Read our news, insight, and perspectives with regular contributions from AcessQuint strategists, technologists, and product and industry specialists.

Various security controls provided by AWS across the cloud-native stack and container lifecycle.

Securing AWS container services

Jul 10, 2021 | BY Veera Sandiparthi

Amazon Web Services (AWS) offers several security controls across the cloud-native stack, including identity and access management, centralized logging, and threat monitoring. Organizations can leverage these services to provide scalable solutions for enterprise IT organizations.

Host security

AWS has a robust set of security measures in place to ensure customers are sufficiently protected. A datacenter and network architecture are designed suitable for the most security-sensitive organizations. Amazon EC2 features an array of protections as a managed service, including multi-factor authentication, secure encryption, and access control limiting who can view or modify information.

  • Amazon Linux 2 is the next generation of Amazon Linux that provides several security controls alongside its performance. One such example is package installation; it reduces non-critical packages and limits exposure, limiting potential vulnerabilities. Another related to updates are Security updates rated “critical” or “important” are automatically applied on the initial boot.
  • Bottlerocket is a Linux-based operating system, open-sourced by AWS and designed to run container software on virtual hosts or bare metal. The main strength of Bottlerocket is security updates that can be automatically applied without disrupting the rest of the system.

These solutions can help you manage your data center operations securely while also protecting and monitoring cloud-native workloads.

Authentication and Authorization

AWS Identity and Access Management (IAM) ensures that access to your AWS resources is protected and under your control. Create and manage users, groups, permissions, and roles to enforce information security on the various components of the cloud-native stack.

Before you deploy an Amazon EKS cluster or start deploying containers with Amazon ECS in production, make sure you are familiar with relevant AWS services that can help secure your applications and infrastructure.

Image scanning

Readily available packages that are open-source may contain old library versions. It is important to know where the software originally came from and whether there are vulnerabilities.

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers and those with limited development knowledge to store, manage, and deploy Docker images. Amazon ECR integrates seamlessly into the AWS Cloud Services Platform with features like ECS and EKS, providing a simplified workflow–going from test phases straight through to production.

AWS provides security controls to all the artifacts stored in a given registry, repository, or image. These can be customized based on specific scanning policies.

CI/CD pipeline security

CI/CD pipelines automate steps in your software delivery process, such as build and test, to help your teams deliver updates to customers. This automation is essential when deployed applications that need regular upgrading for security fixes or adding new features. Embedding security into your CI/CD pipeline helps identify vulnerabilities faster through testing at every stage of the software delivery life cycle.

AWS provides DevOps teams with CodeCommit, CodeBuild, and CodeDeploy to help automate the software delivery process. On top of these tools, AWS provides an additional tool called CodePipeline that allows them to visualize and automate each stage in the process.

AWS CodeBuild is a fully managed, continuous integration service that compiles source code, runs tests, and produces software packages ready to deploy. The build service handles multiple builds concurrently, so the processing doesn’t wait in a queue.

AWS CodePipeline is a continuous delivery service that automates the build, test and deploys phases of the release process for all code changes.

Image assurance

Image assurance is one of the ways that AWS can help you reduce errors and issues by validating containers before they run in production.

A Kubernetes admission controller is a security mechanism to prevent unauthorized images from being deployed in your container cluster. This tool is supported by the EKS service that runs on top of Kubernetes.

Network security

Containerization and the shift to the cloud are driving changes in security models. Many teams that have switched to a Zero Trust approach require authentication with advanced access privileges for networks outside their organization.

Amazon Web Services provides the ability to control networks, isolate them from one another, and prevent attacks due to open network policies. Without these controls, developers will have trouble seeing how containerized applications contact each other on a Zero Trust network.

Amazon EC2 Container Services enhances Kubernetes running in Amazon Elastic Compute Cloud (Amazon EKS) clusters by assigning specific Security Groups to pods. The dedicated security information on the AWS website will be of interest for a complete overview of this topic.

For some applications, you have to configure security rules at each network interface. For others, you can re-use operations knowledge and tools by using AWS Security groups for Kubernetes pods with the native APIs.

Service Mesh Visibility

The use of microservices and container-based approaches is now ubiquitous across the cloud-native stack, and, inevitably, a service mesh solution such as Istio, Linkerd, or AWS App Mesh is becoming common. These offer capabilities for management at scale with features such as file discovery, authentication for containers that contain information about where to connect remotely to the service, and a dashboard to view metrics related to the application’s health.

AWS App Mesh is a managed service mesh platform for AWS customers that makes it easy to monitor and control microservices running on the cloud-native stack. AWS App Mesh is compatible with Envoy, an open-source proxy used by several AWS Partner Network (APN) and open-source tools.

AWS’s container services provide a baseline coverage for security and monitoring across the entire container platform. As you scale out, AccessQuint provides centralized visibility and security that complement AWS’s existing offerings.

AccessQuint has the experience, reliability, and technical proficiency in securing AWS customers. The Accessquint AWS Cloud Security Services provide the scale and performance enterprises need to make security a seamless part of their containerization efforts on AWS container services.

Previous Post
Cloud-Based SIEM: Is Cloud the Right Solution?
Next Post
What are the signs of cyberattacks?
Written By
Veera Sandiparthi

Mr. Veera Sandiparthi is a seasonal entrepreneur who brings 18 years of experience with technology solutions and delivering secure integrated enterprise solutions across various industries, including financial, healthcare, technology, and federal. Mr. Veera serves as the President and CEO of AccessQuint LLC. Over the past 2 years became an expert in developing strategic Cybersecurity solutions for both global and domestic clients. By strategically leveraging AccessQuint LLC's expert security resources and best practices, along with his own extensive knowledge of industry challenges and organizational needs, he helps his clients maintain the highest levels of quality while increasing efficiency and streamlining the cost.