Profile Applicability:
Level 1
Description:
Docker considers registries either secure or insecure. A secure registry uses TLS (Transport Layer Security) to ensure the authenticity and privacy of communication. An insecure registry lacks proper security, exposing communication to potential interception or modification. This check ensures that insecure registries are not used in the Docker environment.
Rationale:
A secure registry uses TLS, ensuring encrypted communication between Docker and the registry, preventing man-in-the-middle attacks. Insecure registries, on the other hand, can compromise the integrity and confidentiality of Docker image retrieval and storage.
Impact:
Pros:
Improves the security posture by ensuring that Docker images are fetched from secure sources.
Prevents the risk of compromising containers with malicious or tampered images.
Cons:
None directly, although ensuring secure registries requires proper certificate management.
Default Value:
By default, Docker assumes all registries, except for local ones, are secure.
Pre-requisites:
Administrative privileges to modify Docker configuration.
Proper certificates for the secure registries.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Execute the following command to identify any insecure registries in use:
docker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'
Using AWS CLI:
Connect to the EC2 instance and run the following command to check for insecure registries:
docker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'
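The `docker info` format above prints only CIDR entries; hostname entries from "insecure-registries" appear under IndexConfigs with Secure set to false, and the loopback range 127.0.0.0/8 is listed as insecure by default. The following added script (not part of this benchmark) evaluates the full RegistryConfig from `docker info --format '{{json .RegistryConfig}}'` and reports every non-default insecure entry; the registry name and CIDR in the embedded sample are constructed.

```python
"""Audit Docker RegistryConfig JSON for insecure (non-TLS) registries."""
import ipaddress
import json
import subprocess

# 127.0.0.0/8 is marked insecure by Docker's default; anything else was configured.
DEFAULT_INSECURE_CIDRS = {ipaddress.ip_network("127.0.0.0/8")}


def find_insecure_registries(registry_config: dict) -> list[str]:
    """Return non-default insecure registry entries, or [] when compliant."""
    findings = []
    for cidr in registry_config.get("InsecureRegistryCIDRs") or []:
        if ipaddress.ip_network(cidr, strict=False) not in DEFAULT_INSECURE_CIDRS:
            findings.append(f"insecure CIDR: {cidr}")
    # Hostname entries (e.g. "registry:5000") live here, flagged by Secure=false.
    for name, index in (registry_config.get("IndexConfigs") or {}).items():
        if not index.get("Secure", True):
            findings.append(f"insecure registry: {name}")
    return sorted(findings)


def audit_running_daemon() -> list[str]:
    """Query the local daemon (needs Docker access) and audit its configuration."""
    out = subprocess.run(
        ["docker", "info", "--format", "{{json .RegistryConfig}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_insecure_registries(json.loads(out))


# Constructed sample of `docker info --format '{{json .RegistryConfig}}'` output
# from a daemon with insecure-registries set; names and addresses are made up.
SAMPLE_REGISTRY_CONFIG = json.loads("""
{
  "InsecureRegistryCIDRs": ["127.0.0.0/8", "10.0.0.0/8"],
  "IndexConfigs": {
    "docker.io": {"Name": "docker.io", "Mirrors": [], "Secure": true, "Official": true},
    "registry.example.internal:5000": {"Name": "registry.example.internal:5000",
                                       "Mirrors": [], "Secure": false, "Official": false}
  },
  "Mirrors": []
}
""")

if __name__ == "__main__":
    for line in find_insecure_registries(SAMPLE_REGISTRY_CONFIG) or ["no insecure registries"]:
        print(line)
```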
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Ensure that Docker is not using insecure registries by editing the /etc/docker/daemon.json file so that no insecure registries are listed:
{ "insecure-registries": [] }
Restart Docker to apply changes:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the Docker configuration and restart Docker. Note that this command replaces the entire daemon.json file; if the file contains other settings, edit only the insecure-registries key instead:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"{\\\"insecure-registries\\\": []}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]'
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the Docker configuration to allow insecure registries (if needed) by modifying the /etc/docker/daemon.json file:
{ "insecure-registries": ["<registry-name>"] }
Restart Docker to apply the changes:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert Docker configuration:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"{\\\"insecure-registries\\\": [\\\"<registry-name>\\\"]}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]'
References: