Best Practices for Container Security on AWS
Containers have changed how we deploy software. Learn how to better protect your containerized applications from external threats.
Amazon Elastic Compute Cloud (EC2) has enabled thousands of organizations to deploy and manage secure, web-scale computing capacity in the cloud. Amazon EC2 streamlines the processes of establishing server instances, developing and running containerized applications, and scaling those instances to meet processing demands. Amazon provides and uses multiple tools and services to manage these processes efficiently:
In addition to these, Amazon ECS supports API calls that launch Docker-based applications and integrate with other AWS features such as IAM roles, security groups, Amazon CloudWatch Events, and AWS CloudTrail logs.
Amazon offers detailed guidance on how to create Amazon EC2 instances. An experienced sysadmin or developer likely has these steps memorized and can complete the process in minutes. However, for someone new to the Amazon EC2 environment, the process can be challenging, given the number of steps, commands, and tools involved.
Having worked directly with various organizations, I want to provide some useful guidance to complement the directions provided by Amazon, to help you plan ahead and consider some of the decisions you'll need to make. In providing this information, I'm assuming that you've already established an AWS account, created a virtual private cloud and security groups, and installed the AWS Command Line Interface (CLI). Your developers have written the application, and you're now logged in to your AWS account.
You'll need to create a key pair or use a pair already created; the private key is downloaded once and never leaves your workstation, so store it accordingly. Open the Amazon EC2 console and select an Amazon Machine Image (AMI), choose your instance type, configure the instance details (network, which is your default VPC; subnet; storage; and security group), select the key pair, then launch the instance. Review the security group before launching: it should admit SSH only from your administrative network, not from 0.0.0.0/0.
Open the EFS console, choose your default VPC, name your file system, and add descriptive tags. Decide on encryption at rest here, because it can only be enabled when the file system is created, not afterwards; enable lifecycle management if you want to take advantage of lower-cost infrequent access storage.
This is a straightforward sequence of tasks and commands. Note that after you launch an EC2 instance, it may take a few minutes to initialize before you can connect. Connect to the EC2 instance and install the amazon-efs-utils package following the directions provided by Amazon; mounting with its tls option encrypts the NFS traffic between the instance and EFS. If you have existing data in on-premises storage you can use AWS DataSync to transfer files to EFS.
This is a simple, straightforward process. With the EC2 instance launched, use the commands specified in Installing Docker to complete and verify the installation.
Amazon ECS uses Docker images to launch containers on the instances you've created. The docker build command assembles an image by reading a Dockerfile, a text file containing the instructions needed to build it. The Docker daemon runs those instructions one by one and finally outputs the ID of the new image. You'll need to work with your developers to write a Dockerfile that follows the Dockerfile format, and to treat it as security-relevant: pin the base image, copy in only what the application needs, and run the process as a non-root user.
ECR is a managed Docker container registry for storage, management, and deployment of Docker container images, and its integration with ECS provides reliable deployment of containers. Use the AWS CLI to create a repository (enabling image scanning on push and immutable tags is worth doing at this point), then authenticate the Docker CLI against the registry and push your image.
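The Dockerfile and ECR steps above as one script, added here as an example and not code from the original post or from AWS. The Dockerfile is for a hypothetical Python service (the file names, port and package list are assumptions); a small lint function rejects the mistakes that most often reach production (a floating or untagged base image, no USER instruction, ADD fetching or unpacking build inputs); the repository is created with scan-on-push and immutable tags; and the push logs in with the short-lived token ECR issues. Setting AWS_CMD=echo and DOCKER_CMD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): write a hardened Dockerfile,
# lint it, create an ECR repository with scan-on-push and immutable tags,
# then build and push. Names are placeholders; set AWS_CMD=echo DOCKER_CMD=echo
# to dry-run. Functions print their result on stdout, progress on stderr.
set -eu
AWS_CMD="${AWS_CMD:-aws}"
DOCKER_CMD="${DOCKER_CMD:-docker}"

# Dockerfile for a hypothetical Python service: pinned base tag, dedicated
# unprivileged user, only the build's own inputs copied in.
write_dockerfile() { # dir
    cat > "$1/Dockerfile" <<'EOF'
# Replace the tag with tag@sha256:<digest> once verified, so the base cannot drift.
FROM python:3.12-slim
RUN groupadd --system app && useradd --system --gid app --home-dir /app --shell /usr/sbin/nologin app
WORKDIR /app
COPY --chown=app:app requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY --chown=app:app . .
USER app
EXPOSE 8080
CMD ["python", "app.py"]
EOF
}

# Policy checks; returns 1 and reports each violation on stderr.
lint_dockerfile() { # path
    rc=0
    grep -Eq '^FROM +[^ ]+:latest( |$)' "$1" && { echo "FROM uses :latest" >&2; rc=1; }
    grep -E '^FROM +[^ :@]+( |$)' "$1" | grep -Evq '^FROM +scratch( |$)' \
        && { echo "FROM has no tag or digest" >&2; rc=1; }
    grep -Eq '^USER +' "$1" || { echo "no USER instruction: container runs as root" >&2; rc=1; }
    grep -Eq '^USER +(root|0)( |:|$)' "$1" && { echo "USER root" >&2; rc=1; }
    grep -Eq '^ADD +(https?://|[^ ]+\.(tar|tgz|tar\.gz|zip)( |$))' "$1" \
        && { echo "ADD fetches or unpacks; use COPY" >&2; rc=1; }
    return "$rc"
}

# Scan on push surfaces known CVEs in the image; IMMUTABLE forbids retagging,
# so a tag named in a task definition always refers to the same bytes.
create_repo() { # name
    "$AWS_CMD" ecr create-repository --repository-name "$1" \
        --image-scanning-configuration scanOnPush=true \
        --image-tag-mutability IMMUTABLE \
        --query repository.repositoryUri --output text
}

# Log in with a token that expires after 12 hours, then build and push.
push_image() { # repository-uri tag context-dir
    registry="${1%%/*}"                  # 123456789012.dkr.ecr.REGION.amazonaws.com
    region=$(printf '%s' "$registry" | cut -d. -f4)
    "$AWS_CMD" ecr get-login-password --region "$region" \
        | "$DOCKER_CMD" login --username AWS --password-stdin "$registry" >&2
    "$DOCKER_CMD" build -t "$1:$2" "$3" >&2
    "$DOCKER_CMD" push "$1:$2" >&2
    echo "$1:$2"
}

# Usage (placeholder repository name; tag the image with the commit it was built from):
#   d=$(mktemp -d); write_dockerfile "$d"; lint_dockerfile "$d/Dockerfile"
#   uri=$(create_repo my-app); push_image "$uri" "$(git rev-parse --short HEAD)" "$d"
```

The lint is deliberately small; in a multi-stage build a later FROM that names an earlier stage would trip the untagged-base rule and needs an exception. With immutable tags, a rebuild must use a new tag, which is the behaviour you want: the task definition then records exactly which image ran.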
Before you can run Docker containers on Amazon ECS, you will need to create a task definition using the AWS CLI. I'll cover that topic in detail in a future blog post, addressing scheduling, load balancing, and a host of other considerations that affect application performance.
In this brief overview, I’ve outlined the process of creating Amazon EC2 instances—yet each of these steps can benefit from a more detailed discussion to enhance the efficiency of the overall process. When creating EC2 instances, your overarching goal should be to configure the parameters and allocate sufficient resources to maximize the value of your AWS investment. With many critical decisions to make, the guidance of an experienced partner can help ensure your decisions are sound.
Whether it's application development, launching an EC2 instance, writing Dockerfiles, orchestrating resources to handle scale, availability, and quick updates, or running the application in a production environment, success in each of these areas requires experience and expertise. If you're just embarking on a new EC2 initiative, we'd welcome the opportunity to discuss the specifics of your business needs with one of our specialists.