Profile Applicability:

  • Level 1 

Description:

It is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured so that only clients presenting a certificate signed by a trusted CA can reach the Docker daemon at that IP address and port.

Rationale:

By default, Docker binds to a non-networked Unix socket and runs with root privileges. If the Docker daemon is instead exposed over a network port, anyone who can reach that port can control the Docker daemon, and control of the daemon is equivalent to root on the host (for example by starting a privileged container or bind-mounting the host filesystem). Configuring TLS authentication encrypts communication with the Docker daemon and limits access to clients that present a certificate signed by the configured CA.

Impact:

Pros:

  • Ensures secure communication by encrypting traffic to and from the Docker daemon.

  • Restricts access to the Docker daemon to clients that present a certificate signed by the configured CA.

Cons:

  • You will need to manage, distribute, rotate and protect the certificates and keys (the CA key in particular) used for TLS authentication.

Default Value:

By default, TLS authentication is not configured, and Docker does not expose its API over a TCP port.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Knowledge of managing certificates and configuring TLS for Docker.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify that Docker is configured to use TLS by inspecting the Docker daemon startup options:

    ps -ef | grep dockerd

  3. Ensure that the --tlsverify, --tlscacert, --tlscert, and --tlskey options are present. These options may be set in /etc/docker/daemon.json (as "tlsverify", "tlscacert", "tlscert" and "tlskey") instead of on the command line, in which case they do not appear in the ps output; inspect that file as well. Note that --tls alone only encrypts the connection; it is --tlsverify that makes the daemon reject clients without a certificate signed by the CA.

  4. Confirm whether the daemon actually exposes a TCP listener, either as -H tcp://... in the ps output or as a tcp:// entry in the "hosts" array of /etc/docker/daemon.json. If neither is present, the API is reachable only through the Unix socket and this check is not applicable.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to verify the presence of the necessary TLS parameters in the Docker configuration, applying the same checks as steps 3 and 4 of the console procedure:

    ps -ef | grep dockerd


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Edit the Docker daemon configuration file /etc/docker/daemon.json to include the necessary TLS parameters:

    {
      "tlsverify": true,
      "tlscacert": "/etc/docker/certs/ca.pem",
      "tlscert": "/etc/docker/certs/server-cert.pem",
      "tlskey": "/etc/docker/certs/server-key.pem"
    }

    These settings apply to the daemon's TCP listener, which is enabled either with -H tcp://... on the dockerd command line or with a "hosts" entry in daemon.json (2376 is the conventional port for the TLS-protected API, 2375 for plaintext). Do not set "hosts" in daemon.json while the systemd unit still passes -H fd:// on the command line: Docker refuses to start when the same directive appears in both places. The CA certificate, server certificate and server key must already exist at the paths given, with the key readable only by root, and clients must hold certificates signed by the same CA.

  3. Restart Docker to apply the changes:

    sudo systemctl restart docker


Using AWS CLI:

  1. Use SSM to update the Docker daemon configuration and restart Docker:

    aws ssm send-command \
      --document-name "AWS-RunShellScript" \
      --targets "Key=instanceIds,Values=instance_id" \
      --parameters '{"commands":[
        "cat > /etc/docker/daemon.json <<EOF",
        "{",
        "  \"tlsverify\": true,",
        "  \"tlscacert\": \"/etc/docker/certs/ca.pem\",",
        "  \"tlscert\": \"/etc/docker/certs/server-cert.pem\",",
        "  \"tlskey\": \"/etc/docker/certs/server-key.pem\"",
        "}",
        "EOF",
        "systemctl restart docker"
      ]}'

    AWS-RunShellScript executes the commands as root, so sudo is not needed. This replaces the whole of /etc/docker/daemon.json; if the file already contains other settings (for example "hosts" or "log-driver"), merge the four TLS keys into it instead of overwriting it.
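The following POSIX shell script is an added example, not part of this benchmark page or of Docker itself. It implements the audit from the Test Plan in a form that covers both places Docker reads its options from, the dockerd command line shown by ps -ef and /etc/docker/daemon.json, so a TLS configuration that lives only in the file is not reported as missing, and a daemon that has no TCP listener at all is reported as not applicable rather than as a failure. The command lines, daemon.json contents and certificate paths below are constructed for illustration; the function names (has_tcp_listener, option_set, docker_tls_audit) are this example's own.

```shell
#!/bin/sh
# Audit helper for "TLS authentication for the Docker daemon".
# Added example: inputs are passed in as strings so it runs offline; on a
# real host feed it the live values (see the comment at the bottom).
#
# dockerd takes the same options on its command line (-H/--host, --tlsverify,
# --tlscacert, ...) and in /etc/docker/daemon.json ("hosts", "tlsverify",
# "tlscacert", ...), so `ps -ef | grep dockerd` alone misses settings that
# live in the file. Every check below looks in both places.

# has_tcp_listener CMDLINE DAEMON_JSON -> 0 if dockerd exposes a tcp:// host
has_tcp_listener() {
    printf '%s\n' "$1" | grep -Eq -e '(-H|--host)[ =]+tcp://' && return 0
    # flatten the JSON so a multi-line "hosts" array is matched on one line
    printf '%s' "$2" | tr -d '\n' | grep -Eq -e '"hosts"[^]]*"tcp://' && return 0
    return 1
}

# option_set NAME CMDLINE DAEMON_JSON -> 0 if --NAME has a value on the
# command line or "NAME" has a value in daemon.json. tlsverify is a boolean
# (bare --tlsverify or "tlsverify": true); the certificate options need a path.
option_set() {
    if [ "$1" = tlsverify ]; then
        printf '%s\n' "$2" | grep -Eq -e '--tlsverify([ =]true| |$)' && return 0
        printf '%s' "$3" | tr -d '\n' \
            | grep -Eq -e '"tlsverify"[[:space:]]*:[[:space:]]*true' && return 0
    else
        printf '%s\n' "$2" | grep -Eq -e "--$1[= ][^- ]" && return 0
        printf '%s' "$3" | tr -d '\n' \
            | grep -Eq -e "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]+\"" && return 0
    fi
    return 1
}

# docker_tls_audit CMDLINE DAEMON_JSON -> exit 0 (PASS) or 1 (FAIL), verdict on stdout.
# --tls alone only encrypts; without --tlsverify the daemon still accepts any
# client, so only tlsverify plus all three certificate files counts as PASS.
docker_tls_audit() {
    if ! has_tcp_listener "$1" "$2"; then
        echo "PASS: no TCP listener; the API is reachable only via the Unix socket"
        return 0
    fi
    audit_rc=0
    for name in tlsverify tlscacert tlscert tlskey; do
        if option_set "$name" "$1" "$2"; then
            echo "  ok       $name"
        else
            echo "  MISSING  $name"
            audit_rc=1
        fi
    done
    if [ "$audit_rc" -eq 0 ]; then
        echo "PASS: TCP listener with TLS client verification"
    else
        echo "FAIL: TCP listener reachable without full TLS verification"
    fi
    return "$audit_rc"
}

# Constructed sample inputs (not captured from a real host).
# 1. Weak: plaintext TCP listener on 2375, no TLS anywhere.
WEAK_CMDLINE='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
WEAK_JSON='{ "log-driver": "json-file" }'
# 2. Hardened via daemon.json: "hosts" replaces -H on the command line, because
#    dockerd refuses to start when the same directive is set in both places.
HARDENED_CMDLINE='/usr/bin/dockerd --containerd=/run/containerd/containerd.sock'
HARDENED_JSON='{
  "hosts": ["fd://", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}'
# 3. Hardened on the command line: the form that ps -ef shows directly.
FLAGS_CMDLINE='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem'
FLAGS_JSON=''
# 4. Default install: Unix socket only, so TLS is not required.
SOCKET_CMDLINE='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
SOCKET_JSON=''

echo "== weak =="; docker_tls_audit "$WEAK_CMDLINE" "$WEAK_JSON" || :
echo "== hardened (daemon.json) =="; docker_tls_audit "$HARDENED_CMDLINE" "$HARDENED_JSON"
echo "== hardened (flags) =="; docker_tls_audit "$FLAGS_CMDLINE" "$FLAGS_JSON"
echo "== socket only =="; docker_tls_audit "$SOCKET_CMDLINE" "$SOCKET_JSON"
# On a live host, audit the running daemon with:
#   docker_tls_audit "$(ps -eo args | grep '[d]ockerd')" "$(cat /etc/docker/daemon.json 2>/dev/null)"
```

The audit deliberately does not accept --tls without --tlsverify: that combination encrypts the connection but still lets any client issue commands, which is exactly the exposure this control is meant to remove.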


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Remove the TLS configuration by editing the /etc/docker/daemon.json file and deleting the "tlscacert", "tlscert" and "tlskey" parameters, leaving TLS verification disabled:

    {
      "tlsverify": false
    }

    Do this only if the TCP listener is removed at the same time (so the daemon reverts to the Unix socket) or the port is otherwise restricted: a TCP listener without TLS verification accepts unauthenticated, root-equivalent commands from anyone who can reach the port.

  3. Restart Docker to apply the changes:

    sudo systemctl restart docker


Using AWS CLI:

  1. Use SSM to remove the TLS configuration and restart Docker:

    aws ssm send-command \
      --document-name "AWS-RunShellScript" \
      --targets "Key=instanceIds,Values=instance_id" \
      --parameters '{"commands":[
        "cat > /etc/docker/daemon.json <<EOF",
        "{",
        "  \"tlsverify\": false",
        "}",
        "EOF",
        "systemctl restart docker"
      ]}'

    As in the Implementation Plan, this runs as root and replaces the whole of /etc/docker/daemon.json; remove the TCP listener at the same time unless the port is otherwise restricted.


References: