
AWS containers: Fundamentals and best practices


What are containers?

In this modern era of cloud computing, containers play an important role in revolutionizing the way we develop, deploy, and manage applications. As isolated environments, containers provide a portable solution to package an app with all its dependencies into a single unit that can run across multiple computing environments in a deterministic way.

At their core, containers encapsulate the application code and runtime, system tools, dependencies, and settings that enable the application to operate in the same way across multiple environments. In contrast to virtual machines (VMs), each of which has its own operating system, containers share the host operating system’s kernel. This makes containers lightweight, with shorter startup times. It also facilitates fast development, scalability, and increased flexibility when developing microservices architectures and cloud-native applications.

Containers in AWS

As a cloud provider, Amazon offers two main services that let you run or orchestrate containerized workloads: Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS). 

ECS is a fully managed solution that provides a secure, scalable, and reliable way to orchestrate containers. Within ECS, users can run containers using AWS Fargate or EC2. AWS Fargate gives users a fully managed solution to run their containerized workloads, while EC2 gives you control over the underlying infrastructure.

EKS is also a fully managed service, but it allows users to run containerized workloads on Kubernetes.

When choosing between ECS and EKS, you’ll need to consider your budget, application requirements, familiarity with Kubernetes, etc. In short, if you’re looking for a managed service with better integration with other AWS services, choose ECS. But if you want more control, flexibility, and the benefit of the Kubernetes ecosystem, then go with EKS.

Amazon also offers Elastic Container Registry (ECR) for managing the storage and encryption of container images. ECR stores images in a compressed format and lets users share them securely via an HTTPS connection.

Figure 1: Simple representation of container services in AWS

What is container orchestration?

With the rise of microservices architecture, the development and deployment of scalable containerized apps have grown extensively. In a distributed system, multiple containers need to be managed, scaled, and orchestrated with minimal human intervention. Performing these tasks manually, such as in a production environment, is cumbersome and error-prone.

In response, container orchestration platforms started emerging that offered automated solutions to deploy and manage containers at scale. Some of the most important features included service discovery, rolling deployments, automatic load balancing, and autoscaling. But it was Google’s 2014 release of the open-source Kubernetes project that really shaped how modern container orchestration platforms work. 

Today, platforms such as Docker Swarm, Amazon ECS, Amazon EKS, and Kubernetes are widely used by organizations for container orchestration. These solutions streamline and efficiently run production workloads across single or multiple cloud-native environments.

ECS as a container orchestration tool

Amazon ECS is the native container orchestration platform for AWS. Aside from its smooth integration with other AWS services, some key features include:

  • Managed clusters: As a managed service, ECS simplifies the handling of containers by abstracting the underlying infrastructure. It can automatically provision and scale clusters depending on the running workload.

  • Task definition: ECS uses a declarative way of specifying container configurations, network settings, and resource requirements, usually in a YAML format. These definitions act as a blueprint and enable ECS to maintain a desired state according to the specified configuration, ensuring consistency and reliability.

  • Service definition: A service is a higher-level construct that allows users to run and maintain a desired number of task instances simultaneously. To define a service, you need to specify the task definition, the desired number of tasks, configurations for deployment strategies, load balancing, autoscaling, etc.

  • Security: Amazon ECS integrates identity and access management (IAM) to provide a fine-grained access control mechanism for secured container operations and data protection.

  • AWS service integration: As noted, ECS enjoys effortless integration with other AWS services including Elastic Load Balancing, AWS CloudFormation, Amazon IAM, and Amazon CloudWatch. This enables a comprehensive container orchestration and monitoring solution within your AWS ecosystem.

How Kubernetes helps with container orchestration

As an open-source container orchestration platform, Kubernetes automates the deployment, scaling, and management of containerized apps. It provides a unified, cloud-agnostic platform for running container workloads across hybrid and multi-cloud environments. 

With a declarative configuration style via YAML files, a.k.a. manifest files, it ensures applications run reliably and efficiently with self-healing capabilities. Some other key features of Kubernetes include:

  • Rolling updates and rollbacks: This allows users to deploy and update applications in production with little or no downtime. In case of any issues, Kubernetes automatically rolls back to the previous working version, ensuring application stability.

  • Health checks: Kubernetes continuously monitors the status of pods using probes. Readiness probes determine if the pod is ready to accept traffic, while liveness probes detect if a pod is unhealthy and needs a restart.

  • Load balancing: The platform provides a service endpoint for all its pods within the same service, abstracting away the pod endpoints. K8s automatically load-balances traffic across multiple pods using its service discovery and ensures optimal performance and reliability.

  • Storage orchestration: Although pods are ephemeral, there’s built-in support for dynamically provisioning and mounting storage volumes to pods. This enables stateful applications to persist data across multiple pods without the risk of losing data when a pod restarts.

  • Extensibility and open-source ecosystem: With a vibrant open-source community, Kubernetes is highly extensible and configurable via numerous third-party operators. For example, Helm, a package manager for Kubernetes, takes care of application packaging, version and dependency management, templating, etc.

Container runtime and security

To run containers, you need a container runtime, which is responsible for the execution and management of containers on the host operating system. It is primarily responsible for: 

  • Creating and executing the container images in isolation

  • Pulling and storing images from a registry

  • Managing the container lifecycle

  • Networking

  • Security and monitoring

Some examples of popular container runtimes are Docker Engine, containerd, CRI-O, Rocket, and crun.

Dealing with container runtime security is often a challenge in production environments, as both the runtime and images are prone to vulnerabilities and attacks. Although not an exhaustive list, some common security concerns for container runtime are highlighted below.

Kernel vulnerabilities

Since containers share the kernel of the host operating system, they’re prone to kernel-level vulnerabilities. Hackers can exploit these in one container, leading to other containers running on the same OS being compromised as well.

Image vulnerabilities

Sometimes container images have a vulnerable dependency that an attacker may leverage during runtime to execute malicious code or compromise other containers. 

Insecure configuration

Allowing improper access control or using root users in containers increases the attack surface of container images. A hacker can take over administrative privileges from such a configuration and gain unauthorized access or disrupt other applications.

To mitigate the above challenges, developers have to make sure the runtime and all other associated components are up-to-date with the latest security patches. The right strategies, proper use of security tools, and best practices are key to keeping your container runtimes secure and healthy. Container security scanning, runtime monitoring, vulnerability management, and access control mechanisms will all help reduce the probability of security breaches.
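The insecure-configuration concern above can be checked before a workload ever runs. The following is an added example, not code from the original article: a static audit of an ECS task definition for root users, privileged mode, writable root filesystems, added capabilities, and host networking. The field names follow the ECS RegisterTaskDefinition API; the sample task definition and the function name are constructed for illustration.

```python
# Added example (not from the original article). The sample task definition is
# constructed; field names follow the ECS RegisterTaskDefinition API.

def audit_task_definition(task_def):
    """Return a sorted list of (container_name, finding) tuples."""
    findings = []
    if task_def.get("networkMode") == "host":
        findings.append(("<task>", "host network mode"))
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("privileged"):
            findings.append((name, "privileged container"))
        # An unset user falls back to the image default, which is often root.
        user = str(c.get("user") or "").split(":")[0]
        if user in ("", "0", "root"):
            findings.append((name, "runs as root or image-default user"))
        if not c.get("readonlyRootFilesystem"):
            findings.append((name, "writable root filesystem"))
        linux = c.get("linuxParameters") or {}
        caps = (linux.get("capabilities") or {}).get("add") or []
        if caps:
            findings.append((name, "adds capabilities: " + ",".join(sorted(caps))))
    return sorted(findings)


# Constructed sample: one hardened container and one risky sidecar.
SAMPLE_TASK_DEF = {
    "family": "web",
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {"name": "app", "image": "example/app:1.4.2", "user": "1000:1000",
         "readonlyRootFilesystem": True},
        {"name": "sidecar", "image": "example/agent:2.0", "privileged": True,
         "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}}},
    ],
}

if __name__ == "__main__":
    for name, finding in audit_task_definition(SAMPLE_TASK_DEF):
        print(f"{name}: {finding}")
```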

AWS solutions for enhancing container runtime security

There are several solutions for monitoring container runtime security within the AWS ecosystem:

  • ECS security groups: Like every other service in AWS, ECS allows users to define strict groups to control inbound and outbound traffic to the container instances.

  • EKS network policies: EKS facilitates Kubernetes NetworkPolicies, which enable users to define fine-grained access and network control for pods and services. This lets you isolate container workloads and reduce the potential attack surface.

  • Amazon ECR image scanning: When users push container images to the registry, ECR automatically scans them for vulnerabilities and security issues. You can also integrate scanning as a part of your continuous integration (CI) pipeline to review images before they’re pushed to the registry.

  • Amazon ECR image lifecycle policies: ECR can periodically scan older unused images and automatically clean them. Implementing such policies helps reduce the risk of security vulnerabilities due to outdated or unpatched container images.

  • AWS IAM access control: By leveraging IAM, users can enforce the principle of least privilege to restrict permissions to containerized workloads, thus limiting the scope of unauthorized access and potential security breaches.

By leveraging the above solutions, you can enhance the cloud security posture of your container runtimes within the AWS environment, mitigating risks and ensuring the integrity of your containerized workloads.
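To make the ECR image scanning item actionable in a CI pipeline, the scan result has to become a pass/fail decision. The following is an added example, not code from the original article: a gate that assumes the findings arrive in the shape returned by ECR's DescribeImageScanFindings (for instance from `aws ecr describe-image-scan-findings`). The finding names, the waiver mechanism, and the function name are constructed for illustration.

```python
# Added example (not from the original article). SAMPLE_SCAN is constructed and
# mirrors the shape of an ECR DescribeImageScanFindings response.

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def gate(scan, fail_at="HIGH", waived=()):
    """Return (ok, reasons). Fails closed when the scan did not complete."""
    status = (scan.get("imageScanStatus") or {}).get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, not COMPLETE"]
    threshold = SEVERITY_ORDER.index(fail_at)
    reasons = []
    for f in (scan.get("imageScanFindings") or {}).get("findings") or []:
        sev = f.get("severity", "UNDEFINED")
        # Unknown or UNDEFINED severities rank above CRITICAL, so they block.
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if rank >= threshold and f.get("name") not in waived:
            reasons.append(f"{sev}: {f.get('name')}")
    return (not reasons), sorted(reasons)


# Constructed findings; the names are placeholders, not real advisories.
SAMPLE_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findings": [
        {"name": "EXAMPLE-FINDING-1", "severity": "CRITICAL"},
        {"name": "EXAMPLE-FINDING-2", "severity": "HIGH"},
        {"name": "EXAMPLE-FINDING-3", "severity": "LOW"},
        {"name": "EXAMPLE-FINDING-4", "severity": "UNDEFINED"},
    ]},
}

if __name__ == "__main__":
    ok, reasons = gate(SAMPLE_SCAN, waived={"EXAMPLE-FINDING-2"})
    print("PASS" if ok else "FAIL")
    for r in reasons:
        print("  " + r)
    raise SystemExit(0 if ok else 1)
```

The gate fails closed: a scan that is still in progress or has failed blocks the build instead of passing by default.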

Future trends and considerations

The landscape of container security and orchestration has been continuously evolving over the years, and the ever-changing needs and challenges of cloud-native applications reflect this. Below, we cover some of the major trends we’re seeing today.

Zero trust security

Zero trust security essentially says that no user or service, whether internal or external, should be trusted by default. This is generally adopted by applying stricter access policies regardless of the user’s location or network position. If a container is compromised, the attacker has less surface available for moving laterally to other containers in the network.

Shift-left security

Shifting your security left entails implementing security checks early on in the software development lifecycle. This can be done by running container scanning within CI tools to identify and mitigate container vulnerabilities and issues in IaC configurations, OS dependencies, etc. during the development stage.

As a last line of defense, Kubernetes also provides an admission controller, which acts as an interceptor for validating and processing requests to the API server. It ensures that the submitted request doesn’t contain any malicious information and adheres to the standards or constraints set by the administrator.
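The decision logic of a validating admission webhook, as an added example that is not code from the original article: it takes a Kubernetes `admission.k8s.io/v1` AdmissionReview for a Pod and rejects images that do not come from an approved registry or that use a floating tag. The registry value is a placeholder account and region, and the request, names, and constraint are constructed for illustration; serving this over HTTPS is left out.

```python
# Added example (not from the original article). The registry below is a
# placeholder ECR account/region; SAMPLE_REQUEST is constructed.

ALLOWED_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com/"


def iter_images(pod_spec):
    """Yield (container_name, image) for every container kind in a Pod spec."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(key) or []:
            yield c.get("name", "<unnamed>"), c.get("image", "")


def review(admission_review):
    """Build the AdmissionReview response for a Pod create/update request."""
    req = admission_review["request"]
    spec = (req.get("object") or {}).get("spec") or {}
    problems = []
    for name, image in iter_images(spec):
        if not image.startswith(ALLOWED_REGISTRY):
            problems.append(f"{name}: image not from approved registry")
        elif "@sha256:" not in image:
            # No digest: require an explicit tag other than "latest".
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if tag in ("", "latest"):
                problems.append(f"{name}: image must use a fixed tag or digest")
    resp = {"uid": req["uid"], "allowed": not problems}
    if problems:
        resp["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
                "object": {"kind": "Pod", "spec": {"containers": [
                    {"name": "api", "image": ALLOWED_REGISTRY + "shop/api:2.3.1"},
                    {"name": "debug", "image": "docker.io/library/busybox"},
                    {"name": "worker", "image": ALLOWED_REGISTRY + "shop/worker:latest"},
                ]}}},
}

if __name__ == "__main__":
    print(review(SAMPLE_REQUEST)["response"])
```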

Policy-as-code

Tools such as Kubernetes Policy Controller or Open Policy Agent help define and enforce security policies using a declarative configuration. This enables automated policy enforcement, compliance checks, and governance across your production workloads.

Container vulnerability management

More and more, companies are having to adopt robust vulnerability management. This means implementing a solution for continuously detecting, preventing, and remediating vulnerabilities in a production environment.

Conclusion

Containers are an inevitable part of modern cloud-native microservice architecture, and AWS offers multiple solutions to deploy and run containerized workloads, including Elastic Container Service and Elastic Kubernetes Service. These container orchestration platforms provide a control plane to run multiple container instances in parallel in a distributed environment. But to keep your platform healthy and secure, it’s essential that you also implement proper container security best practices and detect vulnerabilities as early as possible.

Led by an experienced and visionary team, Wiz helps users secure their container runtime in cloud environments, not only for AWS but also other cloud providers such as Google Cloud Platform, Azure, and Linode. Solutions like Wiz Runtime Sensor detect threats in real-time for containerized workloads. 
