infrastructures
9. Secure all five layers in the diagram at right

Docker Adoption & Container Lifetime = Need for Continuous Security

"OS containers are not inherently unsecure, but are being deployed unsecurely, driven by developers and a need for agility in service development and deployment. Security and risk management leaders must address container security issues around vulnerabilities, visibility, compromise and compliance."

Continuous Security Assessment and Remediation for Hybrid Workloads

[Diagram: pipeline flow across CI/CD System, Public or Private Registry, Staging and Production, with a Feedback Loop from each stage back to the pipeline. Supporting controls: Image Scanning, Cavirin Benchmark, Container Hardening inc. host, VM, and image CIS Benchmarks, Docker Content Trust; Optional: Rancher & Kubernetes.]

1: Pulls latest signed image
2: Image assessed and corrected
3: Commits Code
4: Sends signed images
5: Triggers update
6: Pulls latest stable image
7: Container assessed and corrected
8: Verified Container Deployed

Other labels on the diagram: EC2 Container Registry, Public Registry, Elastic Beanstalk, EC2 w/ Docker, EC2 Container Service, CloudFormation, Docker Datacenter Quick Start, PCI DSS Quick Start, CloudTrail, Orchestration, CIS Benchmark, Direct

Lifecycle phases: Develop/Build – Test/Modify – Release/Production

Best Practices

Reduce Clutter
Use Trusted Image
Sign Images and Verify
Enforce Secrets Management
Network Segmentation
User Authentication
Operations Governance
Intrusion Detection

Layers to secure:
Container Orchestration
Container Network Segmentation
Container User Access
Host operating System
Container runtime environment
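Pipeline step 1 ("Pulls latest signed image") and the "Use Trusted Image" / "Sign Images and Verify" best practices can be enforced with a small gate in the CI/CD job. The script below is an added example, not from the slides: it rejects image references that are not from the allowlisted registry, that carry no tag, or that use the moving "latest" tag, and then pulls with Docker Content Trust enabled so an unsigned tag fails the pull. The registry host is a constructed placeholder for your own EC2 Container Registry endpoint.

```shell
#!/bin/sh
# Constructed example: gate for the "pull latest signed image" CI/CD step.
# TRUSTED_REGISTRY is a placeholder ECR host (assumption), override it per environment.
TRUSTED_REGISTRY="${TRUSTED_REGISTRY:-123456789012.dkr.ecr.us-east-1.amazonaws.com}"

# validate_image_ref REF -> exit 0 if REF is acceptable, 1 otherwise.
# Rules: host must equal TRUSTED_REGISTRY; either a well-formed sha256 digest
# (content-addressed, so immutable) or an explicit tag other than "latest".
validate_image_ref() {
    ref="$1"
    case "$ref" in
        "$TRUSTED_REGISTRY"/*) ;;          # allowlisted registry only
        *) return 1 ;;
    esac
    path="${ref#"$TRUSTED_REGISTRY"/}"     # repository[:tag][@sha256:digest]
    case "$path" in
        *@sha256:*)
            digest="${path##*@sha256:}"
            # digest must be exactly 64 lowercase hex characters
            [ "${#digest}" -eq 64 ] && [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
            return $? ;;
        *:*)
            tag="${path##*:}"
            [ "$tag" != "latest" ] && [ -n "$tag" ]
            return $? ;;
        *)
            return 1 ;;                    # no tag: would silently mean "latest"
    esac
}

# trusted_pull REF: refuse unvalidated references, then pull with Docker
# Content Trust enforced so only tags with a valid signature are accepted.
trusted_pull() {
    validate_image_ref "$1" || { echo "refusing untrusted image reference: $1" >&2; return 1; }
    DOCKER_CONTENT_TRUST=1 docker pull "$1"
}
```

Wire `trusted_pull "$IMAGE"` into the staging and production deploy jobs; a rejected reference or a missing signature stops the deployment before a container is started.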