(Architecture figure; only its labels survived extraction)
• Bring your own Amazon EC2 instances (and/or AWS Fargate–managed servers)
• On each EC2 instance: Amazon ECS container agent → container runtime → containers
• API calls to run containers
• API calls to download container images (Amazon ECR, Docker Hub, …)
• API calls to send container logs (Amazon CloudWatch Logs, Fluentd, …)
• Elastic Load Balancing
Amazon ECS task
• Defined by a “task definition”
• A group of 1 or more containers
• The smallest deployable unit
• Configure networking, storage, parameters, IAM roles, and compute resources
• Similar to the docker run command on your local machine

Amazon ECS service
• Defined by a “service definition”
• Enables you to run and maintain a required number of Amazon ECS tasks
• Automatically handles Amazon ECS task failures by replacing them with new Amazon ECS tasks
• Configure Amazon VPC networking, deployment type, optional load balancers, and service discovery
Amazon ECS cluster
• A grouping of tasks or services in a region
• Multiple clusters can be created
• Clusters / services / tasks work as IAM permission boundaries
(Figure: ECS cluster → ECS services → ECS tasks)
Security group inbound rules, CIDR-based sources:
Type and port        Allowed source
HTTPS: 443           0.0.0.0/0 (Public access)
HTTP: 80             10.0.0.0/16 (From within the VPC)
MySQL/Aurora: 3306   10.0.0.0/16 (From within the VPC)
Security group inbound rules, sources referenced by security group:
Type and port        Allowed source
HTTPS: 443           0.0.0.0/0 (Public access)
HTTP: 80             sg-ALB (Only from the ALB)
MySQL/Aurora: 3306   sg-ECSTask (Only from the ECS tasks)
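The two rule sets above differ only in how the source is expressed. The following is an added example (not code from the original slides): it audits a security group's inbound rules in the IpPermissions shape returned by `aws ec2 describe-security-groups`, flags CIDR sources and any-address sources on ports that are not meant to be public, and rewrites a rule so that its only source is the caller's security group. The group ids (sg-ALB, sg-ECSTask), the public-port set, and both rule sets are constructed for illustration.

```python
"""Added example, not from the original slides: audit inbound security group
rules for ECS tasks and rewrite CIDR sources as security group references.
Dict shapes follow the IpPermissions structure of `aws ec2 describe-security-groups`;
the group ids (sg-ALB, sg-ECSTask), ports and rule sets are constructed."""
from ipaddress import ip_network

# Ports intentionally exposed to the internet (assumption for this example).
PUBLIC_PORTS = {443}


def audit_ingress(permissions, public_ports=PUBLIC_PORTS):
    """Return (port, source, reason) for every inbound rule that should be tightened.

    Rules sourced from a security group (UserIdGroupPairs) pass: they follow the
    caller wherever it is placed in the VPC. CIDR sources are flagged, and an
    any-address CIDR on a port that is not meant to be public is flagged as well.
    """
    findings = []
    for perm in permissions:
        port = perm.get("FromPort")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if ip_network(cidr).prefixlen == 0:
                if port not in public_ports:
                    findings.append((port, cidr, "open to any address on a non-public port"))
            else:
                findings.append((port, cidr, "CIDR source; reference the caller's security group instead"))
    return findings


def reference_source_group(perm, group_id):
    """Return a copy of an inbound rule whose only source is the given security group."""
    tightened = {k: v for k, v in perm.items() if k not in ("IpRanges", "Ipv6Ranges")}
    tightened["IpRanges"] = []
    tightened["Ipv6Ranges"] = []
    tightened["UserIdGroupPairs"] = [{"GroupId": group_id}]
    return tightened


def rule(port, cidr=None, group_id=None):
    """Build one IpPermissions entry (helper for the constructed samples)."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": group_id}] if group_id else [],
    }


# Constructed sample: the CIDR-based rule set from the slide.
CIDR_RULES = [
    rule(443, cidr="0.0.0.0/0"),     # ALB listener, public by design
    rule(80, cidr="10.0.0.0/16"),    # ALB -> tasks, but any host in the VPC may connect
    rule(3306, cidr="10.0.0.0/16"),  # tasks -> database, same problem
]

# The tightened rule set: same ports, sources expressed as security groups.
SG_RULES = [
    CIDR_RULES[0],
    reference_source_group(CIDR_RULES[1], "sg-ALB"),
    reference_source_group(CIDR_RULES[2], "sg-ECSTask"),
]

if __name__ == "__main__":
    for port, src, why in audit_ingress(CIDR_RULES):
        print(f"port {port} from {src}: {why}")
    print("findings after tightening:", audit_ingress(SG_RULES))
```

Run against the CIDR-based set it reports ports 80 and 3306; run against the security-group-referenced set it reports nothing, because a source group keeps following the ALB or the tasks even when their private addresses change.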
Step 5: Enabling ECR features
1. Tag immutability
• … push
• Use immutable tags to use expected container images at any given time
2. Image scanning
• “Scan on push” for automatic scanning
• Scheduled rescanning is also recommended to handle CVEs after image creation; see also https://aws.amazon.com/blogs/containers/amazon-ecr-native-container-image-scanning/
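As an added example (not code from the slides or from AWS), the following gates a deployment on the two ECR features above: it checks a repository's tag mutability and scan-on-push setting, and it fails an image whose scan is incomplete, stale (the reason scheduled rescanning is recommended), or carries findings at or above a chosen severity. The dict shapes follow the responses of `aws ecr describe-repositories` and `aws ecr describe-image-scan-findings`; the repository name, counts and timestamps are constructed, and treating UNDEFINED severity like HIGH is this example's policy choice.

```python
"""Added example, not from the original slides: gate a deployment on ECR
repository settings and image scan results. Dict shapes follow the responses
of `aws ecr describe-repositories` and `aws ecr describe-image-scan-findings`;
the repository, counts and timestamps are constructed."""
from datetime import datetime, timedelta, timezone

# ECR severity levels, least to most severe. UNDEFINED has no CVSS score, so this
# policy (an assumption) treats it like HIGH rather than ignoring it.
RANK = {s: i for i, s in enumerate(["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}
RANK["UNDEFINED"] = RANK["HIGH"]


def repository_gate(repo):
    """Check the two ECR features from the slide: immutable tags and scan on push."""
    reasons = []
    if repo.get("imageTagMutability") != "IMMUTABLE":
        reasons.append("tags are mutable: a tag can be repointed to a different image")
    if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
        reasons.append("scan on push is disabled")
    return not reasons, reasons


def scan_gate(scan, fail_at="HIGH", now=None, max_age=timedelta(days=7)):
    """Fail when the scan is not COMPLETE, is stale, or has findings at/above fail_at.

    Staleness matters because new CVEs are published after an image is built;
    a scan older than max_age should be rerun (the slide's scheduled rescanning).
    """
    reasons = []
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, not COMPLETE"]
    findings = scan.get("imageScanFindings", {})
    completed = findings.get("imageScanCompletedAt")
    now = now or datetime.now(timezone.utc)
    if completed is None or now - completed > max_age:
        reasons.append("scan result is stale; rescan before deploying")
    for severity, count in findings.get("findingSeverityCounts", {}).items():
        if count > 0 and RANK.get(severity, RANK["HIGH"]) >= RANK[fail_at]:
            reasons.append(f"{count} {severity} finding(s)")
    return not reasons, reasons


# Constructed samples.
REPO_OK = {"repositoryName": "example/app", "imageTagMutability": "IMMUTABLE",
           "imageScanningConfiguration": {"scanOnPush": True}}
REPO_BAD = {"repositoryName": "example/app", "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {"scanOnPush": False}}
SCAN_TIME = datetime(2020, 1, 1, tzinfo=timezone.utc)
SCAN = {"imageScanStatus": {"status": "COMPLETE"},
        "imageScanFindings": {"imageScanCompletedAt": SCAN_TIME,
                              "findingSeverityCounts": {"HIGH": 1, "LOW": 3}}}

if __name__ == "__main__":
    print(repository_gate(REPO_BAD))
    print(scan_gate(SCAN, now=SCAN_TIME + timedelta(days=1)))
    print(scan_gate(SCAN, now=SCAN_TIME + timedelta(days=30)))
```

The `now` parameter exists so the staleness check is testable; in a pipeline, leave it unset and the current time is used.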
• … image scanning
• No privileged mode
• Non-root user
• Read-only file system
• Security groups
• Secrets
• Task role and task execution role
• Container logs
Learn more: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
IAM Policy: ECS full access only if the resource “Owner” tag and the user “Team” tag values match

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ECSFullAccessIfOwner",
    "Effect": "Allow",
    "Action": "ecs:*",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "ecs:ResourceTag/Owner": "${aws:PrincipalTag/Team}"
      }
    }
  }]
}
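To show how the condition above behaves for different principal/resource tag combinations, here is an added example (not code from the slides, and not AWS's policy engine): a minimal evaluator that handles only what this policy uses, namely Allow statements, action wildcards, `StringEquals` on `ecs:ResourceTag/<key>` with a single string value, and `${aws:PrincipalTag/...}` variables. The principal and resource tags it is run against are constructed.

```python
"""Added example, not from the original slides: a minimal evaluator for the
tag-matching policy on the slide. It handles only what that policy uses
(Allow statements, action wildcards, StringEquals on ecs:ResourceTag keys,
and ${aws:PrincipalTag/...} variables); it is not AWS's policy engine, and the
principal and resource tags are constructed."""
import fnmatch
import re

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ECSFullAccessIfOwner",
        "Effect": "Allow",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"ecs:ResourceTag/Owner": "${aws:PrincipalTag/Team}"}
        },
    }],
}

PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}; return None if any variable has no value."""
    missing = False

    def sub(match):
        nonlocal missing
        tag = principal_tags.get(match.group(1))
        if tag is None:
            missing = True
            return ""
        return tag

    resolved = PRINCIPAL_TAG_VAR.sub(sub, value)
    return None if missing else resolved


def condition_holds(condition, principal_tags, resource_tags):
    """Evaluate StringEquals blocks whose keys are ecs:ResourceTag/<TagKey>."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ecs:ResourceTag/"):
            raise NotImplementedError(f"condition key {key} not supported in this example")
        tag_key = key[len("ecs:ResourceTag/"):]
        wanted = resolve(expected, principal_tags)
        actual = resource_tags.get(tag_key)
        # Untagged resource, unresolved variable, or mismatch: the condition is false.
        if wanted is None or actual is None or actual != wanted:
            return False
    return True


def is_allowed(policy, action, principal_tags, resource_tags):
    """True when some Allow statement matches the action and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


if __name__ == "__main__":
    print(is_allowed(POLICY, "ecs:UpdateService", {"Team": "payments"}, {"Owner": "payments"}))
    print(is_allowed(POLICY, "ecs:UpdateService", {"Team": "payments"}, {"Owner": "search"}))
    print(is_allowed(POLICY, "ecs:UpdateService", {}, {"Owner": "payments"}))
```

Two consequences worth noticing: a principal with no Team tag, or a resource with no Owner tag, gets nothing from this statement, because a missing condition key makes `StringEquals` false; and since real IAM evaluates the same way, API actions that do not carry a taggable resource in their request context need a separate statement if they are required.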
Step 7: Audit AWS API calls
• AWS CloudTrail records API call events in your AWS account
• Recorded events will have
  § eventTime
  § userIdentity
  § eventSource (represents an AWS service)
  § eventName (represents an API action name)
  § and more!
Learn more: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
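The fields listed above are enough to pull ECS control-plane activity out of a CloudTrail log file. The following is an added example (not code from the slides): it parses records in CloudTrail's JSON shape, lists who invoked the ECS actions that change what runs, and counts AccessDenied errors per principal. The records, account id, ARNs and the set of watched actions are constructed for illustration.

```python
"""Added example, not from the original slides: pull ECS control-plane
activity out of CloudTrail records using the fields the slide names
(eventTime, userIdentity, eventSource, eventName). The records below are
constructed samples in CloudTrail's record shape, not real account data."""
import json
from collections import Counter

# ECS API actions that change what runs (the selection is this example's choice).
WATCHED = {"RunTask", "RegisterTaskDefinition", "UpdateService", "CreateService"}

# Constructed log file: three ECS events and one unrelated EC2 event.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-01-01T10:00:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "RegisterTaskDefinition", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}},
    {"eventTime": "2020-01-01T10:00:05Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "RunTask", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2020-01-01T10:00:09Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "ListClusters", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2020-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})


def load_records(text):
    """CloudTrail log files are a JSON object with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def ecs_changes(records, watched=WATCHED):
    """(eventTime, principal ARN, eventName, succeeded) for watched ECS actions."""
    return [
        (r["eventTime"], r["userIdentity"].get("arn"), r["eventName"], "errorCode" not in r)
        for r in records
        if r.get("eventSource") == "ecs.amazonaws.com" and r.get("eventName") in watched
    ]


def denied_by_principal(records, service="ecs.amazonaws.com"):
    """Count AccessDenied errors per principal for one service.

    A burst of denials is either a policy that is too tight for legitimate work
    or a principal trying calls it was never meant to make; both deserve a look.
    """
    return Counter(
        r["userIdentity"].get("arn")
        for r in records
        if r.get("eventSource") == service and r.get("errorCode") == "AccessDenied"
    )


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for when, who, what, ok in ecs_changes(recs):
        print(when, who, what, "ok" if ok else "DENIED")
    print(dict(denied_by_principal(recs)))
```

The same filter can be expressed as a CloudWatch Logs metric filter or an Athena query over the CloudTrail bucket once the fields to key on (eventSource, eventName, errorCode) are settled.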
Step 8: Validate your resources
• IAM resources can be automatically remediated
• Amazon ECS is not officially supported by AWS Config yet
• Write custom rules to validate Amazon ECS resources such as task definitions
For more examples, go to https://github.com/awslabs/aws-config-rules
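A custom rule for task definitions would evaluate the hardening items from the earlier slide (no privileged mode, non-root user, read-only file system, secrets, task role and task execution role, container logs) plus the pinned-image point from the ECR slide. The following is an added example (not code from the slides, from AWS, or from the aws-config-rules repository): a standalone evaluator that reads a task definition in the ECS JSON shape and returns the COMPLIANT / NON_COMPLIANT verdict with annotations, the way a Config custom rule reports, without the Lambda packaging. The task definitions, ARNs and the secret-name heuristic are constructed.

```python
"""Added example, not from the original slides: check an ECS task definition
against the hardening items on the task definition slide and return a Config-style
verdict. Not an AWS Config rule package; the sample task definitions, ARNs and
the secret-name regex are constructed assumptions."""
import re

# Heuristic (assumption): environment variable names that usually carry a secret.
SECRET_LIKE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def image_is_pinned(image):
    """True for a digest reference or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/path, which may contain ':port'
    return ":" in last and not image.endswith(":latest")


def check_container(c):
    """Per-container items from the slide; returns a list of annotations."""
    name = c.get("name", "?")
    issues = []
    if c.get("privileged"):
        issues.append(f"{name}: privileged mode enabled")
    user = str(c.get("user", "")).split(":")[0]
    if user in ("", "root", "0"):
        issues.append(f"{name}: runs as root (set a non-root user)")
    if not c.get("readonlyRootFilesystem"):
        issues.append(f"{name}: root file system is writable")
    image = c.get("image", "")
    if not image_is_pinned(image):
        issues.append(f"{name}: image {image!r} is not pinned to an explicit tag or digest")
    for env in c.get("environment", []):
        if SECRET_LIKE.search(env.get("name", "")):
            issues.append(f"{name}: environment variable {env['name']} looks like a secret; "
                          "pass it through 'secrets' with valueFrom instead")
    if not c.get("logConfiguration", {}).get("logDriver"):
        issues.append(f"{name}: no log configuration")
    return issues


def evaluate_task_definition(td):
    """Return (compliance, annotations) in the style of an AWS Config evaluation."""
    issues = []
    if not td.get("taskRoleArn"):
        issues.append("no taskRoleArn: give the task its own least-privilege role")
    if not td.get("executionRoleArn"):
        issues.append("no executionRoleArn: needed to pull private images and read secrets")
    for c in td.get("containerDefinitions", []):
        issues.extend(check_container(c))
    return ("NON_COMPLIANT" if issues else "COMPLIANT"), issues


# Constructed samples: one definition that violates every item, one that passes.
BAD = {"family": "web", "containerDefinitions": [{
    "name": "web", "image": "nginx:latest", "privileged": True,
    "environment": [{"name": "DB_PASSWORD", "value": "example-only"}]}]}

GOOD = {"family": "web",
        "taskRoleArn": "arn:aws:iam::111122223333:role/web-task",
        "executionRoleArn": "arn:aws:iam::111122223333:role/web-exec",
        "containerDefinitions": [{
            "name": "web",
            "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2",
            "user": "1000:1000", "readonlyRootFilesystem": True,
            "secrets": [{"name": "DB_PASSWORD",
                         "valueFrom": "arn:aws:ssm:us-east-1:111122223333:parameter/web/db-password"}],
            "logConfiguration": {"logDriver": "awslogs",
                                 "options": {"awslogs-group": "/ecs/web",
                                             "awslogs-region": "us-east-1",
                                             "awslogs-stream-prefix": "web"}}}]}

if __name__ == "__main__":
    for td in (BAD, GOOD):
        verdict, notes = evaluate_task_definition(td)
        print(td["family"], verdict)
        for n in notes:
            print("  -", n)
```

Wired into a Config custom rule, `evaluate_task_definition` would run on each RegisterTaskDefinition event; the same function can also run in the CI/CD pipeline before the definition is registered, which catches the problem earlier.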
Automate everything
• CI/CD pipelines help automate building, testing, and deployment
(Figure: Source → Build → Test → Deploy → Monitor)
Related session: CON210 – Developing CI/CD pipelines with Amazon ECS and AWS Fargate
… your container data plane on AWS
Related session: CON216 – AWS Fargate: Are serverless containers right for you?
• AWS manages and patches hosts for you
• No privileged or SSH access
• Secure isolation boundaries
Takeaways
• … throughout their life cycles
• Keep operations robust

One step further
• Automate everything as much as possible
• Use AWS Fargate to harden your workloads with less effort

Get started today
• All Amazon ECS features covered today are available without installing any additional software