
How can AWS EC2 Container Service improve Docker security?

Expert Dan Sullivan outlines the security issues associated with Docker and explains how the AWS EC2 Container Service can help resolve them.

How can AWS EC2 Container Service improve Docker security? Are there additional security measures that should be in place to ensure safe Docker use?

Docker is an alternative to hypervisor-based virtual machines that allows easy migration of applications across platforms. This is a welcome relief for DevOps professionals who can now easily port an application developed on a Mac OS X platform to a production Linux server.

There are, however, security concerns with Docker.

The AWS EC2 Container Service is a cluster management system that streamlines the use of Docker images on a set of AWS instances. Since your applications will run on EC2 instances, you will have access to all the security controls generally available to those resources. This is important because there are significant limitations to securing the current versions of Docker.

Docker processes have root access to the file system, and this could be used to compromise the operations of other containers on the same server. According to reports, future versions of Docker will run processes with restricted privileges. In the meantime, AWS users can take advantage of security features to mitigate this risk.

AWS' Virtual Private Cloud (VPC) isolates compute and network resources within the AWS cloud. Cloud administrators can create multiple virtual private clouds as needed. Within each VPC, the cloud admin can create subnets, define IP address ranges and configure route tables and gateways. Admins can set up additional controls -- such as security groups -- on machine instances to further restrict access to resources.

Administrators can also run Docker on dedicated instances. These instances run in a VPC on hardware that is used only by a single customer. Note, there are additional charges for dedicated instances.

Other AWS security controls can also be applied to instances running Docker. For example, security groups can be used to define rules controlling inbound and outbound traffic to and from a server. In addition, identity and access management (IAM) roles can be assigned to instances, which allows an instance to assume the privileges granted to the role. When roles are used, AWS access keys do not have to be passed programmatically to instances, which helps mitigate the risk of exposing access keys and secret keys.
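As an added example (not from the article and not AWS or Docker code), the following Python audit checks instance and security-group records for the controls just described: VPC placement, dedicated tenancy, an attached IAM instance role, and no inbound rule open to any address. The records are constructed sample data shaped like the boto3 EC2 `describe_instances()` and `describe_security_groups()` responses.

```python
# Constructed sample data shaped like the boto3 ec2 describe_instances() and
# describe_security_groups() responses; not real AWS output.
INSTANCES = [
    {"InstanceId": "i-0000aaaa", "VpcId": "vpc-1111",
     "Placement": {"Tenancy": "dedicated"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ecsRole"},
     "SecurityGroups": [{"GroupId": "sg-good"}]},
    {"InstanceId": "i-0000bbbb", "VpcId": "vpc-1111",   # no IAM role attached
     "Placement": {"Tenancy": "default"},
     "SecurityGroups": [{"GroupId": "sg-open"}]},
]
SECURITY_GROUPS = {  # GroupId -> inbound IpPermissions
    "sg-good": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "sg-open": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def open_ingress(rules):
    """Return (protocol, from_port, to_port) for inbound rules open to any address."""
    found = []
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(c in ANYWHERE for c in cidrs):
            found.append((rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort")))
    return found

def audit_instance(inst, groups):
    """Return a list of findings for one container instance (empty means OK)."""
    findings = []
    if not inst.get("VpcId"):
        findings.append("not in a VPC")
    if inst.get("Placement", {}).get("Tenancy") != "dedicated":
        findings.append("shared tenancy (dedicated instances are an option)")
    if not inst.get("IamInstanceProfile"):
        findings.append("no IAM instance role; access keys may be passed by hand")
    for sg in inst.get("SecurityGroups", []):
        for proto, lo, hi in open_ingress(groups.get(sg["GroupId"], [])):
            span = "any port" if lo is None else f"{lo}-{hi}"
            findings.append(f"{sg['GroupId']} allows {'all' if proto == '-1' else proto} {span} from anywhere")
    return findings

def audit(instances=INSTANCES, groups=SECURITY_GROUPS):
    """Map every instance id to its findings."""
    return {i["InstanceId"]: audit_instance(i, groups) for i in instances}

if __name__ == "__main__":
    for iid, issues in audit().items():
        print(iid, issues or ["ok"])
```

Against live data, the two constants would be replaced by the lists returned from the EC2 API; the checks themselves do not change.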

AWS EC2 Container Service will help reduce management overhead for organizations running a large number of Docker instances in the AWS cloud, but it does not eliminate the need to properly configure and secure instances, subnets and virtual private clouds.

Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)


This was last published in July 2015

4 comments

Nice to know that future versions will support security. Wouldn't it be a good idea to have that from the beginning? Not to mention, wouldn't security from the get-go tend to be designed better than something that's bolted on afterwards?
It’s not that Docker doesn’t support security. It does, and on many levels. The issue is that the Docker daemon requires root access to the server running the container. It’s also good to remember that a container is very different from a server. The typical Linux server needs to run several processes as root, such as SSH, cron, syslogd, network configuration tools, etc., whereas all of these tasks are handled by the infrastructure around the container.
It will be interesting to see if they automate the security best practices as outlined by Docker's security team, as well as implementing some of the external tooling - http://www.thecloudcast.net/2015/06/the-cloudcast-199-docker-security.html
That’s a great resource and I truly enjoyed hearing Docker’s security leads talk on the subject. I think they are right when they say the question should be “do containers reduce your organizational risk?” Thanks for sharing!
