0% found this document useful (0 votes)

12 views12 pages

AWS Security Notes

Uploaded by

atulmisal97

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

12 views12 pages

AWS Security Notes

Uploaded by

atulmisal97

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 12

Security

Best Practices
for
Containers
Importance of Container Security on AWS
Overview
Containers are becoming increasingly popular for building and deploying applications on
AWS. They provide a lightweight, portable and consistent environment for running
applications, which makes them a great choice for microservices, cloud-native applications
and continuous integration/continuous delivery (CI/CD) pipelines.

However, as with any technology, containers also bring their own set of security challenges.
Containers share the host operating system and kernel, which means that vulnerabilities in
the host can also affect the containers. Additionally, containers can be easily moved between
hosts, which makes it difficult to maintain consistent security policies.

Therefore, it is important to implement best practices and security controls to protect

containerized applications on AWS. This includes securing the container images, the host
operating system, and the network and runtime environment. Implementing these security
controls can help prevent unauthorized access, data breaches, and other security threats.

Overall, Container security on AWS is crucial to ensure the integrity and safety of the
application, as well as the data and resources that the application uses. This is especially
important for applications that handle sensitive data or are exposed to the internet.
Popular Container Services on AWS
Amazon ECS: Built-in security features:
Amazon Elastic Container Service (ECS) is a fully 1. IAM Roles for Service Accounts: ECS and EKS both use IAM roles to
provide permissions to the resources that the service uses. This allows
managed service provided by AWS for running
you to grant least privilege access to your resources and helps to
containerized applications. It allows you to easily
prevent unauthorized access.
run, scale, and orchestrate containerized 2. Automatic security group management: Both services automatically
applications using Docker and AWS infrastructure. manage security groups for the resources they create. This includes
ECS can be used to deploy and manage creating and managing security groups for the container instances
and load balancers, which helps to control ingress and egress traffic
applications on EC2 or AWS Fargate, which is a
to your containerized applications.
serverless compute engine for containers.
3. Network isolation: ECS and EKS both provide network isolation,
which helps to protect your containerized applications from
Amazon EKS:
unauthorized access and data breaches.
Amazon Elastic Kubernetes Service (EKS) is a fully 4. Automatic patching: ECS and EKS will automatically patch the
managed service provided by AWS for running underlying infrastructure to keep it up to date with the latest security
Kubernetes clusters. It allows you to easily run, updates.
5. Monitoring and logging: ECS and EKS both provide built-in
scale, and orchestrate containerized applications
monitoring and logging capabilities. This allows you to monitor the
using Kubernetes and AWS infrastructure.
performance and troubleshoot issues with your containerized
applications.
Best
Practices
Use Amazon Elastic Container Registry (ECR)
Amazon Elastic Container Registry (ECR) is a fully managed container registry service provided by AWS for storing, managing, and deploying container

images. It allows you to store, manage, and deploy Docker images on AWS.

Using ECR can help improve the security of your containerized applications on AWS by providing the following features:

1. Authentication and Authorization: ECR uses IAM for authentication and authorization. This allows you to control who can access your container images and

what actions they can perform.

2. Image Scanning: ECR integrates with Amazon Inspector for image scanning. This allows you to automatically scan your container images for vulnerabilities

and malware.

3. Image Signing: ECR supports image signing and scanning for image authenticity. This ensures that the images you deploy have not been tampered with and

come from a trusted source.

4. Image Immutability: ECR allows you to make an image repository immutable. This means that once an image is pushed to the repository, it cannot be

deleted or overwritten. This helps to prevent malicious actors from modifying or tampering with your container images.

5. Image Management: ECR allows you to manage container images throughout their lifecycle. This includes the ability to delete images, set image retention

policies, and monitor image usage.

By using ECR, you can improve the security of your containerized applications by authenticating and authorizing access to your container images, automatically

scanning for vulnerabilities, ensuring image authenticity, protecting images from tampering, and managing images throughout their lifecycle. Additionally, you

can also use ECR with ECS or EKS for deploying and running containerized applications in a secure way.
Use IAM Roles
Using IAM roles is an important security best practice for containerized applications on AWS. IAM roles allow you to grant least privilege access to yo

AWS resources and help to prevent unauthorized access.

Here are a few ways in which IAM roles can be used to secure containerized applications on AWS:

1. Granting access to resources: IAM roles can be used to grant access to specific resources such as ECR repositories, S3 buckets, and CloudWatch logs. T

allows you to control which resources your containerized applications can access and what actions they can perform on those resources.

