Docker for AWS and Docker for Azure are much more than a simple way to set up Docker in the cloud. By default they provision an infrastructure designed with security in mind, giving you a secure platform to build, ship and run Docker apps in the cloud. Available for free in Community Edition, and as a subscription with support and integrated management in Enterprise Edition, Docker for AWS and Docker for Azure let you leverage pre-configured security features for your apps today, without having to be a cloud infrastructure expert.
You don’t have to take our word for it: in February 2017 we engaged NCC Group, an independent security firm, to conduct a security assessment of Docker for AWS and Docker for Azure. The assessment covered Docker for AWS and Docker for Azure in Community Edition and Enterprise Edition Basic, and took place from February 6 to 17, 2017. NCC Group was tasked with assessing whether these Docker Editions not only provision secure infrastructure with sensible defaults, but also leverage and integrate the best security features of each cloud. We’d like to openly share their findings with you today.
NCC Group evaluated our security model and defaults, including:
- Cloud-specific access control with IAM roles in AWS and Service Principals in Azure to run enterprise workloads in a least-privileged manner
- Network configuration settings, including newly provisioned load balancers that are dynamically updated as applications are created and updated
- Underlying host network configuration review to provide minimal network exposure
NCC Group does point out some limitations of Docker for AWS and Azure, for example that access to the swarm is managed with a single SSH key, which makes it impractical for larger teams of developers and ops to share access. Docker offers additional products that address this:
- Fleet Management from Docker Cloud to let you share access to a Docker Community Edition (CE) swarm using Docker ID, including integration with Docker for Mac and Windows
- Docker Enterprise Edition Standard and Advanced tiers (formerly known as Docker Datacenter) for AWS and Azure provide a full Container-as-a-Service environment with integrated user management and granular RBAC
Additionally, NCC Group has previously covered the Docker Engine’s security features in their whitepaper on hardening Linux containers, which evaluated runtime protections such as syscall filtering with seccomp and dropping Linux capabilities by default.
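Those engine defaults only protect you while they stay switched on, so a practical check is to verify that no container on a node has turned them off. The following script is an added example (not code from Docker or from the NCC Group reports): it reads the JSON that `docker inspect` prints and flags containers that disabled the default seccomp profile, added capabilities beyond the default set, run privileged, or share host namespaces. The sample inspect output and the short list of dangerous capabilities are constructed for this example.

```python
"""Audit Docker Engine runtime hardening from `docker inspect` output.

Added example, not code from Docker or from the NCC Group reports. It checks
whether containers keep the Engine defaults the post refers to (the default
seccomp profile applied, no capabilities beyond the default set) and flags
options that weaken them. Feed it the JSON array that `docker inspect` prints.
"""
import json
import sys

# Capabilities whose addition gives a process a direct route to the host.
# Assumption: a short, opinionated list for this example, not an exhaustive one.
DANGEROUS_CAPS = {
    "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
    "NET_ADMIN", "DAC_READ_SEARCH", "SYS_BOOT",
}


def normalize_cap(cap: str) -> str:
    """Accept both 'SYS_ADMIN' and 'CAP_SYS_ADMIN' (inspect keeps what the user typed)."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(entry: dict) -> list:
    """Return findings for one `docker inspect` entry; an empty list means defaults intact."""
    name = entry.get("Name", "?").lstrip("/")
    hc = entry.get("HostConfig") or {}
    findings = []

    if hc.get("Privileged"):
        findings.append(f"{name}: --privileged disables seccomp, capability dropping and device isolation")

    # SecurityOpt is null when nothing was passed; values look like 'seccomp=unconfined'
    for opt in hc.get("SecurityOpt") or []:
        key, _, value = opt.replace(":", "=").partition("=")
        if key == "seccomp" and value == "unconfined":
            findings.append(f"{name}: seccomp disabled, no syscall filtering")
        elif key == "apparmor" and value == "unconfined":
            findings.append(f"{name}: AppArmor profile disabled")

    # CapAdd is null unless --cap-add was used; anything here widens the default set
    cap_add = {normalize_cap(c) for c in hc.get("CapAdd") or []}
    if "ALL" in cap_add:
        findings.append(f"{name}: --cap-add ALL restores every capability the default drops")
    else:
        for cap in sorted(cap_add & DANGEROUS_CAPS):
            findings.append(f"{name}: added dangerous capability {cap}")

    # Sharing host namespaces bypasses the isolation the other checks assume
    for field, flag in (("PidMode", "--pid=host"), ("NetworkMode", "--net=host"), ("IpcMode", "--ipc=host")):
        if hc.get(field) == "host":
            findings.append(f"{name}: {flag} shares the host namespace")

    return findings


def audit_all(inspect_json: str) -> dict:
    """Map container name -> findings for a whole `docker inspect` array."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


# Constructed sample of `docker inspect` output (only the fields used here).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "SecurityOpt": None,
                                   "CapAdd": None, "CapDrop": None,
                                   "PidMode": "", "NetworkMode": "default", "IpcMode": "private"}},
    {"Name": "/debug", "HostConfig": {"Privileged": False,
                                     "SecurityOpt": ["seccomp=unconfined"],
                                     "CapAdd": ["CAP_SYS_ADMIN", "NET_BIND_SERVICE"],
                                     "CapDrop": None,
                                     "PidMode": "host", "NetworkMode": "default", "IpcMode": "private"}},
])

if __name__ == "__main__":
    # Usage on a host:  docker inspect $(docker ps -q) | python3 audit_runtime.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for container, findings in audit_all(data).items():
        status = "OK (engine defaults intact)" if not findings else f"{len(findings)} finding(s)"
        print(f"{container}: {status}")
        for f in findings:
            print("  " + f)
```

On the constructed sample the `web` container produces no findings, while `debug` is flagged three times: seccomp switched off, `SYS_ADMIN` added, and the host PID namespace shared. Run against real nodes it is a cheap way to confirm that the defaults NCC Group evaluated are still what your workloads actually run under.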
We’ve also worked with NCC Group to validate the cryptography and system security for Notary, our signing and verification framework that ensures Docker images are untampered and always up to date. Read the full report.
Docker is continuing to improve Docker for AWS and Azure (and GCP) to give users an easy-to-use way to configure secure container setups in the cloud. Click here to get started with Docker for AWS and Docker for Azure today.