Amazon Web Services (AWS) is a cloud services provider that offers storage, computing power, content delivery, and other functionality to organizations of all shapes and sizes. Amazon Web Services is designed for fast application design and deployment, along with the scalability and reliability Amazon is known for. Its products range from analytics and storage to blockchain and containers.
Containers on AWS are extremely popular because they provide a simple way to package, ship, and run applications. Security is essential to the success of a container strategy on AWS.
AWS responsibility vs. customer responsibility
AWS is responsible for the security of the cloud, including container infrastructure. For security in the cloud, it is up to each organization to set up proper protections for the contents of individual containers, data, and overall service configuration. Amazon’s Shared Responsibility Model clearly outlines where its responsibilities end and the company’s responsibility begins, laying out additional services that might be needed to ensure compliance and security.
Here are some factors to consider when securing your containers on AWS:
Protect your host
Protecting your container host operating system (OS) is critical to protecting your containers on AWS. Because multiple containers often share the same host, a breach to the host can potentially provide access to all containers on that host or even within your environment.
When you choose your host, you must apply access controls to each host and should also add your security and on-going monitoring tools. This ensures your hosts will run as you expect and that no post-deployment vulnerabilities have been introduced.
Consistently scan container images
It is crucial to regularly scan and analyze images, allowing only approved images during the build phase and only compliant images to run in production. Poorly configured images are among the easiest ways for attackers to gain entry into the network. AWS encourages customers to leverage partner solutions to provide container image scanning.
Software is also available that can verify the integrity, authenticity, and publication date of all images available on select registries.
Limit access and privileges
It might seem convenient to give developers administrator rights for quick task execution. This is one of the fastest ways to compromise your container and potentially the entire AWS environment. By controlling access to services and limiting the level of permissions granted for each job, you can greatly reduce the likelihood of a malicious attack from the inside.
It is important to remember to adjust individual access and privileges as employees’ roles within the company change or are eliminated altogether.
Safely store secrets
Secrets are passwords, certificates, API keys, or anything to which you want to tightly control access. These are designed for IT operations teams and developers to better build and run safer applications that keep sensitive information private and only accessible when needed by the exact container in order to operate.
Secrets can be stored safely via AWS Secrets Manager or an Identity and Access Management (IAM) policy to ensure that only approved users have access. These can also be administered by third-party secrets management providers.
In the end, the customer responsibility for AWS container security is only as strong as the steps that are taken to enforce it. By intentionally infusing security best practices into each phase of the container lifecycle, companies can be assured that all confidential and sensitive application data in the cloud is secure.