Aqua Blog

Protecting AWS Fargate Containers at Runtime

Protecting AWS Fargate Containers at Runtime

Containers as a Service (CaaS) like AWS Fargate have proven to be a valuable mechanism for DevOps teams to build and deploy complex applications at scale. By removing the need for infrastructure management and security, customers can also reduce development costs using AWS Fargate.

However, based on the shared responsibility model, customers are still responsible for the security of their applications and have to ensure that the code and workloads that run on their containers are secure. This blog post will explore the benefits of AWS Fargate, the security challenges it presents, and how the Aqua Cloud Security Platform can protect AWS Fargate containers through their lifecycle.

What Is AWS Fargate?

AWS Fargate is a way to deploy containers on Elastic Kubernetes Service (EKS) and Elastic Container Service (ECS), the two managed container services in the AWS cloud. Fargate automates most of the work required to set up and manage the host infrastructure, letting you run containers without provisioning or managing servers. It’s a fully managed service, meaning all the configuration is done for you. It is a cost-effective way to run containers making it easy for organizations to use them in the cloud at scale and maintain high availability across their applications. AWS calls Fargate a “serverless compute engine”; it eliminates the need to manage servers when deploying containers in the AWS cloud.

What Does AWS Fargate Do?

Fargate solves the challenge of managing infrastructure to host containers for many teams. Modern container tooling solves most of the pain points associated with deploying and managing containerized applications. The one thing that standard container platforms don’t do is set up the host infrastructure for you or scale that infrastructure up and down as your load fluctuates. Fargate allows you to deploy containers without worrying about the underlying infrastructure. You simply load your container images into either EKS or ECS, and Fargate runs them.

AWS Fargate is an effective way to minimize the effort required to run containers in the Amazon cloud. But the significant trade-off is control over your host infrastructure and your security.

Embedding Security in the DevOps Process

Gartner predicts that by 2022 more than 75% of global organizations will be running containerized applications in production. AWS Fargate simplifies the deployment and compute/storage management of the containers. This provides a significant advantage: you can run containers without managing servers or clusters of Amazon EC2 instances and focus on designing and building your applications.

This typically means essential infrastructure maintenance activities like scaling and installing patches are taken care of. However, the networking and security of containers are solely for customers to manage. Developers are still ultimately responsible for the secure execution of their code including application logic, code, and data. CaaS platforms like AWS Fargate are simply there to manage the container environment. AWS does provide some networking and security functionalities, but in today’s complex runtime world, security challenges remain for the serverless app developer.

Integrate and Automate Fargate Container Security and Block Attacks

A containerized environment must be secured across the entire lifecycle – from dev to cloud and back.  A solid security strategy helps prevent malicious activities and starts with implementing policies and safeguards to integrate and automate policies and processes while clocking unauthorized activities. Container security is complex in that compared to traditional security it needs to be secured across the development lifecycle, from securing the build pipeline and container images to container runtimes and application layers. Additionally, container security should be fully automated and embedded into all stages of the Software Development Life Cycle (SDLC) as part of the continuous delivery lifecycle used to build and release containerized applications.

Such protection capabilities, with deep integration into AWS infrastructure and services, are delivered as part of our comprehensive Cloud Native Application Protection Platform (CNAPP) that covers, Software Supply Chain Security, Vulnerability Management, Cloud Security Posture Management (CSPM), Kubernetes Security Posture Management (KSPM) and Cloud Workload Protection Platform (CWPP).

Aqua helps protect your Fargate containers using some key features like:

Automate DevSecOps

  • Improve Supply Chain Security by shifting-left early into the DevOps pipeline and integrating with your Source Code Management (SCM) or Continuous Integration/Continuous Delivery (CI/CD) tools or Image Registries to scan and detect issues such as
    • Vulnerabilities
    • Malware
    • Misconfigurations
    • Sensitive Data
    • Malicious Behavior – using  Dynamic Threat Analysis

Automate Policies and Process

  • Implement custom assurance policies/security gates that prevent non-compliant images from being built.
  • Use a Dynamic Thread Analysis sandbox to perform runtime behavioral analysis of built images before being pushed to registry or production.
  • Implement custom runtime policies that
    • Prevent  non-compliant and unregistered (rogue) images from getting deployed. Allow network nano-segmentation for compliance and to minimize blast radius. Use Drift Prevention to ensure container immutability and block any unauthorized activities and zero-day attacks without stopping all container processes.
    • Ensure real-time visibility and protection for audit and enforcement vs. API-based approaches.

Automate Regulatory Compliance

  • Provide file integrity monitoring with a complete audit trail of any changes made.
  • Out-of-the-box policies for PCI-DSS, HIPAA, EU GDPR, and the NIST framework. Built-in industry standard benchmarking reports like CIS. Provide advanced forensics for containers to help with incident response.
  • Maintain history of scan results, policy changes, remediation actions, secrets rotation, runtime events, and user logins.

Security Purpose-built for Fargate

Securing CaaS environments at runtime presents a lot of challenges for traditional cloud workload protection approaches that rely on access to the host operating systems to run or API access for monitoring processes.

To address these unique delivery and security requirements, Aqua delivers technology that is purpose built for Fargate that supports both ECS and EKS on Fargate as well as supporting Fargate on Graviton2 processors.

Aqua can provide Runtime security for Fargate containers through:

  • Embedded Container Images: Aqua MicroEnforcer can be embedded into the container images that you want to protect when they are deployed as containers. Each image includes a JSON file that describes the Image Profile associated with the image. When a container based on the image is deployed, the MicroEnforcer applies security protection according to the controls specified in the Image Profile.
  • Sidecar Architecture: Aqua MicroEnforcer can also be deployed as a sidecar container which is attached to the application container to be protected. The sidecar receives information from the Aqua Server related to the applicable runtime security policies to be enforced for the application container in question.
  • Auto-Injection using Mutating Admission Controller (For EKS on Fargate only): The Aqua PodEnforcer auto-injection is integrated with the Aqua Kube Enforcer’s mutating admission controller component, allowing it to modify the pod manifest based on predefined assurance policies.

Aqua can protect your running containers in a CaaS environment with protection that will secure the container wherever it is deployed, protecting the container throughout its entire lifecycle, from development to runtime. To learn more about Aqua’s runtime protection and Fargate container security, watch a recent webinar I co-hosted with Steven Follis, AWS, Containers Specialist: Securing Container Workloads on AWS Fargate: A How To Session.

Farhan Mohsin
Farhan Mohsin is a Sr. Solutions Architect at Aqua. As part of the SA team, he works on different aspects of cloud native application security and integration with customers, channel partners, GSI's, and technology alliance partners like AWS. Before Aqua, he worked as a Solution Architect for ExxonMobil IT. He is a technology enthusiast who loves to play soccer and work on classic cars in his spare time.