Containers are great, aren't they? They're lightweight, can run apps and services in isolation, and are massively scalable in the cloud. But despite these advantages, securing them is less than straightforward.
There's a lot of moving parts to keep track of—containers, images, registries, objects—and learning to configure all of them for security is no easy task.
In this blog, we're taking a closer look at container registries, what they are, and how to protect them with four essential security controls.
A container registry is a repository to store and access container images. Developers can upload and store (push) images in the registry, or download (pull) them.
Registries can be directly connected with orchestration platforms like Docker or Kubernetes to run and manage your containers.
It helps to think of a registry as a source code repository (like Github). This will give you the right perspective when it comes to building out effective security controls.
It's important to note that your security approach will be very different if you go for a managed container registry (like Amazon ECR or Project Harbor) vs. hosting your own registry. In this blog, we'll only be showing you how to secure managed container registries.
Scanning your container images is an essential step for securing container registries. Security scan tools will look for issues like vulnerabilities in the code of your images, bugs or malware present in open source images from public registries, outdated packages or libraries, etc.
In fact, scanning images in a CI/CD pipeline can block vulnerabilities from ever reaching the registry itself. Container scan tools can be automated in order to speed up the process of testing, reporting, and remediating container security vulnerabilities.
Open source container registries like Harbor usually support a host of scanners like Trivy or Anchore, but Amazon ECR or Azure Container Registry (ACR) require you to use their own scan tools — Inspector and Defender, respectively.
Image tags are simple text labels that convey useful information about the version of the container image. It can offer information like the base OS version, or whether it's the most recent update of the image. Put simply, tags are a good way to differentiate between images.
But an attacker with access to your registry might try to upload a trojanised image to the repository with the same tag as an existing image. They would be able to overwrite that image, and now you have a malicious container image in your registry with no way of knowing about it.
Tag immutability is a feature that lets you prevent image tags from being overwritten. When you configure it, the registry won't let users push an image with a tag that's already there in the repository.
Learn to secure container registries hands-on! Check out this course.
This is another critical security control you need when working with container registries. If you misconfigure IAM privileges on the container registry, you risk a malicious actor compromising a user's credentials and pushing trojanised images to the registry.
Most cloud providers offer a default set of IAM policies, but these are usually not secure enough as they won't account for the wide range of threat scenarios you could face. You need to manage access for identities like users, roles, groups, etc., as well as make use of features like context-based restrictions.
This is a somewhat underrated area of focus in security, particularly in the containers space. Detection engineering is the concept of identifying threats before they can do significant damage to your systems. This includes processes like threat intelligence, risk management, monitoring, among other disciplines.
In the context of container security, you should be looking at monitoring control plane logs for registry events. For example, Amazon EKS provides audit and diagnostic logs directly from the control plane to CloudWatch Logs.
As an added measure, consider pushing control plane logs to object storage or databases to further analyse anomalies in the logs.
AppSecEngineer offers 5 courses in container security with 30+ hands-on labs and 30 hours of learning. Train to attack and defend containers, learn cutting-edge security techniques, and more:
Start learning on AppSecEngineer with a free trial (no CC required), or pick your plan here.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.