AWS Container Security – When to Consider Engaging a 3rd-Party Pen Test Team?

By Paul Kubler

Container security tools do more than detect security issues. They verify that everything in your container is running as expected, including the security protections it needs. Securing containers is a continuous process of scanning and pen testing that verifies the container host, the image, and the expected network traffic permissions. Monitoring the integrity of the CI/CD pipeline that builds containers, and of image and application deployment, is also the foundation of container security.

AWS Containers

Amazon Web Services is a cloud services provider that offers storage, computing power, content delivery, and other functionality to organizations of all shapes and sizes. Amazon Web Services is designed for fast application design and deployment, along with the scalability and reliability Amazon is known for. Its products range from analytics and storage to blockchain and containers.

Containers on AWS are extremely popular because they provide a simple way to package, ship, and run applications. Security is essential to the success of a container strategy on AWS.

AWS responsibility vs. customer responsibility

AWS is responsible for the security of the cloud, including the container infrastructure and its provisioning services. Clients can, however, choose to run their own Kubernetes instance and deploy their own containers within their AWS cloud VPC.

For security in the cloud, it is up to each organization to set up proper protections for the contents of individual containers, their data, and the overall service configuration. Amazon’s Shared Responsibility Model outlines where Amazon’s responsibilities end and the customer’s begin.

Consistently scan and pen test container images

The first continuous step in container security is regularly scanning and analyzing images. Images change over time with updates to the Linux kernel and the underlying applications within the container. Containers, like virtual machines, are updated from time to time, and during these update windows scanning and pen testing of the container image is highly recommended.

  • Poorly configured images are among the easiest ways for attackers to gain entry into the cloud VPC. AWS encourages tenants to use 3rd-party companies for container image scanning and pen testing.

Securing AWS containers

For tenants that use the AWS Elastic Container Service, Amazon has already enabled many compliance and security controls within the initial container image. AWS delivers the deployed container from its hosted Kubernetes control plane, and clients may not have access to the Amazon Elastic Container console. Under AWS’s shared responsibility model the container control plane is under the control of AWS, not the tenant, while tenant-created nodes and workloads are the responsibility of the tenant, not AWS.

Security

Amazon Elastic Container Service is a powerful platform that can help you automate Kubernetes resources. However, this automation does not include security. To secure your container operations, the tenant must implement security on their own.

Securing Kubernetes requires automated monitoring with properly configured tools. Continuous monitoring, logging, and testing of traffic between containers, pods, and nodes is also recommended.

AWS offers 210 different security, compliance and governance features. It provides strong security isolation between containers, ensures you are using the latest security updates, and allows you to set granular permissions for each container.

Even when you’re working with container images from reliable sources, it’s crucial to check the security of each image and its layers. Use the Common Vulnerabilities and Exposures (CVE) list and CVE Details to verify that installed applications are free from known and unpatched vulnerabilities.
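As an added example (not code from the article, CYBRI, or AWS), the check described above and in the image-scanning section: compare the packages installed in each image layer against a list of advisories and report what is still older than the fix version. It also shows why a per-layer scan must be merged: a package upgraded in a later layer no longer exists in the running container. All layer contents and CVE ids below are constructed sample data, not real findings.

```python
"""Added example (not the article's or AWS's own code): flag packages inside a
container image that are older than the fix version of a known advisory.
All layer contents and advisory ids below are constructed sample data."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve_id: str    # placeholder ids below, not real CVE numbers
    package: str
    fixed_in: str  # first version that carries the patch

def parse_version(v: str) -> tuple:
    """'7.79.0-r1' -> (7, 79, 0): numeric compare, distro suffix ignored."""
    core = re.split(r"[-+~]", v, maxsplit=1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))

def is_vulnerable(pkg: str, ver: str, adv: Advisory) -> bool:
    return adv.package == pkg and parse_version(ver) < parse_version(adv.fixed_in)

def layer_findings(layers, advisories):
    """Scan each layer on its own: (layer id, package, cve) per old version.
    Over-reports when a later layer upgrades the package."""
    return [(lay["id"], pkg, adv.cve_id) for lay in layers
            for pkg, ver in lay["packages"].items() for adv in advisories
            if is_vulnerable(pkg, ver, adv)]

def effective_packages(layers):
    """Merge layers in order: the last layer that installs a package wins,
    which is what is actually present in the running container."""
    merged = {}
    for lay in layers:
        merged.update(lay["packages"])
    return merged

def image_findings(layers, advisories):
    """Findings that are still unpatched in the final merged image."""
    return [(pkg, adv.cve_id) for pkg, ver in effective_packages(layers).items()
            for adv in advisories if is_vulnerable(pkg, ver, adv)]
# Constructed sample image: base layer, an upgrade layer, then the app layer.
SAMPLE_LAYERS = [
    {"id": "layer-1-base", "packages": {"openssl": "1.1.1", "curl": "7.79.0-r1"}},
    {"id": "layer-2-upgrade", "packages": {"openssl": "1.1.2"}},
    {"id": "layer-3-app", "packages": {"myapp": "2.0.1"}},
]
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "openssl", "1.1.2"),  # placeholder id
    Advisory("CVE-0000-0002", "curl", "7.80.0"),    # placeholder id
]
```

Running `image_findings(SAMPLE_LAYERS, SAMPLE_ADVISORIES)` reports only the curl advisory, while `layer_findings` also lists the openssl version that the upgrade layer already replaced.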

When should tenants consider pen testing their containers within AWS?

Tenants should pen test their containers prior to the initial production release, and then after each major release and/or on an annual basis. Container security after the initial deployment from the AWS elastic service is a joint responsibility of Amazon and the tenant. The tenant has the option to run pen tests and vulnerability scans against the deployed containers within their VPC. However, the tenant does not have the ability to pen test the AWS Elastic Container Service itself: as with other AWS control plane services, tenants are not permitted to pen test this platform.

When should the tenant engage a 3rd-party pen testing team for container validation?

Pen tests should be done before the image is deployed and again after changes or updates to the container. It is also highly recommended that tenants pen test any containers that are turned up when additional resources are added to an existing workload because of production load increases. A pen test would also be prudent after those container resources have been spun down once the capacity issue has subsided; this engagement validates that the production container has returned to steady state after the removal of the other resources.

Tenants should engage 3rd-party pen testing teams for the following security risk areas within the container platform:

  • Container compromise—misconfigured or unprotected applications let attackers gain access to containers. Once inside, attackers can exploit weaknesses in network connections, process controls, or file systems.
  • Unauthorized connections—attackers can use compromised containers to connect to other clusters. These connections can be used to move laterally (east-west) inside and outside the VPC.
  • Data exfiltration—attackers may use PowerShell or other malware to tunnel through networks or connect to command-and-control servers. This grants the access needed to reach and exfiltrate sensitive data.

Why consider running your own Kubernetes platform when deploying containers within AWS?

DevOps teams are usually responsible for creating and deploying containers, not SecOps. DevOps uses continuous integration and continuous delivery, often called CI/CD pipelines, to keep the fast pace of business you’re used to and to keep up with the competition and customer demand. But if security isn’t part of this process, you can quickly leave yourself open to risk.

  • DevOps engineers aren’t security-trained experts.

Having the Kubernetes environment in-house allows SecOps to run pen tests against the entire container image creation and deployment workstream, including workloads that cover code updates and the spinning up of new services.

These critical functions within container deployment are a more likely entry point for hackers to compromise the VPC cloud platform. Having the ability to run full pen testing gives the tenant a higher degree of confidence that the container platform is secure than relying on the cloud provider to handle the initial deployment.

Engaging the 3rd-party pen testing team before enabling Kubernetes and before deploying containers will ensure the entire image creation, testing, deployment, and activation workstream cannot be compromised by a hacker. Ensuring the safe delivery of the container to the correct cloud provider and VPC is a critical test the 3rd-party pen testers can verify. The pen tester can also validate that the entire spinning up and spinning down of containers, along with image updates, is performed in a secure manner.
