Post on 19-Feb-2021
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Omar Paul, Product Manager, Amazon ECR
July 9, 2020
Security Best Practices with Amazon ECR
Agenda
• What is Amazon ECR?
• Container security and where ECR fits
• Access control
• Image assurance
• Artifact trust
• Resource links
Assumptions
ECR, Container Security
Amazon ECR
• Fully managed container registry for Docker and OCI images
• Natively integrated with other AWS services
• ECR handles the undifferentiated heavy lifting
• HTTPS encryption in transit, encrypted images at rest
• And encryption at rest with KMS CMKs has started rolling out!
What is Container Security?
Securing the application lifecycle from Dev to Prod
Build: AWS CodeBuild
Deploy: Amazon ECR (Image Assurance, User Access Control, Artifact Trust)
Run: Amazon EC2, Amazon ECS, Amazon EKS, AWS Fargate, AWS Lambda, VMware Cloud on AWS
Run-time concerns:
• Compliance (Scanning, CIS Benchmarks)
• User Access Control
• Runtime Protection
• Micro-Segmentation: AWS App Mesh
• Secrets Management: AWS KMS
• Logging & Auditing: AWS Security Hub
What role does ECR play?
Deploy: Amazon ECR
• Image Assurance: scan images for vulnerabilities. No additional charge, just use it.
• User Access Control (AWS IAM): who can push and who can pull which resources? Least privilege, periodic reviews, alerts.
• Artifact Trust (Notary v2): how does image signing help? Coming to AWS in 2021.
ECR User Access Control
Best practices for ECR User Access Control
• Use IAM policies to control who can push images
  Use at most the AmazonEC2ContainerRegistryReadOnly managed policy for compute that pulls images to run. Think about who can add and remove container images. 'docker pull' from a client only needs GetAuthorizationToken, BatchGetImage and GetDownloadUrlForLayer.
• Think differently about repositories in different application stages
  Give the AmazonEC2ContainerRegistryPowerUser managed policy only to admins and CI/CD process IAM roles for your staging and production repositories, not to everyone.
• Did you know ECR has IAM resource policies as well?
  If you have lots of repositories, or you add and remove them often, consider a resource policy to control actions. This is easier than updating IAM policies for users and roles to specify multiple repository ARNs.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html
An example from ECR’s own use of ECR
• ECR uses one AWS account for each stage: beta, gamma and prod
• A micro-service has its own repo and deployment pipeline in each stage
• IAM user/role and resource policies control push and pull actions
• Controls tighten from beta to prod
• Each Region has a different set of accounts
• We enable tag immutability by default
• ECR generally thinks about 1 git repo = 1 image repo
How do you think about controls at each stage?
Periodically review your use of IAM for ECR
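A review check for the two slides above, written as an added example (not AWS code): it takes a parsed IAM policy document meant for image-pulling compute and flags anything beyond the three pull actions the deck names, plus repository-scoped actions granted on Resource "*". The sample policies, the account ID and the prod/ repository prefix are constructed.

```python
# Added example, not AWS code. It encodes the deck's rule: compute that only
# runs images needs exactly these three actions and nothing more.
PULL_ONLY_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                     "ecr:GetDownloadUrlForLayer"}
# Actions that add or remove images; reserved for admins and CI/CD roles.
PUSH_OR_DELETE_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload",
                          "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
                          "ecr:BatchDeleteImage", "ecr:DeleteRepository"}
# GetAuthorizationToken is not repository-scoped, so Resource "*" is fine there.
ACCOUNT_LEVEL_ACTIONS = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_pull_role_policy(policy_doc):
    """Review a parsed IAM policy document (dict) attached to a role that
    should only pull images. Returns a list of findings; [] is least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        wild = sorted(a for a in actions if a.endswith("*"))
        if wild:
            findings.append(f"stmt {i}: wildcard action {wild} implies push/delete")
        extra = sorted(actions & PUSH_OR_DELETE_ACTIONS)
        if extra:
            findings.append(f"stmt {i}: push/delete action {extra} on a pull role")
        if (actions - ACCOUNT_LEVEL_ACTIONS - set(wild)) and "*" in resources:
            findings.append(f"stmt {i}: repository-scoped actions on Resource '*'")
    return findings


# Constructed sample: the least-privilege shape for an image-pulling role.
GOOD_PULL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/prod/*"}]}

# Constructed sample: a task role that quietly gained PutImage on every repo.
BAD_PULL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:PutImage"]}]}
```

Run it over the policy documents returned by `aws iam get-policy-version` for your task and node roles as part of the periodic review the slide asks for.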
ECR Image Assurance
Image Assurance (aka ensuring safe images)
Pipeline: Build/test locally -> Version Control -> Trigger Pipeline -> Test/Build -> Push to ECR -> Pull to ECS, EKS
Static vulnerability scanning: at push to ECR
Dynamic, runtime protection: while running on ECS, EKS
ECR Image Scanning
• Static vulnerability scanning
• Identifies software vulnerabilities in container images
• CoreOS Clair project
• Scores vulnerabilities from upstream or CVSS
• Scan on push, or ad hoc
• Gain actionable insights
• ECR Image Scan EventBridge events (formerly CloudWatch Events)
• No additional charge
https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html
{
  "name": "CVE-2019-19814",
  "description": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.",
  "uri": "https://security-tracker.debian.org/tracker/CVE-2019-19814",
  "severity": "CRITICAL",
  "attributes": [
    {
      "key": "package_version",
      "value": "4.19.98-1"
    },
    {
      "key": "package_name",
      "value": "linux"
    }
  ]
}
console:~/ $ aws ecr describe-image-scan-findings --repository-name wordpress --image-id imageTag=latest | jq .imageScanFindings.findingSeverityCounts
{
"HIGH": 5,
"MEDIUM": 50,
"INFORMATIONAL": 216,
"LOW": 44,
"CRITICAL": 2,
"UNDEFINED": 4
}
Example outputs (above): CVE package details example; severity count example. The ECR console scan findings example was a screenshot on the slide.
Best practices for ECR Image Scanning
• Enable scan on push for each repository
  Turn on scan on push (it's free) for every repository. We're testing CloudFormation support as we speak. We're building account-level defaults so you don't have to do it for each repository.
• Process the EventBridge event
  Parse it, at minimum, for CRITICAL and HIGH severities. Notify developers on a dev push. Alert on a staging push and do not promote. Fail the deployment on a production push.
• Scheduled scans for (at least) production images
  Read this blog, use the sample code and trigger a recurring scan for at least your production images. We're being asked to do this natively in ECR.
https://github.com/aws/containers-roadmap/issues/552
https://github.com/aws/containers-roadmap/issues/799
https://github.com/aws/containers-roadmap/issues/565
https://github.com/adamjkeller/ecr-image-scanning-script
https://aws.amazon.com/blogs/containers/amazon-ecr-native-container-image-scanning/
https://github.com/aws/containers-roadmap/issues/564
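The "process the EventBridge event" practice as an added example (not AWS code or the sample repository linked above): a handler that applies the per-stage rule from the slide to an ECR Image Scan event, using the severity counts shown on the earlier slide. The event shape follows the documented ECR Image Scan event, but the sample event itself, the account ID, and the convention that the stage is the first path segment of the repository name are assumptions.

```python
# Added example, not AWS code. Implements the deck's per-stage policy for the
# ECR Image Scan event: notify in dev, alert and block promotion in staging,
# fail the deployment in production. Event shape follows the documented
# "ECR Image Scan" EventBridge event; the sample below is constructed.
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")

# Assumption: the stage is the first path segment of the repository name
# (e.g. "prod/wordpress"). If you separate stages by account, as the deck's
# own setup does, key on event["account"] instead.
STAGE_ACTIONS = {"dev": "notify", "staging": "alert-no-promote",
                 "prod": "fail-deploy"}


def stage_of(repository_name):
    """Return the stage prefix of a repository name, defaulting to dev."""
    return repository_name.split("/", 1)[0] if "/" in repository_name else "dev"


def handle_scan_event(event):
    """Decide what to do with one event: returns a dict with 'action' (none |
    notify | alert-no-promote | fail-deploy | scan-failed), 'repository',
    'digest' and 'blocking' (the CRITICAL + HIGH count)."""
    if event.get("source") != "aws.ecr" or event.get("detail-type") != "ECR Image Scan":
        raise ValueError("not an ECR Image Scan event")
    detail = event["detail"]
    repo = detail["repository-name"]
    result = {"repository": repo, "digest": detail.get("image-digest"),
              "blocking": 0, "action": "none"}
    if detail.get("scan-status") != "COMPLETE":
        # A failed scan gives no assurance at all; never treat it as clean.
        result["action"] = "scan-failed"
        return result
    counts = detail.get("finding-severity-counts", {})
    result["blocking"] = sum(counts.get(s, 0) for s in BLOCKING_SEVERITIES)
    if result["blocking"] > 0:
        result["action"] = STAGE_ACTIONS.get(stage_of(repo), "notify")
    return result


def lambda_handler(event, context):
    """Lambda entry point for an EventBridge rule on source aws.ecr."""
    return handle_scan_event(event)


# Constructed sample event using the severity counts shown on the slide.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.ecr", "detail-type": "ECR Image Scan",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"scan-status": "COMPLETE", "repository-name": "prod/wordpress",
               "image-digest": "sha256:EXAMPLE", "image-tags": ["latest"],
               "finding-severity-counts": {"HIGH": 5, "MEDIUM": 50, "INFORMATIONAL": 216,
                                           "LOW": 44, "CRITICAL": 2, "UNDEFINED": 4}},
}
```

Wiring the returned action to SNS, a chat webhook or a pipeline approval step is left to your deployment tooling.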
Artifact Trust
Modern container artifact trust needs (aka image signing)
• Registry-native: signatures and artifacts co-located for easier and more secure management
• Usable: simple commands to integrate with application toolchains, with signing key hierarchies
• Portable: artifacts can move across registries without affecting provenance, validation and trust
• Secure: no trust on first use, no implicit permissions on rotated keys, secure private keys and PKI
• Multi-tenant: enable cloud providers and enterprises to easily support managed services at scale
Notary v2
A community-driven, collaborative effort to enable cross-registry movement of container artifacts and their signatures for verifiable content
Notary v2 timelines
• Genesis: Nov 20, 2019, Kubecon San Diego (Kubecon Notary presentation)
• Kickoff: Dec 12, 2019, Seattle, WA (kickoff notes)
• Weekly cadence: every Mon, 10:30am PT, CNCF bridge, Slack
• Community briefings: Kubecon EU 2020, Aug 17-20, 2020
• Rough code implementation: Sep 30, 2020
• Community demo, use: Kubecon NA, Nov 17-20, 2020
• End-to-end GA to customers *: 2021
Legend: update session, working session
* https://github.com/aws/containers-roadmap/issues/43
https://www.youtube.com/watch?v=rB8-rUtrtXM
https://hackmd.io/_vrqBGAOSUC_VWvFzWruZw
https://sched.co/Zewy
https://sched.co/Zexw
Resources
Links
Overview https://aws.amazon.com/ecr/
Docs https://docs.aws.amazon.com/AmazonECR/latest/userguide/
ECR public roadmap https://github.com/aws/containers-roadmap/projects/1?card_filter_query=label%3Aecr
ECR with IAM https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html
ECR managed policies https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html
ECR emitted events https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html
Image scanning blog https://aws.amazon.com/blogs/containers/amazon-ecr-native-container-image-scanning/
Sample CI/CD + scanning integration https://github.com/adamjkeller/ecr-image-scanning-script
ECR image scanning tech talk https://www.youtube.com/watch?v=y6NI_K96DRs
Notary v2 project https://github.com/notaryproject
Notary v2 Slack https://cloud-native.slack.com/app_redirect?channel=notary-v2
Content Trust roadmap item https://github.com/aws/containers-roadmap/issues/43
Thank You!
Omar Paul
omarpaul@amazon.com
@omieomye