2. Running tasks with IAM roles: Amazon ECS and Amazon EKS can use IAM roles for tasks and pods, which allows you to grant permissions to the resourc

that the containerized application uses. This helps to prevent unauthorized access to resources and helps to enforce the least privilege access.

3. Enabling cross-account access: IAM roles can be used to enable cross-account access between different AWS accounts. This allows you to share resourc

across accounts in a secure way without sharing credentials.

4. Managing access to AWS services: IAM roles can be used to manage access to AWS services such as AWS Fargate, Elastic Block Store (EBS), and Elas

File System (EFS). This allows you to control which services your containerized applications can access and what actions they can perform on those service

5. Using IAM roles for EC2 instances: IAM roles can be assigned to EC2 instances, which allows you to grant permissions to the resources that the instanc

use. This can be useful when running containerized applications on EC2 instances, as it allows you to grant the least privilege access to the instances a

their associated resources.

Use network segmentation and security groups
Using network segmentation and security groups is an important security best practice for containerized applications on AWS. Network segmentation allows

you to divide your network into smaller, isolated segments, which can help to limit the scope of a security incident and prevent unauthorized access. Security

groups allow you to control incoming and outgoing traffic to and from your resources, which can help to prevent unauthorized access and network-based

attacks.

Here are a few ways in which network segmentation and security groups can be used to secure containerized applications on AWS:

1. Isolate container networks: By using network segmentation, you can isolate the network traffic of your containerized applications from other parts of your

network. This can help to prevent unauthorized access and limit the scope of a security incident.

2. Control incoming and outgoing traffic: Security groups can be used to control incoming and outgoing traffic to and from your resources. This can help to prevent

unauthorized access and network-based attacks.

3. Limit access to specific ports: Security groups can be used to limit access to specific ports on your resources. This can help to prevent unauthorized access and

network-based attacks.

4. Use VPC endpoint for ECR: By using the Amazon VPC endpoint for Amazon Elastic Container Registry (ECR) you can route the traffic to ECR directly within the

Amazon VPC, without using the Internet. This can help to improve the security of your container images and prevent unauthorized access.

5. Implement Network Access Control Lists (NACLs) to further granularly control traffic to and from your VPC.

Implementing network segmentation and security groups can help to improve the security of your containerized applications on AWS by controlling access to your

resources and limiting the scope of security incidents.

Use Amazon CloudWatch Container Insights
Using Amazon CloudWatch Container Insights is an important security best practice for containerized applications on AWS. CloudWatch Container Insights

allows you to monitor and troubleshoot your containerized applications, which can help to detect and prevent security incidents.

Here are a few ways in which CloudWatch Container Insights can be used to secure containerized applications on AWS:

1. Monitor container performance: CloudWatch Container Insights allows you to monitor the performance of your containerized applications, which can help to

detect and prevent performance issues.

2. Collect and analyze log data: CloudWatch Container Insights allows you to collect and analyze log data from your containerized applications, which can help to

detect and troubleshoot security incidents.

3. Monitor resource usage: CloudWatch Container Insights allows you to monitor the resource usage of your containerized applications, which can help to detect and

prevent resource starvation.

4. Set up alarms for threshold breaches: CloudWatch Container Insights allows you to set up alarms for threshold breaches, which can help to detect and prevent

security incidents.

5. Monitor the ECS task and service health, this can help to detect and prevent security incidents.

By using CloudWatch Container Insights, you can gain visibility into the performance and resource usage of your containerized applications, which can help to

detect and prevent security incidents. This allows you to monitor your application's behavior in real-time and take action if any unexpected behavior is detected.
Keep images and host OS patched
Keeping images and host OS patched is an important security best practice for containerized applications on AWS. Keeping images and host OS

patched can help to prevent vulnerabilities and security incidents.

Here are a few ways in which keeping images and host OS patched can be used to secure containerized applications on AWS:

1. Update container images: By updating container images to the latest versions, you can ensure that your applications are running on the most recent,

secure version of the software. This can help to prevent vulnerabilities and security incidents.

2. Patch host OS: By patching the host OS, you can ensure that your applications are running on a secure, up-to-date operating system. This can help

to prevent vulnerabilities and security incidents.

3. Automate image updates: By automating image updates, you can ensure that your container images are always up to date and running on the most

recent, secure version of the software.

4. Use ECR Image Scanning, this allows you to automatically check for known vulnerabilities in your images, you can configure your registry to block

the images that have high or critical vulnerabilities from being pushed or pulled.

