6 big Kubernetes container security launches at AWS re:Invent 2021

Amazon Web Services (AWS) and its cybersecurity partners brought a major emphasis on Kubernetes container security in their product launches this week at the re:Invent 2021 conference.

The announcements included extending AWS security tools to cover containers, a new AWS marketplace for containerized apps that offers security benefits, and a preview of upcoming container workload protections for the Amazon Elastic Kubernetes Service (EKS).

“As the adoption of containers skyrockets, so does the need for easy-to-manage and scale container security,” AWS chief information security officer Stephen Schmidt said during re:Invent.

AWS has “heard that message,” he said, and the cloud provider is “now developing feature sets that address container environments.”

Container surge

A survey by the Cloud Native Computing Foundation found that the use of containers in production has surged by 300% since 2016, with 92% of organizations using containers in production in 2020. That’s made containers a tempting target for cyber attackers: A recent study by Aqua Security found that 50% of new misconfigured Docker instances are attacked by botnets within 56 minutes of being set up.

At re:Invent, Schmidt said that given the rise use and threats around containers, there’s clearly a “need for some new security tooling relevant to this particular space,” Schmidt said.

It’s a very welcome thing for AWS to focus on enhancing security capabilities for container technologies that are used with AWS—namely, the now-dominant Kubernetes container orchestration platform, said George Burns, senior consultant for cloud operations at SPR, an AWS Advanced Consulting partner.

While securing traditional applications follows “very established processes, securing containers does not,” Burns told VentureBeat. “So a lot of the innovation that we will see over the next several cycles will be regarding container security.”

What follows are six Kubernetes container security launches from Amazon Web Services and partners at re:Invent 2021.

Threat detection for container workloads

AWS said it plans to launch new threat detection capabilities for container workloads during the first quarter of 2022.

Schmidt said the company does not typically pre-announce features that are still under development. But given the growing importance of container security, the cloud giant is making an exception in revealing its new container threat detection features, he said.

The first new container threat detection features, launching in Q1 of 2022, will involve extending the Amazon GuardDuty threat detection service to Amazon Elastic Kubernetes Service (EKS) audit logs, he said.

“This will provide customers intelligent threat detection for their container workloads — scanning for unusual resource deployments [and] things like malicious configuration changes, or escalation of privilege attempts,” Schmidt said.

The company expects that coverage from its Amazon Inspector for the Amazon Elastic Container Registry (ECR) will follow, he said. AWS also plans an expansion of the Amazon Detective service that will bring “its investigation analysis into the container space in the near future,” he said.

Vulnerability management for container workloads

At re:Invent, AWS disclosed an expansion of its vulnerability management service, Amazon Inspector, to include container workloads. Amazon Inspector can now assess ECR-based container workloads, in addition to Elastic Compute Cloud (EC2) workloads, AWS said.

Additionally, assessment scans with Amazon Inspector are now continual and automated — taking the place of manual scans that occur only periodically, according to the company.

Using the updated Amazon Inspector will enable auto-discovery and begin a continual assessment of a customer’s ECR-based container workloads and EC2 workloads — ultimately evaluating the customer’s security posture “even as the underlying resources change,” AWS wrote in a blog post.

Securing containers from public registries

To help development teams that are using containers from publicly accessible registries to secure the containers, AWS announced pull-through cache repository support in Amazon Elastic Container Registry.

The support will “offer developers the improved performance, security, and availability of Amazon Elastic Container Registry for container images that they source from public registries,” AWS said in a blog.

“Images in pull-through cache repositories are automatically kept in sync with the upstream public registries, thereby eliminating the manual work of pulling images and periodically updating,” the blog said. “Pull through cache repositories provide the benefits of the built-in security capabilities in Amazon Elastic Container Registry, such as AWS PrivateLink enabling you to keep all of the network traffic private, image scanning to detect vulnerabilities, encryption with AWS Key Management Service (KMS) keys, cross-region replication, and lifecycle policies.”

AWS Marketplace for Containers Anywhere

AWS launched a new marketplace at re:Invent 2021, the AWS Marketplace for Containers Anywhere, which enables customers to find third-party containerized apps that are vetted and scanned for security issues. These apps can then be deployed in Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS).

