Best Practices for Container Security on AWS
Containers have changed how we deploy software. Learn how to better protect your containerized applications from external threats.
Containerization—a virtualization method used to deploy and run distributed applications without the need to launch an entire virtual machine for each application—is changing the way businesses develop and deploy applications in cloud environments. Containers decompose applications into small, manageable packages containing everything the application needs to run: code, core data, configuration files, interfaces, and dependencies.
The container approach allows developers to focus on applications and not be concerned with deployment and infrastructure management. From a development perspective, there are numerous benefits to the container approach.
The advantages of containers extend beyond the development cycle. Containers use compute resources more efficiently because they do not need a hypervisor: they share the host OS kernel without affecting the performance of the applications running inside them. With a smaller footprint, more containers can run on a single host, resulting in better utilization of compute resources and lower costs. Additionally, containers can be configured with only the required binaries and components, eliminating potential vulnerabilities that might be found in a full-fledged OS. Containers that can run on Amazon EC2 Spot Instances can obtain up to a 90% discount compared to On-Demand prices.
The Docker software platform is one of the most popular means of building, testing, and deploying applications. Amazon offers two options for deploying Docker containers on AWS: Elastic Beanstalk and Elastic Container Service. The primary difference between the two is the degree of control each provides over application scaling, capacity, and scheduling.
Elastic Beanstalk is an AWS service for deploying and scaling web applications and services. It eliminates the need to manually launch AWS resources required to run applications. Using your IDE, AWS Management Console, or Git repository, you upload the Docker container image.
Elastic Beanstalk then takes care of container deployment, provisioning the required infrastructure and managing the underlying platform, including providing the latest patches and updates to support the application.
The Elastic Beanstalk console allows you to manage the application, stopping or starting it as a single unit. Using auto-scaling settings you’ve established, it scales the application up or down as needed. It automatically handles load balancing by distributing containers across clusters.
Elastic Container Service (ECS) is an orchestration service that supports Docker containers. Using API calls, you can quickly launch and manage tens to thousands of Docker containers. ECS manages and scales a cluster of virtual machines, schedules containers on those VMs, and maintains VM availability.
ECS can use AWS Fargate to deploy and manage containers, eliminating the need to provision servers. ECS supports a wide range of containerized applications, from long-running services to microservices, and enables legacy Linux or Windows applications to be migrated to the cloud as containerized applications.
ECS provides granular security control by launching containers in your own Amazon VPC, so VPC security groups and network ACLs apply to container traffic. Using IAM, you can define which AWS services and resources a container is allowed to access.
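One way to check the controls this paragraph names, as an added example (not AWS's or the page's own code): a small Python lint over a constructed ECS task definition and task-role policy that flags a privileged container, a writable root filesystem, a missing task role or non-awsvpc network mode, and a wildcard IAM statement. The account ID, role ARN, bucket and image name are constructed placeholders.

```python
# Constructed sample (hypothetical, not real infrastructure): a Fargate task definition with two weak settings.
TASK_DEFINITION = {
    "networkMode": "awsvpc",  # each task gets its own ENI, so a security group applies per task
    "taskRoleArn": "arn:aws:iam::123456789012:role/web-task-role",
    "containerDefinitions": [{
        "name": "web",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2",
        "privileged": True,               # weak: host-level privileges
        "user": "1000:1000",              # good: non-root UID:GID
        "readonlyRootFilesystem": False,  # weak: writable root filesystem
    }],
}

# Constructed sample task-role policy; the second statement would let the task call any AWS API on any resource.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::web-assets/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_task_definition(td):
    findings = []
    if td.get("networkMode") != "awsvpc":
        findings.append("networkMode is not awsvpc; security groups cannot be applied per task")
    if not td.get("taskRoleArn"):
        findings.append("no taskRoleArn; containers have no scoped IAM identity")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{name}: privileged container")
        if str(c.get("user", "")).split(":")[0] in ("", "0", "root"):
            findings.append(f"{name}: runs as root or no user set")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
    return findings

def lint_policy(policy):
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        wild = [k for k in ("Action", "Resource") if "*" in _as_list(st.get(k, []))]
        if wild:
            findings.append(f"statement {i}: wildcard {'/'.join(wild)}")
    return findings
```

Run both linters in CI before `register-task-definition` so a privileged flag or a `"Action": "*"` statement fails the pipeline rather than reaching the cluster.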
ECS allows you to take advantage of AWS services such as Elastic Load Balancing, Elastic Container Registry, AWS Batch, CloudWatch, CloudFormation, and CloudTrail via native integration with those services.
For businesses new to AWS or to containerization, just getting started with Docker, or developing new applications, Elastic Beanstalk may be the best approach to support Docker containers. Elastic Beanstalk offers a simple interface, allows Docker images to be pulled from public or private registries, and coordinates the deployment of multiple Docker containers to Amazon ECS clusters. Elastic Beanstalk gives you less control over application scaling and capacity, but it makes deploying Docker containers on AWS very straightforward.
In comparison to Elastic Beanstalk, Elastic Container Service provides greater control over application architectures and orchestration of Docker containers. You specify the size and number of cluster nodes and determine if auto-scaling should be used.
Elastic Container Service uses tasks to launch Docker containers. A task includes the container definitions, which lets you group containers into sets that launch together and terminate together. ECS provides significantly greater flexibility and customization in scheduling and in CPU and memory allocation. In addition, ECS does not require special integration effort to work with many other AWS services.
Elastic Container Service is appropriate when you need to run microservices that require integration with other AWS services, or use custom or managed schedulers to run batch workloads on EC2 On-Demand, Reserved, or Spot Instances. Businesses wanting to containerize legacy code and migrate it to AWS without rewriting it should take the ECS option. Applications or workflows composed of loosely coupled, distributed services running on various platforms or accessing widely distributed data sources can also benefit from Elastic Container Service.
The containerization approach brings greater efficiency to application development and deployment, as well as optimized compute usage. However, containerization isn't right for all applications, for example those with specific hardware requirements, such as CPU-intensive processes.
For businesses new to AWS, Elastic Beanstalk may be the best option today and well into the future. For others, the flexibility and capabilities of Elastic Container Service may present a steeper learning curve, but one well worth the initial effort.
Without the guidance of an AWS Premier Consulting Partner, determining the best approach for deploying Docker containers on AWS can be challenging. Consult with AWS professionals who have advised dozens of other customers regarding Docker deployment.
Deliver better service to customers, and keep pace in a competitive landscape.