5. Use automated security scanning tools to scan for vulnerabilities in your images.

By keeping images and host OS patched, you can ensure that your containerized applications are running on a secure, up-to-date software stack,

which can help to prevent vulnerabilities and security incidents. This can also help to keep your infrastructure updated and more secure.
Use Secrets Management
Using secrets management is an important security best practice for containerized applications on AWS. Secrets management allows you to

securely store, manage, and rotate sensitive information such as passwords, keys, and certificates.

Here are a few ways in which secrets management can be used to secure containerized applications on AWS:

1. Use a secrets manager: AWS Secrets Manager allows you to securely store and manage sensitive information such as passwords, keys, and

certificates. This can help to prevent sensitive information from being stored in plaintext and help reduce the risk of security incidents.

2. Rotate secrets: By rotating secrets regularly, you can ensure that your sensitive information is always up-to-date and that any compromised secrets

are quickly replaced.

3. Use IAM roles to control access to secrets: By using IAM roles, you can control access to sensitive information stored in AWS Secrets Manager. This

can help to prevent unauthorized access and reduce the risk of security incidents.

4. Use encrypted environment variables: to store sensitive data, such as database credentials.

5. Use AWS Secrets Manager and Parameter Store to store and manage your containerized application's secrets, this allows you to manage access to

your secrets and rotate them automatically, reducing the risk of security incidents.

By using secrets management, you can securely store, manage, and rotate sensitive information, which can help to prevent security incidents and

protect sensitive data from unauthorized access.

Perform Security Scans Regularly
Performing security scans is an important security best practice for containerized applications on AWS. Security scans can help to identify

vulnerabilities in your containerized applications and provide guidance on how to remediate them.

Here are a few ways in which security scans can be used to secure containerized applications on AWS:

1. Use Amazon Inspector: Amazon Inspector is an automated security assessment service that helps you to identify vulnerabilities in your containerized

applications and provides guidance on how to remediate them.

2. Use AWS Container Security: AWS Container Security is a service that helps you to identify vulnerabilities in your container images and provides

guidance on how to remediate them.

3. Use AWS Security Hub: AWS Security Hub is a service that aggregates security findings from multiple AWS services, including Amazon Inspector and

AWS Container Security, and provides a central view of your security posture.

4. Use third-party tools: There are also several third-party security scanning tools, such as Aqua Security, Snyk, and Qualys, that can be used to scan your

containerized applications for vulnerabilities.

5. Use Amazon Elastic Container Registry (ECR) Image Scanning: ECR Image Scanning automatically scans your container images stored in ECR for

vulnerabilities and security best practices.

By performing security scans, you can identify vulnerabilities in your containerized applications and provide guidance on how to remediate them,

which can help to prevent security incidents and protect your containerized applications from attacks.
Thanks for attending
the session :)
In conclusion, securing containerized applications on AWS is
essential for protecting your data and infrastructure.

It is important to keep in mind that security is a process that

requires continuous monitoring and improvement, so it is
essential to regularly review and update your security practices
and stay informed about new threats and vulnerabilities.

By following these best practices and utilizing the security

features provided by AWS, you can help protect your
containerized applications from threats and ensure the security
of your data and infrastructure.

