Choosing solutions for container security on AWS.



Even the best security measures can’t prevent all security incidents. With the right tools, you can detect and respond to incidents quickly. The problem is not anymore that you have no tools at hand but that you have too many. How do you choose the right one?

Eliciting Requirements

The Task - nonfunctional requirements

An application needs data from the internal network. Because of the licensing restrictions, it is impossible to deploy using different AWS accounts. The application should run on containers in the AWS cloud.

The main requirement is that 24x7 operational monitoring detects possible problems and alerts a SOC team. The SOC team should be able to react to incidents and get a detailed overview of the application’s security status.

This is a tiny little bit simplified to show the decision process.

Breakdown of requirements

ID  Requirement
1  Containerized application
2  Single AWS account deployment
3  24x7 operational monitoring
4  Detailed overview of security status
5  Alerting the SOC team

So many options

cake

So, as an AWS builder, you have many presents on a birthday. You have many options to choose from, but you have to choose wisely.

Container

The main philosophical battle for running containers on AWS is using EKS, which stands for Kubernetes or ECS. If you just look at the pros and cons, it becomes simple at first glance.

Feature  EKS  ECS
Cost  High  Low
Existing knowledge  High  High
Complexity  High  Low
Running multiple workloads  Yes  No
Container Start time  Low  High

Making decisions based on such a table is fundamentally wrong and leads to wrong decisions. You have to add the weighing of the feature anditsits applicability.

And the features should be measurable with a defined metric.

Let’s add the missing data and discuss one point as an example:

Feature  EKS  ECS  Weight  Applicable
Cost  High  Low  20%  Yes
Exsting knowledge  High  High  50%  Yes
Complexity  High  Low  30%  Yes
Running multipe workloads  Yes  No  0  No
Container Start time  Low  High  0  No

So, first, let’s look at the cost. EKS costs about $80 per month just for the management nodes. ECS does not need extra EC2 instances.

But in most projects, 80$ a month is neglectable. So the cost is no factor. With knowledge of both technologies, this factor is also not relevant.

Feature  EKS  ECS  Weight  Applicable
Complexity  High  Low  100%  Yes

In a nutshell, if you run a single workload on an AWS account, ECS is much simpler.

Single AWS account deployment

The preferred way to separate development stages like development, testing and production is to use different AWS accounts.

If that is not feasible due to restrictions, you should at least use different VPCs. You can restrict access to the different VPCs with a proper IAM setup. So, the solution is not less secure than the multi-account setup. It is just more complex.

Connection to an internal network

If you need to connect to an internal network, you must use a VPN or a Direct Connect (DX). Direct Connect is only required if you have lots of data and need a dedicated line.

To connect to a VPN, you could use DX to single VPCs. The more powerful solution is an AWS transit gateway, which allows VPN access to multiple VPCs at once.

Simplified Architecture so far

architecture

Security requirements

Again, the problem is more having too many options. To define a technical and organisational security architecture, we have to widen the scope from the single application to the whole company.

Most larger companies have a security response team that deals with several technologies. Again, one question to ask is, “Do they know AWS?”

I invite you to do a little experiment for the other main question. If you have an AWS account just for evaluation, enable Security Hub and Guard Duty. You will be surprised how many alerts you get.

Options

Just enabling the “AWS Foundational Security Best Practices” will perform all these tests stated here.

As an example of how noisy it really can get, look at this retired control: CloudFormation.1 CloudFormation stacks should be integrated with Simple Notification Service (SNS)

If you enable the SNS integration, you get an SNS topic for EACH resource in the stack. So, if you have a stack with 100 resources, you get 100 SNS topics.

To know whether a control is reasonable, you must know the context and have enough AWS knowledge to decide on actions. With this knowledge, you can adjust the controls to fit your needs.

Solutions

Organisational solutions

ID  Requirement
3  24x7 operational monitoring
4  Detailed overview of security status
5  Alerting the SOC team

security-organisation

With a larger customer with many workloads not only on AWS, an organisation like this is needed and implemented with tecRacer AWS Managed Services.

