Amazon Web Services (AWS) is a cloud services provider that offers storage, computing power, content delivery, and other functionality to organizations of all shapes and sizes. Amazon Web Services is designed for fast application design and deployment, along with the scalability and reliability Amazon is known for. Its products range from analytics and storage to blockchain and containers.
Containers on AWS are extremely popular, owing to the fact that they provide a simple way to package, ship, and then run applications. But what AWS offers in functionality for containers, it lacks in security.
AWS does not manage security
While AWS is responsible for the security of the cloud, it is up to each organization for the security in the cloud—setting up the proper protections of the contents of their individual containers, data, and overall service configuration. Amazon’s Shared Responsibility Model clearly outlines where its responsibilities end and the company’s begin, laying out the additional services that might be needed to ensure compliance and security.
Here are some factors to consider when securing your AWS containers:
- Root account
Protect your root account
On AWS, your root account is the administrative user who has complete access to all of the AWS services and resources available on the server, even those that can be considered critical to the system. Root can also be used to install and uninstall programs on the server and has access to all resources on the account.
This root account is highly privileged, and it should only be used to create the first user, and then the login information should be securely locked away. If there is an instance in which utilizing root is absolutely necessary, protections to access it should be even higher than multi-factor authentication.
Consistently scan container images
Although not offered by AWS, it is crucial to regularly scan and analyze images, allowing only approved images during the build phase and only compliant images to run in production. Poorly configured images are among the easiest ways for attackers to gain entry into the network.
Software is also available that can verify the integrity, authenticity, and publication date of all images available on select registries.
Limit access and privileges
Although it might seem convenient to give developers administrator rights for the quick execution of a task, this is one of the fastest ways to compromise your container and potentially even the entire AWS environment. By controlling access to services and limiting the amount of permissions granted for each job, you can greatly reduce the likelihood of a malicious attack from the inside.
It is important to remember to adjust individual access and privileges as employees’ roles within the company change or are eliminated altogether.
Safely store secrets
Secrets are considered anything whose access you want to tightly control, such as passwords, certificates, or API keys. These are designed for IT operations teams and developers so they can better build and run safer applications that keep sensitive information private and only accessible when needed by the exact container in order to operate.
Secrets can be stored safely on S3 with either an S3 (Simple Storage Service) bucket or an IAM (Identity and Access Management) policy to ensure that only approved users have access. These can also be administered by third-party secrets management providers.
In the end, AWS container security is only as strong as the steps that are taken to enforce it. By intentionally infusing security best practices into each phase of the container lifecycle, companies can be confident that all confidential and sensitive application data in the cloud is secure.