Security Best Practices with Amazon ECR · 2020. 8. 21.

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Omar Paul, Product Manager, Amazon ECR
July 9, 2020

    Security Best Practices with Amazon ECR


    Agenda

    • What is Amazon ECR?
    • Container security and where ECR fits
    • Access control
    • Image assurance
    • Artifact trust
    • Resource Links


    Assumptions


    ECR, Container Security


    Amazon ECR

    • Fully managed container registry for Docker and OCI images
    • Natively integrated with other AWS services
    • ECR handles the undifferentiated heavy lifting
    • HTTPS encryption in transit, encrypted images at rest

    • And encryption at rest with KMS CMKs has started rolling out!


    What is Container Security?

    Securing the application lifecycle from Dev to Prod

    [Diagram: the Build, Deploy and Run stages, with the controls and AWS services at each.]
    Build: AWS CodeBuild
    Deploy: Amazon ECR (Image Assurance, User Access Control, Artifact Trust, Scanning, CIS Benchmarks)
    Run: Amazon EC2, Amazon ECS, Amazon EKS, AWS Fargate, AWS Lambda, VMware Cloud on AWS (Compliance, User Access Control, Runtime Protection, Micro-Segmentation with AWS App Mesh, Secrets Management with AWS KMS, Logging & Auditing with AWS Security Hub)


    What role does ECR play?

    [Diagram: Amazon ECR in the Deploy stage, with its three security areas.]
    Image Assurance: scan images for vulnerabilities. No additional charge, just use it.
    User Access Control (AWS IAM): who can push and who can pull which resources? Least privilege, periodic reviews, alerts.
    Artifact Trust (Notary v2, coming to AWS in 2021): how does image signing help?


    ECR User Access Control


    Best practices for ECR User Access Control

    • Use IAM policies to control who can push images
      Use at most the AmazonEC2ContainerRegistryReadOnly managed policy for compute that pulls images to run. Think about who can add and remove container images. 'docker pull' from a client only needs GetAuthorizationToken, BatchGetImage, GetDownloadUrlForLayer.

    • Think differently about repositories in different application stages
      Give the AmazonEC2ContainerRegistryPowerUser managed policy just to admins and CI/CD process IAM roles for your staging and production repositories. Not to everyone.

    • Did you know ECR has IAM resource policies as well?
      If you have lots of repositories, or you add and remove them often, consider a resource policy to control actions. This is easier than updating IAM policies for users and roles that specify multiple repository ARNs.

    https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html
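As an added illustration of the pull-only rule above (this is not code from the deck or from AWS), a small Python check that expands the ECR actions an IAM policy document allows, wildcards included, and reports anything beyond the three actions a 'docker pull' needs. The ECR_ACTIONS list is a constructed subset of real action names, and the sample policies and account id are constructed placeholders.

```python
import fnmatch

# Subset of real ECR IAM action names, used to expand wildcards (constructed list, not exhaustive).
ECR_ACTIONS = [
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability", "ecr:DescribeRepositories", "ecr:ListImages",
    "ecr:DescribeImages", "ecr:DescribeImageScanFindings", "ecr:PutImage",
    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
    "ecr:BatchDeleteImage", "ecr:DeleteRepository", "ecr:SetRepositoryPolicy",
]

# The three actions a plain 'docker pull' needs, as stated on the slide.
PULL_ONLY = {"ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}


def expand_actions(actions):
    """Expand IAM action patterns ('*', 'ecr:*', 'ecr:Get*') into concrete ECR actions.
    IAM matches action names case-insensitively, so both sides are lower-cased."""
    patterns = [actions] if isinstance(actions, str) else actions
    granted = set()
    for pattern in patterns:
        pattern = "ecr:*" if pattern == "*" else pattern
        if not pattern.lower().startswith("ecr:"):
            continue  # actions for other services are out of scope here
        granted.update(a for a in ECR_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def excess_ecr_permissions(policy_doc):
    """Return the ECR actions allowed by the policy beyond what pulling an image needs.
    An empty list means the policy is no broader than the slide's pull-only set."""
    granted = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted |= expand_actions(stmt.get("Action", []))
    return sorted(granted - PULL_ONLY)


# Constructed sample: a compute role that was handed full ECR access.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}
# Constructed sample: the minimal pull policy, scoped to one repository ARN (placeholder account id).
PULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
         "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/app-prod"},
    ],
}

if __name__ == "__main__":
    print("overbroad grants:", excess_ecr_permissions(OVERBROAD_POLICY))  # lists PutImage etc.
    print("pull-only grants:", excess_ecr_permissions(PULL_POLICY))       # []
```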


    An example from ECR’s own use of ECR

    • ECR uses one AWS account for each stage: beta, gamma and prod
    • A micro-service has its own repo and deployment pipeline in each stage
    • IAM user/role and resource policies control push and pull actions
    • Controls tighten from beta to prod
    • Each Region has a different set of accounts
    • We enable tag immutability by default.
    • ECR generally thinks about 1 git repo = 1 image repo

    How do you think about controls at each stage? Periodically review your use of IAM for ECR.


    ECR Image Assurance


    Image Assurance (aka ensuring safe images)

    [Diagram: the image pipeline and the assurance controls along it.]
    Build/test locally → Version Control → Trigger Pipeline → Test/Build → Push to ECR → Pull to ECS, EKS
    Static Vulnerability Scanning; Dynamic, Runtime Protection


    ECR Image Scanning

    • Static vulnerability scanning
    • Identifies software vulnerabilities in container images
    • CoreOS Clair project
    • Scores vulnerabilities from upstream or CVSS
    • Scan on push, or ad-hoc
    • Gain actionable insights
    • ECR Image Scan EventBridge events (formerly CloudWatch Events)
    • No additional charge

    https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html


    Example Outputs

    CVE package details example (one finding as returned by describe-image-scan-findings):

    {
      "name": "CVE-2019-19814",
      "description": "In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.",
      "uri": "https://security-tracker.debian.org/tracker/CVE-2019-19814",
      "severity": "CRITICAL",
      "attributes": [
        {
          "key": "package_version",
          "value": "4.19.98-1"
        },
        {
          "key": "package_name",
          "value": "linux"
        }
      ]
    }

    Severity count example:

    console:~/ $ aws ecr describe-image-scan-findings --repository-name wordpress --image-id imageTag=latest | jq '.imageScanFindings.findingSeverityCounts'
    {
      "HIGH": 5,
      "MEDIUM": 50,
      "INFORMATIONAL": 216,
      "LOW": 44,
      "CRITICAL": 2,
      "UNDEFINED": 4
    }

    ECR console scan findings example: [screenshot of the ECR console scan findings view; not reproduced in the transcript]


    Best practices for ECR Image Scanning

    • Enable scan on push for each repository
      Turn on scan on push (it's free) for every repository. We're testing CloudFormation support as we speak. We're building account-level defaults so you don't have to do it for each repository.

    • Process the EventBridge event
      Parse it at minimum for CRITICAL and HIGH severities. Notify developers during dev push. Alert during staging push and do not promote. Fail deploying a production push.

    • Scheduled scans for (at least) production images
      Read this blog, use the sample code and trigger a recurring scan for at least your production images. We're being asked to do this natively in ECR.

    https://github.com/aws/containers-roadmap/issues/552
    https://github.com/aws/containers-roadmap/issues/799
    https://github.com/aws/containers-roadmap/issues/565
    https://github.com/adamjkeller/ecr-image-scanning-script
    https://aws.amazon.com/blogs/containers/amazon-ecr-native-container-image-scanning/
    https://github.com/aws/containers-roadmap/issues/564
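The stage-dependent handling of the scan event described above, as an added Python example that is not part of the deck or of any AWS sample: it gates on CRITICAL and HIGH counts and maps the event's account to a stage, since the deck uses one account per stage. The event shape follows the "ECR Image Scan" event format from the ecr-eventbridge documentation linked above (assumed), and the sample event, account ids and severity counts are constructed.

```python
# Constructed sample of an "ECR Image Scan" EventBridge event. Field names follow the event
# format documented at the ecr-eventbridge link on the slide (assumed); the values are made up.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "ECR Image Scan",
    "source": "aws.ecr",
    "account": "333333333333",
    "region": "us-east-1",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "wordpress",
        "image-digest": "sha256:" + "0" * 64,
        "image-tags": ["latest"],
        "finding-severity-counts": {"CRITICAL": 2, "HIGH": 5, "MEDIUM": 50, "LOW": 44},
    },
}

# One AWS account per stage, as the deck describes; the account ids are constructed placeholders.
STAGE_BY_ACCOUNT = {"111111111111": "dev", "222222222222": "staging", "333333333333": "prod"}

# Severities that gate a push, per the slide's "at minimum CRITICAL and HIGH".
GATED = ("CRITICAL", "HIGH")

# Per-stage response: notify developers, alert and hold promotion, or fail the deploy.
STAGE_ACTION = {"dev": "notify", "staging": "alert_no_promote", "prod": "fail_deploy"}


def gate_scan_event(event):
    """Return (action, blocking_counts) for one scan event.
    Unknown accounts are treated as prod so that a mis-mapped account fails closed."""
    if event.get("detail-type") != "ECR Image Scan":
        return "ignore", {}
    detail = event.get("detail", {})
    if detail.get("scan-status") != "COMPLETE":
        # A scan that did not finish is not evidence of a clean image.
        return "scan_incomplete", {}
    counts = detail.get("finding-severity-counts", {})
    blocking = {sev: counts[sev] for sev in GATED if counts.get(sev, 0) > 0}
    if not blocking:
        return "allow", {}
    stage = STAGE_BY_ACCOUNT.get(event.get("account"), "prod")
    return STAGE_ACTION[stage], blocking


if __name__ == "__main__":
    action, blocking = gate_scan_event(SAMPLE_EVENT)
    print(action, blocking)  # fail_deploy {'CRITICAL': 2, 'HIGH': 5}
```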


    Artifact Trust


    Modern container artifact trust needs (aka image signing)

    • Registry-native: signatures and artifacts co-located for easier and more secure management

    • Usable: simple commands to integrate with application toolchains, with signing key hierarchies

    • Portable: artifacts can move across registries without affecting provenance, validation and trust

    • Secure: no trust on first use, no implicit permissions on rotated keys, secure private keys and PKI

    • Multi-tenant: enable cloud providers and enterprises to easily support managed services at scale


    Notary v2

    A community-driven, collaborative effort to enable cross-registry movement of container artifacts and their signatures for verifiable content


    Notary v2 timelines

    • Genesis: Nov 20, 2019, Kubecon San Diego (Kubecon Notary Presentation)
    • Kickoff: Dec 12, 2019, Seattle, WA (Kickoff notes)
    • Weekly cadence: every Mon, 10:30am PT, CNCF bridge, Slack
    • Community briefings: Kubecon EU 2020, Aug 17-20, 2020
    • Rough code implementation: Sep 30, 2020
    • Community demo, use: Kubecon NA, Nov 17-20, 2020
    • End-to-end GA to customers: 2021 *
    • Kubecon sessions: update session, working session

    * https://github.com/aws/containers-roadmap/issues/43

    https://www.youtube.com/watch?v=rB8-rUtrtXM
    https://hackmd.io/_vrqBGAOSUC_VWvFzWruZw
    https://sched.co/Zewy
    https://sched.co/Zexw
    https://github.com/aws/containers-roadmap/issues/43


    Resources


    Links

    Overview: https://aws.amazon.com/ecr/
    Docs: https://docs.aws.amazon.com/AmazonECR/latest/userguide/
    ECR public roadmap: https://github.com/aws/containers-roadmap/projects/1?card_filter_query=label%3Aecr

    ECR with IAM: https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html
    ECR managed policies: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html

    ECR emitted events: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html
    Image scanning blog: https://aws.amazon.com/blogs/containers/amazon-ecr-native-container-image-scanning/
    Sample CI/CD + scanning integration: https://github.com/adamjkeller/ecr-image-scanning-script
    ECR image scanning tech talk: https://www.youtube.com/watch?v=y6NI_K96DRs

    Notary v2 project: https://github.com/notaryproject
    Notary v2 Slack: https://cloud-native.slack.com/app_redirect?channel=notary-v2
    Content Trust Roadmap item: https://github.com/aws/containers-roadmap/issues/43


    Thank You!
    Omar Paul, [email protected], @omieomye