Building in containers offers amazing benefits for development teams – speed, agility, flexibility, scalability, etc. Despite their powerful use cases, orchestrating containers at scale can be difficult, and may be unmanageable or impractical for your infrastructure team.
Fortunately, AWS Fargate takes the load of orchestration off your infrastructure team. It is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS), allowing development teams to focus on building applications while AWS manages and provisions the servers.
But what if you need to do something in a container running in Fargate? Today, AWS has the answer for this need with the release of Amazon ECS Exec. AWS has made a simple way for Amazon ECS customers to execute commands in a container running on Amazon EC2 instances or AWS Fargate. This functionality now applies to both Amazon ECS EC2 and Amazon ECS Fargate.
Amazon ECS Exec lets you interact with processes in containers, debug and troubleshoot, or collect diagnostic information from a container, even though your team isn’t managing the infrastructure.
This is a super powerful tool, and you know what they say, “With great power comes great responsibility.” That’s where Trend Micro comes in, helping to ease this burden of responsibility. New rules in Cloud One – Conformity offer additional governance and oversight to help customers manage their use of this capability.
With the launch today, Cloud One – Conformity has added SSM Session Length to ensure that any session using this feature does not remain active for longer than the time period designated in the rule settings. If a session is left inactive, it will time out and log you off – no worries. But, use of this tool for a long time could be the result of suspicious activity.
For example, you might execute a command that bundles a bunch of logs and sends it somewhere else, then you leave Amazon ECS Exec and look at the logs elsewhere. Most use cases addressed by this functionality are fairly quick. If a session is actively used for hours, it is likely being used in a way that was not intended.
Additionally, a second Cloud One – Conformity rule will be coming soon, Approved Execute Command Access. This will ensure that all access to ECS Exec is approved based on IAM. The rule will have an allow list for the ARN of the IAM resources allowed to use the feature, so if any ARN accesses ECS Exec that is not on the allow list, it will flag in the Cloud One – Conformity console.
How permissions are set across AWS services allows for a lot of flexibility, which could mean certain ARNs that don’t need access to this functionality have access due to other permissions settings.
One of the Cloud One – Conformity developers who worked on these rules said, “When AWS Session Manager came out for Amazon EC2, a lot of people had full access to instances, way more than they should have, based on permissions from somewhere else in the customer’s AWS environment.”
AWS is built well and secure. Service configurations and permissions give organizations the flexibility to manage incredibly granular permissions, but can create opportunities for gaps between teams or deployments. Cloud One – Conformity has more than 750 rules to ensure your AWS environment is configured securely, optimized for cost, and meets any compliance requirements for your organization.