Follow on:
Sandip Das

@LearnTechWithSandip

Edge Trading Secret Final
93% (14)
Edge Trading Secret Final
80 pages
You and I (Will Travel Far Together)
100% (2)
You and I (Will Travel Far Together)
3 pages
Datadog AWSeBook ContainerizedApplications
No ratings yet
Datadog AWSeBook ContainerizedApplications
44 pages
AWS Fargate: Hybrid Deployment Machine Learning Batch Processing Web Applications
No ratings yet
AWS Fargate: Hybrid Deployment Machine Learning Batch Processing Web Applications
3 pages
Module3 - 3 - ECS & S3g
No ratings yet
Module3 - 3 - ECS & S3g
21 pages
Updated - TWC AWS Secure Config Review Draft Report March2025
No ratings yet
Updated - TWC AWS Secure Config Review Draft Report March2025
594 pages
Elastic Kubernetes Service in Practice: Definitive Reference for Developers and Engineers
From Everand
Elastic Kubernetes Service in Practice: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Amazon ECS Lab3
No ratings yet
Amazon ECS Lab3
7 pages
StrongerContainerSec AWS20
No ratings yet
StrongerContainerSec AWS20
10 pages
AWS Reinvent 2020
No ratings yet
AWS Reinvent 2020
37 pages
AWS Container Service
No ratings yet
AWS Container Service
5 pages
Unlock Digital Transformation by Modernizing With Containers
No ratings yet
Unlock Digital Transformation by Modernizing With Containers
10 pages
AWS Fargate
No ratings yet
AWS Fargate
4 pages
PF Aws Container Security Monitoring Guide
No ratings yet
PF Aws Container Security Monitoring Guide
50 pages
AWS Certified Solutions Architect - Associate Exam Prep kit
From Everand
AWS Certified Solutions Architect - Associate Exam Prep kit
SUJAN
No ratings yet
AWS Cheatsheet 1
No ratings yet
AWS Cheatsheet 1
5 pages
Lesson 10 Container Service
No ratings yet
Lesson 10 Container Service
45 pages
Week#10 (ECS)
No ratings yet
Week#10 (ECS)
24 pages
AWS Certified Data Engineer Associate Cheat Sheet
No ratings yet
AWS Certified Data Engineer Associate Cheat Sheet
54 pages
09 - AWS Handout
No ratings yet
09 - AWS Handout
27 pages
Cheat Sheet For CP Exam
No ratings yet
Cheat Sheet For CP Exam
9 pages
A Comprehensive Guide to Amazon Web Services
From Everand
A Comprehensive Guide to Amazon Web Services
Josh Luberisse
No ratings yet
CH 2
No ratings yet
CH 2
38 pages
Amazon ECS - Free AWS Cheat Sheets
No ratings yet
Amazon ECS - Free AWS Cheat Sheets
20 pages
Ecs Presentation
No ratings yet
Ecs Presentation
6 pages
Understanding What Is Amazon Elastic Container Service (ECS)
No ratings yet
Understanding What Is Amazon Elastic Container Service (ECS)
18 pages
Module 2 - Introduction To Amazon ECR
No ratings yet
Module 2 - Introduction To Amazon ECR
15 pages
Definitive Guide To Elastic Kubernetes Service (EKS) Security
No ratings yet
Definitive Guide To Elastic Kubernetes Service (EKS) Security
42 pages
Aws Clf-Co2 Qa
No ratings yet
Aws Clf-Co2 Qa
44 pages
Whitepaper Security Best Practices 2010
No ratings yet
Whitepaper Security Best Practices 2010
5 pages
Aws
No ratings yet
Aws
5 pages
Amazon EC2 Scenariod Base
No ratings yet
Amazon EC2 Scenariod Base
22 pages
AWS in ACTION Part -1: Real-world Solutions for Cloud Professionals
From Everand
AWS in ACTION Part -1: Real-world Solutions for Cloud Professionals
Poonam Devi
No ratings yet
Advanced Container Security - Jason Umiker - 28jun - Final
No ratings yet
Advanced Container Security - Jason Umiker - 28jun - Final
68 pages
About Kubernetes and Security Practices - Short Edition: First Edition, #1
From Everand
About Kubernetes and Security Practices - Short Edition: First Edition, #1
Ami Adi
No ratings yet
Aws Academy 6-10 Modules Notes
No ratings yet
Aws Academy 6-10 Modules Notes
33 pages
AWS Study Notes
No ratings yet
AWS Study Notes
30 pages
Experiment 10 CCL
No ratings yet
Experiment 10 CCL
20 pages
I. Amazon Elastic Compute Cloud (Amazon EC2)
No ratings yet
I. Amazon Elastic Compute Cloud (Amazon EC2)
16 pages
Ecs 2
No ratings yet
Ecs 2
2 pages
AWS CLI Essentials: A Beginner's Guide to Cloud Automation
From Everand
AWS CLI Essentials: A Beginner's Guide to Cloud Automation
Robert Johnson
No ratings yet
AquaSec ContainerSecurity BestPractices
No ratings yet
AquaSec ContainerSecurity BestPractices
11 pages
Bestpracticesguide