“Many customers that run Kubernetes applications on AWS want to deploy them on-premises due to constraints, such as latency and data governance requirements. Also, once they have deployed the Kubernetes application, they need additional tools to govern the application through license tracking, billing, and upgrades,” AWS said in a blog post.

AWS Marketplace for Containers Anywhere enables customers to deploy third-party Kubernetes apps “on any Kubernetes cluster in any environment,” the company said. “This capability makes the AWS Marketplace more useful for customers who run containerized workloads.”

Customers can deploy third-party Kubernetes apps to on-premises environments via Amazon EKS Anywhere—or in any customer self-managed Kubernetes cluster located on-prem—or in Amazon EC2, AWS said.

This ultimately enables customers to “use a single catalog to find container images regardless of where they eventually plan to deploy,” the company said.

Security is among the top benefits for customers with the AWS Marketplace for Containers Anywhere, said Gaurav Rishi, vice president of product at Kasten by Veeam, a Kubernetes data protection vendor taking part in the new marketplace. All applications listed on the marketplace are scanned for Common Vulnerabilities and Exposures (CVEs), ensuring “enhanced security” for customers, Rishi said in an email to VentureBeat.

Secure solutions in Containers Anywhere marketplace

Many of the initial vendor partners launching apps in AWS Marketplace for Containers Anywhere touted the additional built-in security capabilities of their apps:

• HAProxy Technologies: Enterprise Ingress Controller, a software load balancer for delivering apps and websites with high performance as well as strong security and observability.
• Isovalent: open-source and enterprise products, including Cilium and eBPF, which address security, networking, and observability issues for cloud-native infrastructure.
• JFrog: “liquid software” that aims to “power the world’s software updates through the seamless, secure flow of binaries from developers to the edge.”
• Kasten by Veeam: the Kasten K10 data management platform, which is “purpose-built” for Kubernetes as an “easy-to-use, scalable, and secure system for backup and recovery, disaster recovery, and application mobility.”
• Nirmata: open-source and enterprise products for “policy-based security and automation of production Kubernetes workloads and clusters.”
• Palo Alto Networks: CN-Series Container Next-Gen Firewall, which is “purpose built to secure the Kubernetes environment from network based attacks.”
• Prosimo: Jumpstart, which brings together cloud networking, security, performance, observability, and cost management to “reduce enterprise cloud deployment complexity and risk.”

Integrations for Kubernetes security

During re:Invent 2021, a number of vendor partners also announced new integrations that can help with securing Kubernetes usage. They included:

• Snyk: announced that AWS integrated its vulnerability intelligence service, Snyk Security Intelligence, into the updated Amazon Inspector tool. Customer benefits include enhanced security for Kubernetes, Snyk said. Users can “ensure a uniform and superior source of vulnerability data across AWS’ security (Amazon Inspector) as well as developer tools (AWS CodeSuite, Amazon ECR, Amazon Elastic Kubernetes Service and AWS Lambda),” the company said in a news release.
• Axonius: announced it has integrated with the updated Amazon Inspector. Capabilities include the ability to “identify any AWS assets that have not been assessed with Amazon Inspector,” including container images that reside in Amazon ECR, the company said in a news release.
• Vulcan Cyber: also announced integrating with the enhanced Amazon Inspector, with capabilities such as creating risk scores for each vulnerability that is discovered. “Vulnerabilities found in container images are sent to Amazon ECR for resource owners to view and remediate,” the company said in a news release.
• Tigera: announced an integration of its cloud-native security and observability platform, Calico Cloud, with the AWS Control Tower multi-account security and governance tool. The integration makes it simpler to acquire “additional cluster security, granular workload access controls, live observability, and real-time troubleshooting capabilities for Amazon Elastic Kubernetes Service (EKS) clusters,” the company said in a news release.
• Anjuna Security: announced that its Confidential Cloud software, which leverages hardware protections to provide physical data isolation, can now be used in tandem with the AWS Nitro Enclaves isolated execution service to securely run Kubernetes workloads on AWS. This offers an “easy way for enterprise IT organizations to operate Kubernetes workloads on AWS Nitro Enclaves,” the company said in a news release.