Amazon Web Services (AWS) and its cybersecurity partners placed a major emphasis on Kubernetes container security in their product launches this week at the re:Invent 2021 conference.
The announcements included extending AWS security tools to cover containers, a new AWS marketplace for containerized apps that offers security benefits, and a preview of upcoming container workload protections for the Amazon Elastic Kubernetes Service (EKS).
“As the adoption of containers skyrockets, so does the need for easy-to-manage and scale container security,” AWS chief information security officer Stephen Schmidt said during re:Invent.
AWS has “heard that message,” he said, and the cloud provider is “now developing feature sets that address container environments.”
Container surge
A survey by the Cloud Native Computing Foundation found that the use of containers in production has surged by 300% since 2016, with 92% of organizations using containers in production in 2020. That’s made containers a tempting target for cyber attackers: A recent study by Aqua Security found that 50% of new misconfigured Docker instances are attacked by botnets within 56 minutes of being set up.
At re:Invent, Schmidt said that, given the rise in use and threats around containers, there’s clearly a “need for some new security tooling associated with this particular space.”
It’s a very welcome thing for AWS to focus on improving security capabilities for container technologies that are used with AWS — particularly the now-dominant Kubernetes container orchestration platform, said George Burns, senior consultant for cloud operations at SPR, an AWS Advanced Consulting partner.
While securing traditional applications follows “very established processes, securing containers doesn’t,” Burns told VentureBeat. “So a lot of the innovation that we’ll see over the next several cycles will be regarding container security.”
What follows are six Kubernetes container security launches from Amazon Web Services and partners at re:Invent 2021.
Threat detection for container workloads
AWS said it plans to launch new threat detection capabilities for container workloads during the first quarter of 2022. Schmidt said the company doesn’t usually pre-announce features that are still under development. But given the growing importance of container security, the cloud giant is making an exception in revealing its new container threat detection features, he said.
The first new container threat detection features, launching in Q1 of 2022, will involve extending the Amazon GuardDuty threat detection service to Amazon Elastic Kubernetes Service (EKS) audit logs, he said.
“This will provide customers intelligent threat detection for their container workloads — scanning for unusual resource deployments [and] things like malicious configuration changes, or escalation of privilege attempts,” Schmidt said.
The company expects that coverage from its Amazon Inspector for the Amazon Elastic Container Registry (ECR) will follow, he said. AWS also plans an expansion of the Amazon Detective service that will bring “its investigation analysis into the container space in the near future,” he said.
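As an added illustration of the kind of EKS audit-log detection described above (this is example code, not AWS code and not how GuardDuty works internally), the following Python runs three rules over Kubernetes audit events: an unauthenticated principal mutating cluster state, a binding that grants cluster-admin, and a pod or workload requesting host namespaces or privileged containers. The sample events, usernames and rule names are all constructed for the example.

```python
import json
# Constructed sample EKS audit log lines in the Kubernetes audit.k8s.io/v1 Event shape
# (not real log data): a benign deployment, a cluster-admin grant, an anonymous privileged pod.
SAMPLE_AUDIT_LINES = [
    json.dumps({"verb": "create", "user": {"username": "ci-deployer", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "deployments", "namespace": "shop", "name": "web"},
                "requestObject": {"spec": {"template": {"spec": {"containers": [{"name": "web"}]}}}}}),
    json.dumps({"verb": "create", "user": {"username": "dev-bob", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "clusterrolebindings", "name": "bob-admin"},
                "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                                  "subjects": [{"kind": "User", "name": "dev-bob"}]}}),
    json.dumps({"verb": "create", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "dbg"},
                "requestObject": {"spec": {"hostPID": True, "containers": [
                    {"name": "dbg", "securityContext": {"privileged": True}}]}}}),
]
MUTATING_VERBS = {"create", "update", "patch", "delete"}

def findings_for_event(event: dict) -> list:
    """Rule names that fire for one audit event; an empty list means nothing suspicious."""
    verb, user = event.get("verb", ""), event.get("user", {})
    ref, req = event.get("objectRef", {}), event.get("requestObject") or {}
    hits = []
    # An unauthenticated principal should never be changing cluster state.
    if verb in MUTATING_VERBS and (user.get("username") == "system:anonymous"
                                   or "system:unauthenticated" in user.get("groups", [])):
        hits.append("anonymous-mutation")
    # Privilege escalation: granting cluster-admin through a (Cluster)RoleBinding.
    if (verb in MUTATING_VERBS and ref.get("resource") in ("clusterrolebindings", "rolebindings")
            and req.get("roleRef", {}).get("name") == "cluster-admin"):
        hits.append("cluster-admin-binding")
    # Unusual deployment: host namespaces or privileged containers, in a bare Pod or a pod template.
    if verb == "create" and ref.get("resource") in ("pods", "deployments", "daemonsets", "jobs"):
        spec = req.get("spec", {})
        spec = spec["template"].get("spec", {}) if "template" in spec else spec
        privileged = any((c.get("securityContext") or {}).get("privileged")
                         for c in spec.get("containers", []))
        if spec.get("hostPID") or spec.get("hostNetwork") or privileged:
            hits.append("privileged-pod")
    return hits

def scan_audit_log(lines) -> dict:
    """Map 'resource/name' to the rules that fired; events with no findings are omitted."""
    results = {}
    for line in lines:
        event = json.loads(line)
        if hits := findings_for_event(event):
            ref = event.get("objectRef", {})
            results[f"{ref.get('resource')}/{ref.get('name')}"] = hits
    return results
```

On a real cluster the input would be the EKS control-plane audit log stream rather than the inline sample, and each rule would need tuning for the principals and namespaces that are legitimately allowed to perform these actions.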
Vulnerability management for container workloads
At re:Invent, AWS disclosed an expansion of its vulnerability management service, Amazon Inspector, to include container workloads. Amazon Inspector can now assess ECR-based container workloads, in addition to Elastic Compute Cloud (EC2) workloads, AWS said.
Additionally, assessment scans with Amazon Inspector are now continual and automated, taking the place of manual scans that occur only periodically, according to the company.
Using the updated Amazon Inspector will enable auto-discovery and begin a continual assessment of a customer’s ECR-based container workloads and EC2 workloads — ultimately evaluating the customer’s security posture “even as the underlying resources change,” AWS wrote in a blog post.
Securing containers from public registries
To help development teams secure containers they’ve obtained from publicly accessible registries, AWS announced pull-through cache repository support in Amazon Elastic Container Registry.
The support will “offer developers the improved performance, security, and availability of Amazon Elastic Container Registry for container images that they source from public registries,” AWS said in a blog.
“Images in pull-through cache repositories are automatically kept in sync with the upstream public registries, thereby eliminating the manual work of pulling images and periodically updating,” the blog said. “Pull through cache repositories provide the benefits of the built-in security capabilities in Amazon Elastic Container Registry, such as AWS PrivateLink enabling you to keep all of the network traffic private, image scanning to detect vulnerabilities, encryption with AWS Key Management Service (KMS) keys, cross-region replication, and lifecycle policies.”
AWS Marketplace for Containers Anywhere
AWS launched a new marketplace at re:Invent 2021, the AWS Marketplace for Containers Anywhere, which enables customers to find third-party containerized apps that are vetted and scanned for security issues. These apps can then be deployed in Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS).
“Many customers that run Kubernetes applications on AWS want to deploy them on-premises due to constraints, such as latency and data governance requirements. Also, once they’ve deployed the Kubernetes application, they need additional tools to govern the application through license tracking, billing, and upgrades,” AWS wrote in a blog post.
AWS Marketplace for Containers Anywhere enables customers to deploy third-party Kubernetes apps “on any Kubernetes cluster in any environment,” the company said. “This capability makes the AWS Marketplace more useful for customers who run containerized workloads.”
Customers can deploy third-party Kubernetes apps to on-premises environments via Amazon EKS Anywhere, in any customer self-managed Kubernetes cluster located on-prem, or in Amazon EC2, AWS said. This ultimately enables customers to “use a single catalog to find container images regardless of where they eventually plan to deploy,” the company said.
Security is among the top benefits for customers of the AWS Marketplace for Containers Anywhere, said Gaurav Rishi, vice president of product at Kasten by Veeam, a Kubernetes data protection vendor participating in the new marketplace. All applications listed on the marketplace are scanned for Common Vulnerabilities and Exposures (CVEs), ensuring “enhanced security” for customers, Rishi said in an email to VentureBeat.
Secure offerings in the Containers Anywhere marketplace
Many of the initial vendor partners launching apps in AWS Marketplace for Containers Anywhere touted the additional built-in security capabilities of their apps:
- HAProxy Technologies: Enterprise Ingress Controller, a software load balancer for delivering apps and websites with high performance as well as strong security and observability.
- Isovalent: open source and enterprise products, including Cilium and eBPF, which address security, networking, and observability issues for cloud-native infrastructure.
- JFrog: “liquid software” that aims to “power the world’s software updates through the seamless, secure flow of binaries from developers to the edge.”
- Kasten by Veeam: the Kasten K10 data management platform, which is “purpose-built” for Kubernetes as an “easy-to-use, scalable, and secure system for backup and restore, disaster recovery, and application mobility.”
- Nirmata: open source and enterprise products for “policy-based security and automation of production Kubernetes workloads and clusters.”
- Palo Alto Networks: CN-Series Container Next-Gen Firewall, which is “purpose built to secure the Kubernetes environment from network based attacks.”
- Prosimo: Jumpstart, which brings together cloud networking, security, performance, observability, and cost management to “reduce enterprise cloud deployment complexity and risk.”
Integrations for Kubernetes security
During re:Invent 2021, a number of vendor partners also announced new integrations that can help with securing Kubernetes usage. They included:
- Snyk: announced that AWS integrated its vulnerability intelligence service, Snyk Security Intelligence, into the updated Amazon Inspector tool. Customer benefits include enhanced security for Kubernetes, Snyk said. Users can “ensure a uniform and superior source of vulnerability data across AWS’ security (Amazon Inspector) as well as developer tools (AWS CodeSuite, Amazon ECR, Amazon Elastic Kubernetes Service and AWS Lambda),” the company said in a news release.
- Axonius: announced it has integrated with the updated Amazon Inspector. Capabilities include the ability to “identify any AWS assets that haven’t been assessed with Amazon Inspector,” including container images that reside in Amazon ECR, the company said in a news release.
- Vulcan Cyber: also announced integrating with the enhanced Amazon Inspector, with capabilities such as creating risk scores for each vulnerability that’s discovered. “Vulnerabilities found in container images are sent to Amazon ECR for resource owners to view and remediate,” the company said in a news release.
- Tigera: announced an integration of its cloud-native security and observability platform, Calico Cloud, with the AWS Control Tower multi-account security and governance tool. The integration makes it simpler to acquire “additional cluster security, granular workload access controls, live observability, and real-time troubleshooting capabilities for Amazon Elastic Kubernetes Service (EKS) clusters,” the company said in a news release.
- Anjuna Security: announced that its Confidential Cloud software, which leverages hardware protections to provide physical data isolation, can now be used in tandem with the AWS Nitro Enclaves isolated execution service to securely run Kubernetes workloads on AWS. This offers an “easy way for enterprise IT organizations to operate Kubernetes workloads on AWS Nitro Enclaves,” the company said in a news release.
