Profile Applicability:

  • Level 2

Description:

Authorization for Docker client commands must be enabled to restrict access to Docker functionality. This ensures that only authorized users can execute Docker commands, which is particularly important in a multi-user or multi-tenant environment.

Rationale:

Enabling authorization for Docker commands prevents unauthorized users from executing commands that could potentially harm the system or compromise security. It provides a means of controlling who can interact with the Docker daemon and manage containers.

Impact:

Pros:

  • Provides an additional layer of security by ensuring only authorized users can manage Docker.

  • Reduces the risk of unauthorized access or actions on the Docker host.

Cons:

  • May require additional configuration to set up the authorization system, such as configuring Docker’s API or certificate-based authentication.

Default Value:

By default, Docker does not enable authorization for client commands unless explicitly configured.

Pre-requisites:

  • Docker installed and running.

  • Administrative privileges to configure Docker security.


Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify whether Docker authorization is configured by checking the daemon settings in the /etc/docker/daemon.json file:

    cat /etc/docker/daemon.json

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to verify the authorization settings:

    cat /etc/docker/daemon.json
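The inspection in step 2 can be scripted. The following is an added example, not part of this benchmark or of Docker's tooling: it parses daemon.json and reports whether a tcp:// listener is protected by tlsverify and the three certificate keys used in the Implementation Plan. The sample configurations are constructed here from the plans on this page.

```python
import json

# Constructed sample: the TLS configuration that this page's Implementation Plan writes.
TLS_CONFIG = """
{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscert": "/etc/docker/cert.pem",
  "tlskey": "/etc/docker/key.pem",
  "tlscacert": "/etc/docker/ca.pem"
}
"""

# Constructed sample: the Backout Plan configuration (local unix socket only).
LOCAL_CONFIG = '{"hosts": ["unix:///var/run/docker.sock"]}'

# Constructed sample: a remote tcp:// listener with no TLS keys at all.
PLAIN_TCP_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'


def check_daemon_json(text):
    """Return findings for a daemon.json document; an empty list means every
    tcp:// listener requires verified client certificates. A unix-socket-only
    daemon yields one INFO finding: access is then governed by the socket's
    file permissions rather than by certificates."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["FAIL: daemon.json is not valid JSON: %s" % exc]
    hosts = cfg.get("hosts", [])
    tcp_hosts = [h for h in hosts if isinstance(h, str) and h.startswith("tcp://")]
    if not tcp_hosts:
        return ["INFO: no tcp:// listener; only the local unix socket is exposed"]
    findings = []
    if cfg.get("tlsverify") is not True:
        findings.append("FAIL: tcp listener %s without tlsverify=true" % ", ".join(tcp_hosts))
    for key in ("tlscert", "tlskey", "tlscacert"):
        if not cfg.get(key):
            findings.append("FAIL: %s is not set" % key)
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    with open(path) as f:
        report = check_daemon_json(f.read()) or ["PASS: tcp listener requires client certificates"]
    print("\n".join(report))
```

A PASS only confirms the keys in daemon.json; it does not check that the certificate files exist, nor that the systemd unit's ExecStart omits -H, which conflicts with a hosts entry in daemon.json and stops the daemon from starting.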


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Enable Docker client authorization by configuring TLS with certificate-based client authentication. Modify the /etc/docker/daemon.json file:

    {
      "hosts": ["tcp://0.0.0.0:2376"],
      "tlsverify": true,
      "tlscert": "/etc/docker/cert.pem",
      "tlskey": "/etc/docker/key.pem",
      "tlscacert": "/etc/docker/ca.pem"
    }
  3. Restart Docker to apply the changes:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM Run Command to write the Docker configuration and restart Docker. Placing the commands in a parameters file (named enable-docker-tls.json here) avoids having to escape, on the command line, the JSON that is written to daemon.json:

    {
      "commands": [
        "echo '{\"hosts\": [\"tcp://0.0.0.0:2376\"], \"tlsverify\": true, \"tlscert\": \"/etc/docker/cert.pem\", \"tlskey\": \"/etc/docker/key.pem\", \"tlscacert\": \"/etc/docker/ca.pem\"}' > /etc/docker/daemon.json",
        "sudo systemctl restart docker"
      ]
    }

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters file://enable-docker-tls.json


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the authorization configuration in /etc/docker/daemon.json to disable TLS or revert to the default settings:

    {
      "hosts": ["unix:///var/run/docker.sock"]
    }
  3. Restart Docker:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM Run Command to revert the authorization settings and restart Docker, again with the commands in a parameters file (named revert-docker-config.json here):

    {
      "commands": [
        "echo '{\"hosts\": [\"unix:///var/run/docker.sock\"]}' > /etc/docker/daemon.json",
        "sudo systemctl restart docker"
      ]
    }

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters file://revert-docker-config.json


References: