Best Practices for Container Security
Securing Amazon ECS and EKS
Many businesses are reliant upon containers for their product. AWS customers can choose Amazon ECS or Amazon EKS as their fully managed container service, in conjunction with AWS Fargate, EC2 instances, AWS Outposts, AWS Local Zones, and AWS Wavelength.
To use AWS containers securely, we recommend the following best practices:
- Never store secrets such as keys or passwords inside a container image or task definition. Keep them in AWS Secrets Manager and have the container retrieve them at runtime.
- Use IAM roles instead of hardcoding credentials.
- Don’t run containers as root.
- Run one service per container to minimize the attack surface.
- Use trusted images; don’t use those from public repositories. Use image scanning even if images are thought to be safe.
- Amazon Elastic Container Registry (ECR) stores your images and can scan them for known vulnerabilities before they are deployed.
- Protect your infrastructure by not sending VPC traffic over the Internet.
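The list above can be turned into an automated check. The following is an added example (not AWS code or part of this page) that lints an ECS task definition against the practices listed: an IAM task role must be present, images should come from a private ECR repository, containers must not run as root or privileged, and anything that looks like a credential must sit in `secrets[]` backed by Secrets Manager rather than in plaintext `environment[]` entries. The field names (`taskRoleArn`, `containerDefinitions`, `user`, `privileged`, `environment`, `secrets`/`valueFrom`) are real ECS task definition fields; the name and value patterns used to spot secrets, and the two sample task definitions, are constructed for the example.

```python
import json
import re

# Heuristics constructed for this example (not an AWS-published list): environment
# variable names that usually carry credentials, and the shape of an AWS access key id.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)
AWS_ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
# Private ECR repository URI, e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.2.3
PRIVATE_ECR_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")
# ECS resolves secrets[].valueFrom from Secrets Manager or SSM Parameter Store ARNs.
SECRET_STORE_RE = re.compile(r"^arn:aws:(secretsmanager|ssm):")


def lint_task_definition(task_def: dict) -> list:
    """Return human-readable findings for one ECS task definition; [] means clean."""
    findings = []
    if not task_def.get("taskRoleArn"):
        findings.append("task: no taskRoleArn, so containers cannot get AWS credentials from an IAM role")
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if not PRIVATE_ECR_RE.match(image):
            findings.append(f"{name}: image {image!r} is not from a private ECR repository; verify its source and scan it")
        # No user means the image default applies, which is root for most base images.
        user = str(c.get("user", ""))
        if user == "" or user == "root" or user.split(":")[0] == "0":
            findings.append(f"{name}: runs as root (user={user!r}); set a non-root user")
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true grants host-level capabilities")
        for env in c.get("environment", []):
            n, v = env.get("name", ""), str(env.get("value", ""))
            if SECRET_NAME_RE.search(n) or AWS_ACCESS_KEY_RE.match(v):
                findings.append(f"{name}: environment variable {n} looks like a plaintext secret; move it to secrets[] backed by Secrets Manager")
        for s in c.get("secrets", []):
            if not SECRET_STORE_RE.match(s.get("valueFrom", "")):
                findings.append(f"{name}: secret {s.get('name')} valueFrom is not a Secrets Manager or SSM ARN")
    return findings


def lint_task_definition_json(text: str) -> list:
    """Convenience wrapper for the output of `aws ecs describe-task-definition` or a JSON file."""
    doc = json.loads(text)
    return lint_task_definition(doc.get("taskDefinition", doc))


# Constructed sample: hardcoded credentials, public image, implicit root, no task role.
WEAK_TASK = {
    "family": "web-weak",
    "containerDefinitions": [{
        "name": "web",
        "image": "nginx:latest",
        "environment": [
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE00"},
        ],
    }],
}

# Constructed sample applying the practices above (account id and ARNs are placeholders).
HARDENED_TASK = {
    "family": "web-hardened",
    "taskRoleArn": "arn:aws:iam::123456789012:role/web-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/web-execution-role",
    "containerDefinitions": [{
        "name": "web",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2",
        "user": "1000:1000",
        "environment": [{"name": "LOG_LEVEL", "value": "info"}],
        "secrets": [{
            "name": "DB_PASSWORD",
            "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/web/db-EXAMPLE",
        }],
    }],
}

if __name__ == "__main__":
    for td in (WEAK_TASK, HARDENED_TASK):
        print(td["family"])
        for f in lint_task_definition(td) or ["  (no findings)"]:
            print("  " + f.lstrip())
```

Run it as-is to see the five findings on the weak definition and none on the hardened one, or feed `lint_task_definition_json` the JSON returned by `aws ecs describe-task-definition` to review a real task. The execution role that ECS uses to fetch the secret at start-up still needs read access to that Secrets Manager entry, which the linter does not check.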
To learn more, visit the AWS documentation on task and container security.
A lot of businesses rely on containers for their product. So here are some best practices to use those containers securely.
First, you should never hard code credentials. Use IAM users for that. Also, you should have IAM roles assigned to containers, instead of letting them run as root. Additionally, no secrets should be stored in your containers. AWS provides Secrets Manager for that. Another best practice would be to only use trusted images from trusted sources. And when you store those in the repository, you should use the scanning provided by AWS to ensure that those are secure and safe images to use. Lastly, there should only be one service per container to ensure that your attack surface is minimized. And only send encrypted traffic from your VPC.