  1. The noise is filtered
  2. False positives are reduced with a filter
  3. Real issues can be fixed
  4. Dashboards are created to see the health of the whole architecture. Sometimes, with the dawning of new security threads, you do not have a security control yet, but you notice an anomaly in the dashboard.
  5. If customer involvement is needed, the SOC team can react.

Technical solution: enhancing AWS security with Trend micro

AWS services like config, cloudtrail. guardduty are optimized to detect alerts on AWS networks and services. In addition to the network security, you can use Trend Micro to secure the containers. Yes, there is a service like inspector.

Our MSSP team has found, during the years working with security and AWS, that the combination of AWS and Trend Micro is very powerful. In addition to the AWS network scanning, the application itself must be scanned. So, if you have a container with a vulnerability, it will be detected.

Trend Micro

Trend Cloud One - Container Security provides container security on many levels. To understand that sentence, we do a simplified thread analysis.

You can look at the application itself and then expand the scope level by level:

Levels
Level  Security  AWS  Trend Micro Cloud One
1  Application Amazon Inspector  Trend Micro Artifact Scanner
2  Container-Host-Operation System  Amazon Inspector  Runtime security/Runtime vulnerability scanning
3  Inter Container Network  AWS App Mesh  Trend Micro Network Security
4  Container Host  AWS Systems Manager/Inspector Cloud One™ – Conformity
5  AWS Network/VPC  GuardDuty Use VPC Traffic Mirroring to send traffic to Trend Micro Cloud One™ – Conformity
6  Internet  Ensure encrypted data transfer Ensure encrypted data transfer
7  Human   Teach your staff Teach your staff

It would take hours to go into each detail. The general takeaway is that while you have separate services on AWS for each level, Trend Micro Cloud One provides a single pane of glass for all levels.

Summary

Choosing your security solution on AWS depends on many factors.

Diversity of workloads: If you have many different workloads and also different cloud providers, lean towards Cloud One. With AWS only and a single workload, lean towards AWS services.

Security team: If you have an established dedicated security team with deep knowledge and experience in AWS and security, lean towards your own team. If you need experts with experience in AWS and security, lean towards choosing tecRacer MSSP.

The scale of your enterprise: If you have a large enterprise with many workloads, have your response team work together with an external partner. A good security solution requires knowledge in many areas. Being an expert in all areas is not possible.

If you have a single workload, consult with experienced consultants to decide whether it’s feasible to protect it or delegate it to tecRacer MSSP.

Does this look like a sales pitch - yes. But my main statement is that you should not fall into a Dunning-Kruger trap here. Security on AWS is a complex topic, and you should not underestimate it.

If you want to know the state of security on the Internet, try this little experiment: Set up an unprotected Web Server with a public IP on an EC2 instance and look at the logs. When will the first attack happen?

What’s next?

If you need MSP or MSSP Hosting for your AWS workloads, don’t hesitate to contact us at tecRacer.

Thanks for reading. Enjoy building!

Similar Posts You Might Enjoy

From EC2 to C6 - Clear Compliance Chaos with clear Customer Collaboration with MSSP

To battle security compliance is a challenge, which is besten solved as a team sport. We show you some solutions to win this tug of war, like knowing not only the technical, but also the psychological aspects of the game. This is the way our MSSP works together with you. - by Gernot Glawe

Creating an Alarm to Detect Usage of a Pending Deletion KMS Keys and AWS Secrets

In cloud computing, security is a critical concern. While AWS provides backup solutions for many resources, custom configurations often require additional protection. Two key services, AWS Key Management Service (KMS) and AWS Secrets Manager, don’t offer direct backup options. However, they implement a deletion grace period— by default 30 days and this is the maximum — allowing for potential restoration. - by Alexey Vidanov

From fragile to formidable: How to detect, fix and prevent container vulnerabilities with Inspector and Docker Scout

A webserver running on a container. Sound simple. Let`s dive deeper into how your architecture choices affect application security. I use docker scout for the container and show how Amazon Inspector can serve as a general-purpose security tool. - by Gernot Glawe