
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Security foundations for containers on AWS

Dan Pitman

DEM54-S

Principal Security Architect

Alert Logic, Inc.

Latest Research

A focus on security is vital

We’ll explore how AWS provides the tools for security success

• Cost of a breach: £3 million (primary contributor: lost business)

• Time to identify a breach is going up: 279 days (5% increase over 2018)

• Malicious attacks most common: 51% of breaches (also most expensive)

Latest Research

Container use is up, and Kubernetes use is skyrocketing

SecDevOps over DevSecOps as a principle

• Container use is ever increasing: >60% of companies are using or planning to use Amazon ECS or Amazon EKS

• Review of access is critical: >40K container hosts found accessible on Shodan

[Figure: timeline of elapsed time before and after the compromise, running from months down to minutes on either side. Most compromises and data theft succeed in minutes or less (87%); two-thirds go undiscovered for months or more (68%).]

Breaches happen quickly and usually go undiscovered for months

There Is a Huge Upside to Getting It Right


Securing Your AWS Environment

Reduce Risk

Segregate containers: You can lower your overall risk exposure by establishing smaller groups of containers that don’t talk to one another

Limit host resources by container: A denial of service (DoS) attack on a container could deplete its host’s resources and consequently shut down the other containers running on that host

Remove static libraries and binaries: Be careful of containers that ship prepopulated with libraries and binaries you’ll never need to use; these can become a point of entry if you’re not careful
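The three "Reduce Risk" controls above can be checked mechanically before a task ever runs. The following is an added example, not code from the slides or from Alert Logic: it audits an Amazon ECS task definition for missing per-container CPU/memory limits, privileged mode, a writable root filesystem, a root user, and images pulled by a floating tag. The task definition is constructed sample input; the field names follow the ECS container definition schema.

```python
import json

# Constructed sample task definition (not a real workload); field names follow
# the ECS container definition schema.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "orders-api",
  "containerDefinitions": [
    {"name": "api", "image": "example/orders-api:1.4",
     "memory": 512, "cpu": 256,
     "readonlyRootFilesystem": true, "user": "1000"},
    {"name": "debug-shell", "image": "example/toolbox:latest",
     "privileged": true, "user": "root"}
  ]
}
""")


def image_is_mutable(image):
    """True when the image is pulled by a floating tag (or no tag) rather than
    a fixed tag or digest; mutable references undermine inventory and rollback."""
    ref = image.rsplit("/", 1)[-1]          # drop registry/repository path
    return "@" not in ref and (":" not in ref or ref.endswith(":latest"))


def audit_task_definition(task_def):
    """Return (container_name, finding) tuples for settings that raise risk."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        # Without a hard memory limit a DoS on this container can exhaust the
        # host and take the neighbouring tasks down with it.
        if "memory" not in c:
            findings.append((name, "no hard memory limit"))
        if "cpu" not in c:
            findings.append((name, "no CPU reservation"))
        if c.get("privileged"):
            findings.append((name, "privileged container"))
        if not c.get("readonlyRootFilesystem"):
            findings.append((name, "writable root filesystem"))
        if str(c.get("user", "")).split(":")[0] in ("", "root", "0"):
            findings.append((name, "runs as root"))
        if image_is_mutable(c.get("image", "")):
            findings.append((name, "image pulled by mutable tag"))
    return findings
```

Run it as a gate in the pipeline that registers task definitions; any finding against a production family should fail the build.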

Increase Visibility

Map out container traffic: It’s important to start with a good understanding of the traffic you expect to see traveling North/South (from container to its host) and East/West (between containers) to help you better detect anomalies.

Monitor your traffic: Once you know what expected traffic looks like, you need a mechanism to monitor actual traffic so you can spot deviations from it. That’s where an IDS comes in. When evaluating third-party IDS options, consider whether you need an integrated or a sidecar solution.
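The "map, then monitor" sequence above, as an added example that is not part of the slides: a baseline of accepted (source, destination, port) flows is learned from a known-good window, and later flows outside it are counted and labelled North/South or East/West. The flow records are constructed samples in a VPC-flow-log-like shape with container IPs already resolved to service names; "host" marks the container host.

```python
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst dst_port action")

# Known-good observation window used to learn the baseline (constructed).
BASELINE_WINDOW = [
    Flow("web", "api", 8080, "ACCEPT"),
    Flow("api", "db", 5432, "ACCEPT"),
    Flow("api", "host", 53, "ACCEPT"),     # DNS through the host resolver
    Flow("web", "api", 8080, "ACCEPT"),
]

# Later observation window to monitor (constructed).
MONITOR_WINDOW = [
    Flow("web", "api", 8080, "ACCEPT"),
    Flow("api", "db", 5432, "ACCEPT"),
    Flow("web", "db", 5432, "ACCEPT"),     # web bypassing the API tier
    Flow("api", "host", 22, "ACCEPT"),     # container reaching the host's SSH port
    Flow("db", "api", 4444, "REJECT"),     # blocked, but a sign of probing
    Flow("web", "db", 5432, "ACCEPT"),
]


def direction(flow):
    """North/South if either end is the host, otherwise East/West."""
    return "north-south" if "host" in (flow.src, flow.dst) else "east-west"


def build_baseline(flows):
    """Learn the accepted (src, dst, port) tuples from a known-good window."""
    return {(f.src, f.dst, f.dst_port) for f in flows if f.action == "ACCEPT"}


def find_anomalies(flows, baseline):
    """Count flows outside the baseline, keyed by (direction, src, dst, port).
    Rejected flows count too: a REJECT outside the baseline is still a
    container trying to reach something it never talked to before."""
    counts = Counter()
    for f in flows:
        if (f.src, f.dst, f.dst_port) not in baseline:
            counts[(direction(f), f.src, f.dst, f.dst_port)] += 1
    return counts
```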

IAM Policies & Roles

AWS Lambda function for DevOps release management modifying automatic scaling conditions

Auditor role with read-only rights

IAM roles for tasks in Amazon ECS

Amazon RDS logging permissions on Amazon S3

Use fine-grained IAM roles for service accounts in Amazon EKS
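To show what "fine-grained" means for an EKS IAM role for service accounts (IRSA), here is an added example, not from the slides: a weak trust policy with no condition, one with a wildcard subject, and a scoped one pinned to a single namespace and service account, plus an audit function that tells them apart. The account ID and OIDC provider ID are placeholders.

```python
# Constructed placeholders: not a real account or OIDC provider ID.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC


def trust_policy(condition):
    """Web-identity trust policy for an IRSA role with the given Condition."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


# Weak: no Condition, so any pod in the cluster can assume the role.
UNSCOPED_POLICY = trust_policy({})
# Weak: wildcard subject covering every namespace and service account.
WILDCARD_POLICY = trust_policy(
    {"StringLike": {OIDC + ":sub": "system:serviceaccount:*:*"}})
# Fine-grained: one service account in one namespace, audience pinned to STS.
SCOPED_POLICY = trust_policy({"StringEquals": {
    OIDC + ":sub": "system:serviceaccount:orders:orders-api",
    OIDC + ":aud": "sts.amazonaws.com"}})


def audit_irsa_trust_policy(policy):
    """Return findings for AssumeRoleWithWebIdentity statements that are not
    pinned to a specific Kubernetes service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        subjects = []
        for op in ("StringEquals", "StringLike"):
            for key, val in stmt.get("Condition", {}).get(op, {}).items():
                if key.endswith(":sub"):
                    subjects += val if isinstance(val, list) else [val]
        if not subjects:
            findings.append("no :sub condition; any service account can assume the role")
        for sub in subjects:
            parts = sub.split(":")   # system:serviceaccount:<namespace>:<name>
            if parts[:2] != ["system", "serviceaccount"] or len(parts) != 4 \
                    or "*" in parts[2] or "*" in parts[3]:
                findings.append("over-broad subject " + sub)
    return findings
```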

Tagging

Reliable tagging requires robust automation to ensure the data is actionable

You can tag Amazon ECS tasks, services, task definitions, and clusters on creation, and roll the creation back if no tags were present

Use tagging to describe systems using a version, business, and compliance-relevant taxonomy

This is especially useful when building a fully managed, continuous deployment pipeline for container-based applications

[Diagram: continuous deployment pipeline involving the Developer, AWS CodeCommit, AWS CodeBuild, Amazon Elastic Container Registry, AWS Lambda, and Amazon Elastic Container Service]

Logging & Audit

Many services, including Amazon ECS and Amazon EKS, log their actions to AWS CloudTrail, providing an effective real-time log of change and access

AWS CloudTrail and many other services send their logs to Amazon S3 or Amazon CloudWatch for analysis

Use service APIs to provide inventory data

Put this data to work for threat detection and exposure management

Tooling & Processes

Monitoring

Effective security monitoring depends on comprehensive network, system, and user visibility combined with expert-curated content and adaptable detection methods

Use the AWS security tooling and monitor AWS CloudTrail for threats against your environment

Use security technologies that understand containers and integrate natively where possible

Monitor intra-/inter-container traffic to get full visibility of threats

AWS Security Principles

• Implement a strong identity foundation

• Enable traceability

• Apply security at all layers

• Automate security best practices

• Protect data in transit and at rest

• Keep people away from data

• Prepare for security events

Uniquely Bringing Together a Set of Capabilities

Threat Intelligence, Vulnerability Research & Analytics

Dozens of security researchers, data scientists, and security engineers

Over 30 petabytes of customer data collected and analyzed

Building on over 15 years of managing threat intelligence data

Industry Experts

150+ trained SOC analysts

Proprietary internal training program

• Organically grow entry-level analysts to security experts

• Enabling scalability to support rapid growth

Twice the industry average for security analyst retention

Alert Logic’s Platform Fabric Coverage

Hybrid protection, both on premises and in cloud environments

Including network, log data, and endpoint telemetry

Resources

E-books BrightTALK

AlertLogicTV @alertlogic

YouTube
