Containers are increasingly being adopted and deployed on cloud platforms like Amazon Web Services (AWS). Services like Amazon Elastic Container Registry (ECR) and Amazon Elastic Container Service (ECS) are already accredited and available in both AWS East/West and AWS GovCloud regions. The Amazon Elastic Kubernetes Service (EKS) service is currently in assessment by a 3PAO and will be accredited shortly and will eventually be available in AWS GovCloud as well. Implementing a robust container security strategy is essential to meeting FedRAMP, FISMA and CMMC requirements based on the NIST SP 800-53 specified controls. stackArmor has been helping organizations meet their NIST compliance requirements on AWS and has developed a systematic playbook for container security and compliance. Docker container security and compliance strategies must cover vulnerability management, continuous monitoring as well as encryption requirements with FIPS 140-2 accredited modules. This blog post covers key elements of container security and provides insights into commonly used tools as well.
Static Docker Container Image Scanning
Static scanning of docker images is performed in environments prior to deployments to provide developers with feedback on detected vulnerabilities prior to launching or deploying a container. OS packages in container images are scanned for Common Vulnerabilities and Exposures (CVEs), a public list of known security threats. There is a wide variety of solutions available to perform such scans including cloud-native services like Amazon ECR which is FedRAMP accredited and available in AWS East/West and AWS GovCloud regions. There are other options available as well including anchore amongst others.
Dynamic or Runtime Scanning
Dynamic scanning is performed in a runtime environment as part of the continuous monitoring requirements, so it’s possible to identify vulnerabilities for containers running in test, QA, or production environments, making is possible to catch vulnerabilities introduced by software installed post-build as well as zero-days. There are several available solutions including both open source and commercial services including CNCF Falco or Trend Micro amongst others.
Container Image Signing
Container image signing helps secure developed containers as they flow within the deployment and production pipelines with multiple teams and complex processes. Container image signatures provide a digital fingerprint that can be cryptographically tested to verify trust. CNCF Notary is a solution implementation for image signing amongst others.
Container Digital Supply Chain Management
The container supply chain is the series of steps performed when writing, testing, packaging, and distributing docker containers. Commonly used technologies in this space include CNCF in-toto or Grafeas.
Sensitive Data Management
Containers need data to operate and function especially parameters and configuration information such as database passwords or API keys etc. Managing such sensitive data requires using encryption. AWS offers two managed services – AWS Systems Manager Parameter Store and AWS Secrets Manager.
We work closely with the various AWS teams to incorporate best practices and latest trends. Here are two blogs that are related to Container security providing great insights. The most recent one is by Michael Hausenblas who published the results of a recent container security survey.
Also, the recent container security blog on the scanning services provided by ECR has helpful content.