No ratings yet
Bestpracticesguide
101 pages
AWS Config
No ratings yet
AWS Config
10 pages
AWS Security Best Practices 2
No ratings yet
AWS Security Best Practices 2
33 pages
AWS Container Day A Journey To Modern App
No ratings yet
AWS Container Day A Journey To Modern App
60 pages
AWS Associate Architect: From basic to advanced
From Everand
AWS Associate Architect: From basic to advanced
Alex Carvalho
No ratings yet
Bestpracticesguide
No ratings yet
Bestpracticesguide
101 pages
Ec2 Class Notes
No ratings yet
Ec2 Class Notes
15 pages
AWS - ElasticContainer Services
No ratings yet
AWS - ElasticContainer Services
11 pages
AWS Sysops PDF
100% (2)
AWS Sysops PDF
138 pages
AWS Containers
No ratings yet
AWS Containers
12 pages
Amazon ECR Deployment Solutions: Definitive Reference for Developers and Engineers
From Everand
Amazon ECR Deployment Solutions: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
ECS DevelopersGuide
No ratings yet
ECS DevelopersGuide
396 pages
AWS Elastic Container Service ECS For DevOps Engineers 1729323535
No ratings yet
AWS Elastic Container Service ECS For DevOps Engineers 1729323535
6 pages
Module 04
No ratings yet
Module 04
54 pages
Aws Sysops Question 4
No ratings yet
Aws Sysops Question 4
119 pages
AWS SysOps Administrator Associate: From basic to advanced
From Everand
AWS SysOps Administrator Associate: From basic to advanced
Alex Carvalho
No ratings yet
05 DAY2 AWS-Services-DrillDowns
No ratings yet
05 DAY2 AWS-Services-DrillDowns
94 pages
10 Mins About Aws
No ratings yet
10 Mins About Aws
18 pages
Containers
No ratings yet
Containers
20 pages
Notes For AWS CP Bootcamp
No ratings yet
Notes For AWS CP Bootcamp
10 pages
Pme 826 Westcott Mod 1 Minor Task 2
No ratings yet
Pme 826 Westcott Mod 1 Minor Task 2
2 pages
#2 Lab Report Revised
No ratings yet
#2 Lab Report Revised
2 pages
574337014
No ratings yet
574337014
351 pages
Weather Modification Alberta Canada 1980 1985 Study
No ratings yet
Weather Modification Alberta Canada 1980 1985 Study
28 pages
Cooperative Rural Bank V Ferrer-Calleja PDF
No ratings yet
Cooperative Rural Bank V Ferrer-Calleja PDF
5 pages
Utility Bills Exercises
No ratings yet
Utility Bills Exercises
4 pages
Ethics and Culture: LIS 580: Spring 2006 Instructor-Michael Crandall
No ratings yet
Ethics and Culture: LIS 580: Spring 2006 Instructor-Michael Crandall
26 pages
Ecostruxure Control Expert With Topology Manager
100% (1)
Ecostruxure Control Expert With Topology Manager
11 pages
Why Use MPC Based Contact For - Bonded - Connections
No ratings yet
Why Use MPC Based Contact For - Bonded - Connections
5 pages
Construction Weekly Progress Report
No ratings yet
Construction Weekly Progress Report
1 page
Creating A Data Collection Form With Epicollect5
No ratings yet
Creating A Data Collection Form With Epicollect5
11 pages
Philippine Judicial Infrastructure: Gaining Momentum
No ratings yet
Philippine Judicial Infrastructure: Gaining Momentum
6 pages
About Injection Molding
No ratings yet
About Injection Molding
13 pages
ACTIVITY 1.2 - Match Up Challenge
No ratings yet
ACTIVITY 1.2 - Match Up Challenge
2 pages
BOQ Rates South
No ratings yet
BOQ Rates South
6 pages
Chapter 1
No ratings yet
Chapter 1
16 pages
Huawei ISO9001 ISO14001
No ratings yet
Huawei ISO9001 ISO14001
30 pages
Dissertation Au Bac
100% (2)
Dissertation Au Bac
7 pages
Ifrs 7 Financial Instruments Disclosures
No ratings yet
Ifrs 7 Financial Instruments Disclosures
70 pages
Anhvan12chuongtrinhglobalsuccess Thionlineunit9 Careerpaths
No ratings yet
Anhvan12chuongtrinhglobalsuccess Thionlineunit9 Careerpaths
3 pages
Fesco Online Billl
No ratings yet
Fesco Online Billl
1 page
DuPont Analysis
No ratings yet
DuPont Analysis
2 pages
Planner
No ratings yet
Planner
2 pages
Budget Exercise
No ratings yet
Budget Exercise
5 pages
Indicator Tape
No ratings yet
Indicator Tape
1 page
Article 1156: An Obligation Is A Juridical Necessity To Give, To Do, or Not To Do
No ratings yet
Article 1156: An Obligation Is A Juridical Necessity To Give, To Do, or Not To Do
4 pages
Olutasidenib 8
No ratings yet
Olutasidenib 8
18 pages
James Bond Spectre Torrent Online Movie
No ratings yet
James Bond Spectre Torrent Online Movie
2 pages