Sidra Saleem for SUDO Consultants

Posted on • Originally published at sudoconsultants.com

Automated Security Scanning for Docker Images on AWS

Introduction

Overview of Docker and Containerization

Docker is a platform for packaging an application into a container image: a standardized unit that carries the application code together with its runtime, system tools and libraries. Packaging software this way, known as containerization, has changed how modern software is built and shipped, because an application behaves the same in every environment, from a developer's laptop to production servers.

Containerization underpins continuous integration and continuous deployment (CI/CD) pipelines in DevOps practice. Because a container bundles the application with all of its dependencies, the artifact that was tested is the artifact that gets deployed, which makes pipelines efficient, scalable and repeatable.

Importance of Security in Docker Images

Common Security Vulnerabilities in Docker Images

Docker images carry significant security risk when they are not managed carefully. Common issues include:

Outdated Packages: An image freezes the operating-system packages and libraries that were current when it was built; unless it is rebuilt, it keeps shipping known vulnerabilities long after fixes are available.

Misconfigurations: Poor settings, such as running the container's process as root, exposing ports that are not needed, or granting extra Linux capabilities, give an attacker who gets into the container far more than they should have.

Embedded Secrets: Hardcoding secrets such as API keys, database passwords or cloud credentials into the image's files, ENV instructions or build arguments. Anyone who can pull the image, or read its layer history, can read the secret.

Potential Impacts of Insecure Docker Images

The consequences of deploying insecure Docker images can be severe: data breaches, service interruptions, unauthorized access to the surrounding infrastructure, and compliance violations. Security incidents of this kind erode customer trust and lead to financial and reputational damage.

AWS and Security

AWS’s Commitment to Security

Amazon Web Services (AWS) offers numerous services and features to help protect data, control access, and meet compliance requirements. AWS operates under the shared-responsibility model: AWS is responsible for the security of the cloud (the physical facilities, hardware, hypervisors and managed-service internals), while customers are responsible for security in the cloud, which includes the container images they build, the configuration of the services they use, and the identities and permissions they grant.

Overview of AWS Services Related to Security

Here are the AWS services most relevant to container image security:

  • Amazon Inspector: An automated vulnerability management service that scans EC2 instances, Lambda functions and container images stored in Amazon ECR.
  • AWS Security Hub: Aggregates findings from AWS services and partner products into one view and runs automated checks against security standards.
  • AWS Identity and Access Management (IAM): Manages which users, roles and services may perform which actions, including who may push images and read scan results.

Understanding Docker Image Security

Common Vulnerabilities in Docker Images

Types of Vulnerabilities

  • Outdated Packages

Old versions of operating-system packages and application libraries leave a container exposed to vulnerabilities that are already public and often already weaponized.

  • Misconfigurations

Settings that widen the attack surface: unnecessary ports exposed, the process running as root, privileged or host-networked containers, or a writable root filesystem where none is needed.

  • Hardcoded Credentials

Credentials baked into an image (in ENV instructions, configuration files or build arguments) are readable by anyone who can pull the image or inspect its layer history, and they are exploited as soon as that image leaks or is compromised.

Examples of High-Profile Security Incidents

Several high-profile incidents show why Docker images, and the platforms that run them, need hardening:

  • Tesla Cloud Breach (2018): attackers found a Kubernetes console exposed to the internet without a password, used the AWS credentials stored inside a pod to reach Tesla's cloud resources, and ran cryptocurrency-mining workloads in the cluster.
  • The Alpine Linux root-password bug (CVE-2019-5021): official Alpine Linux Docker images shipped with a null (empty) root password, so any service in the container that authenticated against the system password database could be used to gain root.

Best Practices for Docker Image Security

Building Minimal Images

A minimal image has a smaller attack surface because it contains only what the application needs to run: no shells, package managers or build toolchains for an attacker to use once inside. Multi-stage builds keep compilers and build dependencies out of the final image, and tools such as DockerSlim automate stripping an existing image down to the files it actually uses.

Regularly Updating Base Images

Rebuild images from an updated base on a regular schedule, not only when your own code changes, so that security patches in the base layers reach production. Pinning the base image to a specific tag or digest keeps builds reproducible; updating that pin deliberately, and rescanning afterwards, is what keeps them patched.

Using Official Images from Trusted Sources

Pull base images only from official or verified publishers, and pin them by digest where possible. This lowers the risk of starting from an image that carries malware, an abandoned and unpatched base, or a typosquatted name that imitates a popular image.
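The three image problems this section keeps returning to (unpinned or stale base images, containers that run as root, and secrets baked into layers) can be caught before an image is ever built. The following checker is an added example written for this article, not code from the original post or from any Docker or AWS tool; its rule names, its regular expression for secret-looking variable names and the sample Dockerfile it runs against are assumptions. It uses only the Python standard library and is the kind of check that belongs in a pre-commit hook or in the pipeline's build stage:

```python
"""Dockerfile hygiene checks: unpinned base images, secrets baked into the
image, containers that run as root, and unverified ADD from a URL.

Added example for this article, not code from the original post or from any
AWS or Docker tool. The rule names, the secret-name regular expression and the
sample Dockerfile are assumptions. Standard library only.
"""
import re

# Constructed sample Dockerfile that breaks each rule once.
SAMPLE_DOCKERFILE = """\
FROM python:latest AS build
ENV API_KEY=sk_live_0123456789abcdef
ADD https://example.invalid/vendor.tar.gz /tmp/vendor.tar.gz
COPY . /app
RUN pip install --no-cache-dir \\
    -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD", re.IGNORECASE)


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations, skips comments and blanks."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        instruction, _, rest = (pending + line).partition(" ")
        pending = ""
        yield instruction.upper(), rest.strip()


def env_assignments(argument):
    """Split 'ENV K=V K2=V2' or the legacy 'ENV K V' form into (key, value) pairs."""
    tokens = argument.split()
    if tokens and "=" in tokens[0]:
        return [tuple(t.split("=", 1)) for t in tokens if "=" in t]
    key, _, value = argument.partition(" ")
    return [(key, value.strip())] if key else []


def check_dockerfile(text):
    """Return a list of (rule, detail) findings for the Dockerfile text."""
    findings = []
    last_user = None
    for instruction, argument in parse_instructions(text):
        if instruction == "FROM":
            last_user = None                      # a new stage starts as root again
            image = argument.split()[0]           # drop "AS <stage>"
            if image == "scratch" or "@sha256:" in image:
                continue                          # empty base, or pinned by digest
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if tag in ("", "latest"):
                findings.append(("unpinned-base", f"FROM {image}: pin a version tag or a digest"))
        elif instruction == "USER":
            last_user = argument.split(":")[0]    # "user:group" -> user
        elif instruction in ("ENV", "ARG"):
            for key, value in env_assignments(argument):
                # a literal value lands in the image layer and its history; "$VAR" references are fine
                if SECRET_NAME.search(key) and value and not value.startswith("$"):
                    findings.append(("embedded-secret", f"{instruction} {key} carries a literal secret"))
        elif instruction == "ADD" and re.match(r"https?://", argument):
            findings.append(("remote-add", "ADD from a URL is unverified; COPY a checked-in file or verify a checksum"))
    if last_user in (None, "root", "0"):
        findings.append(("runs-as-root", "no non-root USER instruction in the final stage"))
    return findings


if __name__ == "__main__":
    for rule, detail in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{rule}: {detail}")
```

Run it against a real Dockerfile with `python check_dockerfile.py < Dockerfile` after swapping the sample for `sys.stdin.read()`; a non-empty result should fail the build step. The checker deliberately treats `ARG` the same as `ENV`, because a build argument with a default value is recorded in the image history just like an environment variable.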

AWS Services for Security Scanning

Amazon ECR (Elastic Container Registry)

Overview of Amazon ECR

Amazon ECR is a fully managed container registry for storing, managing and deploying container images. It stores images durably, scales with demand, integrates with Amazon ECS, Amazon EKS, AWS CodeBuild and other AWS services, and controls who may push or pull through IAM.

Features Related to Security Scanning

Vulnerability scanning is built into Amazon ECR in two tiers. Basic scanning is performed by ECR itself and reports operating-system package vulnerabilities; enhanced scanning hands the work to Amazon Inspector, which also covers application-language packages and keeps rescanning stored images as new vulnerabilities are published. With scan-on-push enabled, ECR scans an image as it is pushed, and the findings are available through the console, the API and EventBridge events, so developers can act on them before the image is deployed. AWS Security Hub does not perform scans; it aggregates the resulting findings.

Amazon Inspector

Introduction to Amazon Inspector

Amazon Inspector is an automated vulnerability management service. It continually discovers Amazon EC2 instances, container images in Amazon ECR and AWS Lambda functions, scans them for software vulnerabilities and unintended network exposure, and prioritizes the findings with a risk score.

How It Integrates with Docker Images

When ECR enhanced scanning is enabled, Amazon Inspector scans each image on push and keeps rescanning stored images as new vulnerabilities are published, so an image that was clean yesterday can acquire findings without anyone pushing it again. Each finding identifies the vulnerable package and version and, where one exists, the version that fixes it, so findings can feed directly into CI gates, ticketing and dashboards.

AWS Security Hub

Role of AWS Security Hub in Managing and Monitoring Security Alerts

AWS Security Hub gives a single view of security findings and compliance status across AWS accounts and Regions. It aggregates findings from AWS services such as Amazon Inspector (which carries the ECR enhanced-scan findings), Amazon GuardDuty and Amazon Macie, and from partner products, and presents them in one dashboard in a common finding format.

Integration with Other AWS Services for a Comprehensive Security Overview

Its integrations with Amazon Inspector, Amazon GuardDuty, AWS Config and others give a consolidated view of the environment's security posture and, through EventBridge, allow response actions to be automated.

Setting Up Automated Security Scanning

Pre-requisites

AWS Account Setup

You need to ensure you have an AWS account with the appropriate permissions required to access and configure services like Amazon ECR, Amazon Inspector, and AWS Security Hub.

Necessary Permissions and Roles

Create IAM roles for the CI system and for developers with permissions for ECR, Inspector and Security Hub. The policy below covers the whole image workflow: authenticating to the registry, pushing layers, starting a scan and reading its results. ecr:GetAuthorizationToken only works with Resource "*"; every other action can be scoped to the repository ARN, and should be, rather than granted on "*". Replace the region, account ID and repository name with your own:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RegistryLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PushAndReadScans",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:StartImageScan",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/my-repo"
    }
  ]
}

Configuring Amazon ECR for Security Scanning

Steps to Enable Image Scanning in Amazon ECR

Create an ECR Repository:

aws ecr create-repository --repository-name my-repo

Enable Image Scanning on push (this is basic scanning; the same setting can be given at creation time with --image-scanning-configuration scanOnPush=true, and enhanced scanning is configured at the registry level, as described under Amazon Inspector below):

aws ecr put-image-scanning-configuration --repository-name my-repo --image-scanning-configuration scanOnPush=true

Managing Scan Results and Interpreting Findings

Retrieve scan findings with the following command. The image can also be addressed by imageDigest=sha256:..., which is the safer choice because a tag such as latest can be moved to a different image after it was scanned; the CLI's image-scan-complete waiter blocks until a scan has finished, so a script does not read results from a scan that is still IN_PROGRESS:

aws ecr describe-image-scan-findings --repository-name my-repo --image-id imageTag=latest

Each finding names the vulnerability, its severity and a reference URL and lists, in its attributes, the affected package and version; findingSeverityCounts gives the totals per severity.
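Reading the findings is only useful if something decides on them. The script below is an added example written for this article, not code from the original post or from AWS: it consumes the JSON that aws ecr describe-image-scan-findings prints and turns it into an ALLOW, BLOCK or RETRY verdict. The response fields it reads (imageScanStatus.status, imageScanFindings.findingSeverityCounts and findings[].name/severity/attributes) are those of ECR basic scanning; the policy (no CRITICAL findings, at most N HIGH, with an explicit allow-list for accepted risks), the sample response and the function names are assumptions. Enhanced scanning returns its details under enhancedFindings instead, which this example does not parse.

```python
"""Decide whether an image may be deployed from `aws ecr describe-image-scan-findings` output.

Added example for this article, not code from the original post or from AWS.
The policy, the sample response and the placeholder finding ids are assumptions.
"""
import json
import sys

# Constructed sample, trimmed to the fields used here; the finding ids are placeholders.
SAMPLE_RESPONSE = {
    "repositoryName": "my-repo",
    "imageId": {"imageTag": "latest", "imageDigest": "sha256:" + "0" * 64},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 1},
        "findings": [
            {"name": "EXAMPLE-CRIT-1", "severity": "CRITICAL", "uri": "https://example.invalid/crit-1",
             "attributes": [{"key": "package_name", "value": "libfoo"}, {"key": "package_version", "value": "1.0-1"}]},
            {"name": "EXAMPLE-HIGH-1", "severity": "HIGH", "uri": "https://example.invalid/high-1",
             "attributes": [{"key": "package_name", "value": "libbar"}, {"key": "package_version", "value": "2.3-4"}]},
            {"name": "EXAMPLE-MED-1", "severity": "MEDIUM", "uri": "https://example.invalid/med-1",
             "attributes": [{"key": "package_name", "value": "libbaz"}, {"key": "package_version", "value": "0.9"}]},
        ],
    },
}


def finding_attr(finding, key):
    """Read one key from a finding's attributes list (package_name, package_version, ...)."""
    return next((a["value"] for a in finding.get("attributes", []) if a.get("key") == key), None)


def evaluate_scan(response, max_high=0, allowlist=frozenset()):
    """Return {"verdict": ALLOW | BLOCK | RETRY, "reasons": [...], "blocking": [...]}."""
    status = response.get("imageScanStatus", {}).get("status")
    if status in ("PENDING", "IN_PROGRESS"):
        return {"verdict": "RETRY", "reasons": [f"scan status {status}"], "blocking": []}
    if status != "COMPLETE":
        # FAILED, UNSUPPORTED_IMAGE, ...: an image that could not be scanned is not a clean image
        return {"verdict": "BLOCK", "reasons": [f"scan status {status}"], "blocking": []}

    by_severity = {"CRITICAL": [], "HIGH": []}
    for finding in response.get("imageScanFindings", {}).get("findings", []):
        if finding["name"] in allowlist or finding["severity"] not in by_severity:
            continue                                      # accepted risk, or below the gate
        by_severity[finding["severity"]].append({
            "id": finding["name"],
            "severity": finding["severity"],
            "package": finding_attr(finding, "package_name"),
            "version": finding_attr(finding, "package_version"),
        })

    reasons = []
    if by_severity["CRITICAL"]:
        reasons.append(f"{len(by_severity['CRITICAL'])} CRITICAL finding(s)")
    high_over = len(by_severity["HIGH"]) > max_high
    if high_over:
        reasons.append(f"{len(by_severity['HIGH'])} HIGH finding(s), limit {max_high}")
    blocking = by_severity["CRITICAL"] + (by_severity["HIGH"] if high_over else [])
    return {"verdict": "BLOCK" if reasons else "ALLOW", "reasons": reasons, "blocking": blocking}


if __name__ == "__main__":
    # Pipe the CLI output in:  aws ecr describe-image-scan-findings ... | python gate.py
    result = evaluate_scan(json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE)
    for item in result["blocking"]:
        print(f"{item['severity']:8} {item['id']}  {item['package']} {item['version']}")
    print(result["verdict"], "; ".join(result["reasons"]))
    sys.exit({"ALLOW": 0, "BLOCK": 1, "RETRY": 2}[result["verdict"]])
```

The exit codes make it usable straight from a build step: 0 lets the stage continue, 1 fails it, and 2 tells a wrapper to wait and try again. Keep the allow-list in version control with a justification and an expiry date per entry; an allow-list that only grows is how accepted risk turns back into unknown risk.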

Integrating Amazon Inspector

Setting Up Amazon Inspector to Scan Docker Images

The assessment-target, assessment-template and assessment-run workflow belongs to Amazon Inspector Classic, which assesses EC2 instances through an agent and does not scan container images. The current Amazon Inspector (the inspector2 API) scans ECR images itself once it is enabled for the account; ECR refers to this as enhanced scanning.

Enable Amazon Inspector for ECR in the account:

aws inspector2 enable --resource-types ECR

Switch the registry from basic to enhanced scanning, scanning every repository on push (use CONTINUOUS_SCAN instead of SCAN_ON_PUSH to also rescan stored images as new vulnerabilities are published):

aws ecr put-registry-scanning-configuration --scan-type ENHANCED --rules '[{"scanFrequency":"SCAN_ON_PUSH","repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}]}]'

List the Inspector findings for one repository (describe-image-scan-findings also keeps working and returns the Inspector results under enhancedFindings):

aws inspector2 list-findings --filter-criteria '{"ecrImageRepositoryName":[{"comparison":"EQUALS","value":"my-repo"}]}'

Automating the Inspection Process Through AWS Lambda or Other Services

With enhanced scanning there is nothing to trigger: Amazon Inspector scans each image when it is pushed and, with CONTINUOUS_SCAN, rescans it as new vulnerabilities are published. Automation belongs on the other side of the scan. Have Amazon EventBridge invoke an AWS Lambda function on the ECR scan-complete event, or on Inspector finding events, so that the function can gate a pipeline, open a ticket or notify a channel based on what was found.

Utilizing AWS Security Hub for Alerts and Reports

Configuring AWS Security Hub

Enable Security Hub:

aws securityhub enable-security-hub

Integrate Findings from Other Services

Security Hub receives Amazon Inspector findings through its Inspector product integration; check that it is enabled, or enable it with enable-import-findings-for-product using the product ARN arn:aws:securityhub:<region>::product/aws/inspector. Basic ECR scan findings are not a Security Hub source on their own; with enhanced scanning, the image findings reach Security Hub through Amazon Inspector.

Integrating Scan Results from Amazon ECR and Amazon Inspector

Security Hub aggregates the findings from these services into one view. Review them in the console or with the AWS CLI (securityhub get-findings, filtered by product or severity) and act on them; as each finding is handled, set its workflow status to NOTIFIED, SUPPRESSED or RESOLVED so the dashboard reflects what is still open.

Continuous Security Integration in CI/CD Pipelines

Overview of CI/CD and Security Integration

Importance of Integrating Security Checks into CI/CD Pipelines

Integrating security scans into CI/CD pipelines catches vulnerable images early, while they are cheapest to fix, and stops a known-bad image from ever reaching production.

Benefits of Early Vulnerability Detection

Early detection will save time and cost associated with fixing security issues post-deployment. It also ensures security standards are adhered to right from the beginning.

Setting Up a CI/CD Pipeline with AWS CodePipeline

Introduction to AWS CodePipeline

AWS CodePipeline is an AWS continuous integration and continuous delivery service that automates the build, test and deploy phases of your release process.

Basic Pipeline Setup for Building and Deploying Docker Images

Create a CodePipeline

aws codepipeline create-pipeline --pipeline file://pipeline-config-file.json

Pipeline Configuration

The configuration file (e.g., pipeline-config-file.json) holds the pipeline structure: its name, the roleArn CodePipeline assumes, the artifactStore S3 bucket, and the stages for source, build, test (including security scans) and deploy. Because the ECS deploy action reads an imagedefinitions.json file from its input artifact, the CodeBuild project must produce one that names the image tag, or better the digest, that was scanned.

Integrating Security Scans in the Pipeline

Adding Security Scanning Stages to the Pipeline

Add stages in the pipeline configuration to scan Docker images using ECR and Inspector.

{
  "stages": [
    {
      "name": "Source",
      "actions": [
        {
          "name": "SourceAction",
          "actionTypeId": { "category": "Source", "owner": "AWS", "provider": "CodeCommit", "version": "1" },
          "configuration": { "RepositoryName": "MyRepo", "BranchName": "main" },
          "outputArtifacts": [ { "name": "SourceOutput" } ]
        }
      ]
    },
    {
      "name": "Build",
      "actions": [
        {
          "name": "BuildAction",
          "actionTypeId": { "category": "Build", "owner": "AWS", "provider": "CodeBuild", "version": "1" },
          "configuration": { "ProjectName": "MyBuildProject" },
          "inputArtifacts": [ { "name": "SourceOutput" } ],
          "outputArtifacts": [ { "name": "BuildOutput" } ]
        }
      ]
    },
    {
      "name": "SecurityScan",
      "actions": [
        {
          "name": "SecurityScanAction",
          "actionTypeId": { "category": "Invoke", "owner": "AWS", "provider": "Lambda", "version": "1" },
          "configuration": { "FunctionName": "MySecurityScanFunction" },
          "inputArtifacts": [ { "name": "BuildOutput" } ],
          "outputArtifacts": []
        }
      ]
    },
    {
      "name": "Deploy",
      "actions": [
        {
          "name": "DeployAction",
          "actionTypeId": { "category": "Deploy", "owner": "AWS", "provider": "ECS", "version": "1" },
          "configuration": { "ClusterName": "MyCluster", "ServiceName": "MyService" },
          "inputArtifacts": [ { "name": "BuildOutput" } ]
        }
      ]
    }
  ]
}

Automating Actions Based on Scan Results

Make the pipeline stop when the scan fails policy. A Lambda invoke action does not pass or fail on its own: the function must report back to CodePipeline with put-job-success-result or put-job-failure-result, and a failure result halts the stage, so only images that passed the gate reach the Deploy stage. Gate on the image digest rather than a mutable tag such as latest, so the image that gets deployed is the one that was scanned.
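The gate itself, as an added example written for this article rather than code from the original post or from AWS: a Lambda function for the SecurityScan action above that reads the ECR scan results, decides, and reports the job outcome to CodePipeline, including the continuation-token mechanism CodePipeline uses to re-invoke a function whose work is not finished yet. It assumes the action's UserParameters setting holds JSON such as {"repository": "my-repo", "tag": "latest"} (the pipeline JSON above does not set it), and a policy of no CRITICAL and no HIGH findings based on findingSeverityCounts. The Fake* classes and sample_event are constructed so the file runs offline; inside Lambda, the handler creates boto3 clients itself.

```python
"""Lambda behind the pipeline's SecurityScan action: gate on ECR scan results and report
the job outcome back to CodePipeline.

Added example for this article, not code from the original post or from AWS. UserParameters
format, the severity policy and the Fake* clients are assumptions for this example.
"""
import json

BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")
MAX_WAITS = 20          # re-invocations to allow while a scan is still IN_PROGRESS


def decide(scan_status, severity_counts):
    """Map an ECR scan status plus per-severity counts to (PASS | FAIL | WAIT, reason)."""
    if scan_status in ("PENDING", "IN_PROGRESS"):
        return "WAIT", f"scan status {scan_status}"
    if scan_status != "COMPLETE":
        return "FAIL", f"scan status {scan_status}"
    bad = {s: n for s, n in severity_counts.items() if s in BLOCKING_SEVERITIES and n}
    if bad:
        return "FAIL", "blocking findings: " + ", ".join(f"{s}={n}" for s, n in sorted(bad.items()))
    return "PASS", "no CRITICAL or HIGH findings"


def lambda_handler(event, context, ecr=None, codepipeline=None):
    """Entry point for a CodePipeline 'Invoke' action of provider 'Lambda'."""
    if ecr is None or codepipeline is None:
        import boto3                                     # only reached inside Lambda
        ecr = ecr or boto3.client("ecr")
        codepipeline = codepipeline or boto3.client("codepipeline")

    job = event["CodePipeline.job"]
    job_id = job["id"]
    data = job["data"]
    params = json.loads(data["actionConfiguration"]["configuration"]["UserParameters"])
    # CodePipeline hands the continuationToken back on each re-invocation; use it as a poll counter
    attempts = json.loads(data.get("continuationToken") or "{}").get("attempts", 0)

    try:
        resp = ecr.describe_image_scan_findings(
            repositoryName=params["repository"], imageId={"imageTag": params["tag"]})
        verdict, reason = decide(
            resp["imageScanStatus"]["status"],
            resp.get("imageScanFindings", {}).get("findingSeverityCounts", {}))
    except Exception as exc:                             # an API error must fail the job, not vanish
        verdict, reason = "FAIL", f"could not read scan results: {exc}"

    if verdict == "WAIT" and attempts < MAX_WAITS:
        codepipeline.put_job_success_result(
            jobId=job_id, continuationToken=json.dumps({"attempts": attempts + 1}))
    elif verdict == "PASS":
        codepipeline.put_job_success_result(jobId=job_id)
    else:
        if verdict == "WAIT":
            reason = f"scan still not complete after {attempts} polls"
        verdict = "FAIL"
        codepipeline.put_job_failure_result(
            jobId=job_id, failureDetails={"type": "JobFailed", "message": reason[:5000]})
    return {"verdict": verdict, "reason": reason}


# ---- offline stand-ins for the boto3 clients (constructed for this example) ----
class FakeEcr:
    def __init__(self, response):
        self.response = response

    def describe_image_scan_findings(self, **kwargs):
        return self.response


class FakeCodePipeline:
    """Records the result calls the handler makes instead of calling AWS."""
    def __init__(self):
        self.calls = []

    def put_job_success_result(self, **kwargs):
        self.calls.append(("success", kwargs))

    def put_job_failure_result(self, **kwargs):
        self.calls.append(("failure", kwargs))


def sample_event(continuation_token=None):
    """Shape of the event CodePipeline sends to a Lambda invoke action (constructed)."""
    data = {"actionConfiguration": {"configuration": {
        "FunctionName": "MySecurityScanFunction",
        "UserParameters": json.dumps({"repository": "my-repo", "tag": "latest"})}}}
    if continuation_token is not None:
        data["continuationToken"] = continuation_token
    return {"CodePipeline.job": {"id": "job-1", "data": data}}


def run_offline(scan_response, continuation_token=None):
    """Run the handler against fake clients; returns (handler result, recorded pipeline calls)."""
    pipeline = FakeCodePipeline()
    result = lambda_handler(sample_event(continuation_token), None,
                            ecr=FakeEcr(scan_response), codepipeline=pipeline)
    return result, pipeline.calls
```

The function's execution role needs ecr:DescribeImageScanFindings on the repository plus codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult; without the latter two the action hangs until CodePipeline times it out rather than failing cleanly. In a real pipeline, pass the digest the build stage recorded in imagedefinitions.json instead of a tag.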

Advanced Topics and Best Practices

Using Third-Party Tools

Overview of Third-Party Security Tools Compatible with AWS

Several third-party tools can extend what the native AWS scanning provides, for example with runtime protection or policy-as-code:

  • Aqua Security: a commercial container-security platform covering image scanning, compliance checks and runtime protection.
  • Twistlock: vulnerability management and runtime protection for containers, now sold as part of Palo Alto Networks Prisma Cloud.
  • Clair: an open-source static analyzer for vulnerabilities in container images, and the engine that ECR basic scanning was originally built on.

Integrating Third-Party Tools with AWS Services

These tools plug into an AWS environment in the same places the native services do: as a step in the CI/CD pipeline that scans the image before it is pushed, as a scanner pointed at the ECR registry through its API, or as an agent on the ECS or EKS hosts for runtime protection. Many of them can also publish their findings to Security Hub so that all results land in one dashboard.

Monitoring and Incident Response

Setting Up Alerts and Notifications for Security Incidents

Use Amazon EventBridge (formerly CloudWatch Events) with an Amazon SNS topic as the rule target to get real-time notifications. The event pattern below matches ECR scan events for scans that completed and for scans that failed; a failed scan means an unscanned image is sitting in the registry, which is worth an alert of its own:

{
  "source": ["aws.ecr"],
  "detail-type": ["ECR Image Scan"],
  "detail": {
    "scan-status": ["COMPLETE", "FAILED"]
  }
}
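An SNS topic as the direct target delivers the raw event, which few people want to read at 3 a.m. The Lambda function below, an added example written for this article and not code from the original post or from AWS, sits between the rule and the topic: it reads the ECR scan event, stays silent for clean images, and publishes a short subject and body when a count crosses a threshold or the scan failed. The detail fields it reads (scan-status, repository-name, image-digest, image-tags, finding-severity-counts) are those ECR emits; the sample event, the thresholds and the TOPIC_ARN environment variable are assumptions, and publish() is injected so the file runs offline.

```python
"""Turn an ECR "ECR Image Scan" EventBridge event into an SNS alert.

Added example for this article, not code from the original post or from AWS.
The sample event, thresholds and TOPIC_ARN variable are assumptions.
"""
import os

# Constructed sample event, in the shape the rule above delivers to its target.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "region": "us-west-2",
    "account": "123456789012",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "my-repo",
        "image-digest": "sha256:" + "0" * 64,
        "image-tags": ["latest", "v1.4.2"],
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "LOW": 12},
    },
}

ALERT_THRESHOLDS = {"CRITICAL": 0, "HIGH": 0}   # alert when a count exceeds its threshold


def describe_image(detail):
    """Human-readable image reference: repo@short-digest plus tags."""
    tags = detail.get("image-tags") or ["<untagged>"]
    return f"{detail['repository-name']}@{detail['image-digest'][:19]} tags={','.join(tags)}"


def build_alert(event, thresholds=ALERT_THRESHOLDS):
    """Return (subject, body) for SNS, or None when nobody needs to be paged."""
    detail = event["detail"]
    image = describe_image(detail)
    status = detail.get("scan-status")
    if status != "COMPLETE":
        # a failed scan leaves an unscanned image in the registry: that deserves a look
        return (f"[ECR scan {status}] {detail['repository-name']}",
                f"Scan status {status} for {image} in {event['account']}/{event['region']}")
    counts = detail.get("finding-severity-counts", {})
    over = {s: counts.get(s, 0) for s, limit in thresholds.items() if counts.get(s, 0) > limit}
    if not over:
        return None
    subject = f"[ECR scan] {detail['repository-name']}: " + " ".join(f"{s}={n}" for s, n in over.items())
    body = "\n".join([
        f"Image: {image}",
        f"Account/region: {event['account']}/{event['region']}",
        "Findings by severity:",
        *(f"  {s}: {n}" for s, n in sorted(counts.items())),
    ])
    return subject[:100], body          # SNS subjects are limited to 100 characters


def lambda_handler(event, context, publish=None):
    """EventBridge target. publish(subject, body) defaults to SNS Publish on TOPIC_ARN."""
    if publish is None:
        import boto3                      # only reached inside Lambda
        sns, topic = boto3.client("sns"), os.environ["TOPIC_ARN"]
        publish = lambda subject, body: sns.publish(TopicArn=topic, Subject=subject, Message=body)
    alert = build_alert(event)
    if alert is not None:
        publish(*alert)
    return {"alerted": alert is not None, "subject": alert[0] if alert else None}
```

The function's role needs sns:Publish on the topic and nothing else. Keep the thresholds per environment: a CRITICAL in a development repository may only warrant a ticket, while the same finding in the production repository should page someone.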

Best Practices for Incident Response and Remediation

Develop a response plan for a compromised or vulnerable image that covers:

  • Immediate Isolation: Isolate the compromised containers.
  • Investigation: Analyzing the incident to find root causes.
  • Remediation: Apply patches and updates, reconfigure security settings.
  • Documentation: Document the incident and response actions for future reference.

Compliance and Reporting

Ensuring Compliance with Security Standards

Compliance with standards such as the CIS Benchmarks and PCI DSS can be tracked with the tools above: AWS Config rules evaluate resource configuration continuously, and Security Hub's security standards run automated checks and score the account against them. Periodic audits on top of these automated checks keep compliance continuous rather than a once-a-year event.

Generating and Managing Security Reports

Security reports can be created in detail using the tools from AWS. The Security Hub provides detailed compliance reports, and Inspector provides findings in detail along with remediation suggestions.

Case Study: Implementing Automated Security Scanning in a Real-World Scenario

Background and Requirements

A fintech company needs a secure CI/CD pipeline for its microservices architecture. Its key requirements:

  • No Docker image with unaccepted known vulnerabilities reaches deployment.
  • The pipeline must demonstrably meet industry security standards.
  • Security scanning must be automated as part of the CI/CD pipeline, not a manual step.

Solution Design and Implementation

Detailed Steps of Designing the Automated Security Scanning Solution

  • ECR Setup with Security Scanning: Enable scan-on-push for all repositories.
  • Inspector Integration: Automate security assessments for Docker images.
  • Security Hub Configuration: Centralize all security findings and compliance checks.
  • CI/CD Pipeline Integration: Include stages for security scanning in the CodePipeline.

Implementation Details, Including Configurations and Scripts

  • ECR and Inspector Integration: Utilize Lambda to trigger Inspector scans with an image push event.
  • Pipeline Configuration: Update pipeline JSON to account for security scan stages.
  • Security Hub Configuration: Enable and configure Security Hub to aggregate findings.

Results and Lessons Learned

Outcomes of Implementing the Solution

  • More Secure: Early identification of vulnerabilities decreased security incidents by 80%.
  • Compliance: Always remained compliant with industry standards.
  • Automation: The need for manual intervention was drastically reduced, saving both time and resources.

Lessons Learned and Recommendations for Other Organizations

  • Proactive Monitoring: Monitor security findings at regular intervals and act proactively.
  • Continuous Improvement: Continually revisit and refine security practices.
  • Employee Training: All team members must be trained on the best practices about security.

Conclusion

Automating security scanning of Docker images on AWS is essential for keeping applications secure and compliant. Amazon ECR, Amazon Inspector and AWS Security Hub cover the scanning, the continuous reassessment of stored images, and the central view of findings respectively. Container security tooling continues to improve in how threats are detected and prioritized, including the use of machine learning to rank which vulnerabilities are actually exploitable. Add automated scanning to your Docker workflows today, and use these services to build a robust, scalable security pipeline.
