How can AWS EC2 Container Service improve Docker security? Are there additional security measures that should be in place to ensure safe Docker use?
Docker is an alternative to hypervisor-based virtual machines that allows easy migration of applications across platforms. This is a welcome relief for DevOps professionals who can now easily port an application developed on a Mac OS X platform to a production Linux server.
There are, however, security concerns with Docker.
The AWS EC2 Container Service is a cluster management system that streamlines the use of Docker images on a set of AWS instances. Since your applications will run on EC2 instances, you will have access to all the security controls generally available to those resources. This is important because there are significant limitations to securing the current versions of Docker.
Docker processes have root access to the file system, and this could be used to compromise the operations of other containers on the same server. According to reports, future versions of Docker will run processes with restricted privileges. In the meantime, AWS users can take advantage of security features to mitigate this risk.
AWS' Virtual Private Cloud (VPC) isolates compute and network resources within the AWS cloud. Cloud administrators can create multiple virtual private clouds as needed. Within each VPC, the cloud admin can create subnets, define IP address ranges and configure route tables and gateways. Admins can set up additional controls -- such as security groups -- on machine instances to further restrict access to resources.
Administrators can also run Docker on dedicated instances. These instances run in a VPC on hardware that is used only by a single customer. Note, there are additional charges for dedicated instances.
Other AWS security controls can also be applied to instances running Docker. For example, security groups can be used to define rules controlling inbound and outbound traffic to and from a server. In addition, Identity and Access Management (IAM) roles can be assigned to instances; this allows an instance to assume the privileges granted to the role. Also, AWS access keys do not have to be passed programmatically to instances when roles are used; this helps mitigate the risk of exposing access keys and secret keys.
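As an added illustration that is not part of the original answer, the following Python checks records shaped like the EC2 describe-instances and describe-security-groups responses for the two controls just described: every Docker host carries an IAM instance profile, and no security group exposes non-web ports to any source. The sample data, the instance and group ids, and the PUBLIC_OK_PORTS allow-list are constructed assumptions.

```python
# Audit constructed EC2 API-style records for two controls the answer recommends
# for Docker hosts: IAM roles instead of access keys, and security groups that
# do not expose non-web ports to the Internet. Sample data is constructed and
# only mirrors the describe-instances / describe-security-groups fields used.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-docker", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 2375, "ToPort": 2375,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-aaa", "SecurityGroups": [{"GroupId": "sg-web"}],
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ecs"}},
    {"InstanceId": "i-bbb", "SecurityGroups": [{"GroupId": "sg-docker"}]},
]
PUBLIC_OK_PORTS = {80, 443}  # assumption: only the web ports may be world-reachable

def _world_reachable(perm):
    """True if an ingress rule accepts traffic from any IPv4 or IPv6 source."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ("0.0.0.0/0", "::/0") for c in cidrs)

def _port_range(perm):
    """Inclusive port range of a rule; protocol -1 means 'all traffic'."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def audit(instances, groups_by_id):
    """Return one finding per violated control, in instance order."""
    findings = []
    for inst in instances:
        iid = inst["InstanceId"]
        if not inst.get("IamInstanceProfile"):  # no role: keys would have to be passed in
            findings.append(f"{iid}: no IAM instance profile attached")
        for sg in inst.get("SecurityGroups", []):
            for perm in groups_by_id[sg["GroupId"]].get("IpPermissions", []):
                lo, hi = _port_range(perm)
                if _world_reachable(perm) and any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                    findings.append(f"{iid}: {sg['GroupId']} opens {lo}-{hi}/{perm['IpProtocol']} to any source")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(INSTANCES, {g["GroupId"]: g for g in SECURITY_GROUPS})))
```

The same logic can be pointed at real API output by replacing the constructed lists with the results of the corresponding describe calls.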
AWS EC2 Container Service will help reduce management overhead for organizations running a large number of Docker instances in the AWS cloud, but it does not eliminate the need to properly configure and secure instances, subnets and virtual private clouds.
Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)