Profile Applicability:
Level 1
Description:
Containers should be started from current, patched images. Running an outdated image exposes the containerized application to vulnerabilities and bugs that have already been fixed in newer releases. Note that "current" is a property of the image digest, not of the tag name: tags are mutable pointers, and the latest tag in particular is only a tag that the publisher may or may not move, so it is not by itself evidence that an image is up to date.
Rationale:
Running outdated images allows known, already-patched vulnerabilities to persist in the application. Pulling the intended tag from the registry before every deployment, and verifying that the running container's image matches what the registry currently serves for that tag, ensures that the latest security patches, bug fixes, and performance improvements are actually in use. No tag string can guarantee this on its own; the check is a comparison of image IDs or digests.
Impact:
Pros:
Keeps the application environment up to date and secure.
Reduces the chances of running into known vulnerabilities.
Cons:
Newer image versions may contain breaking changes, so each update requires testing before it is promoted, and the previous image reference must be recorded so the change can be reverted.
Default Value:
By default, docker run uses a locally cached image when one with the requested name and tag exists and only contacts the registry when the image is missing (the default is --pull missing). It does not check whether the registry has a newer image for that tag unless docker pull is run first or --pull always is passed.
Pre-requisites:
Access to the EC2 instances running Docker (SSH or AWS Systems Manager Session Manager / Run Command) and permission to run Docker commands on them.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Run docker images to list the local images with their tags, and docker ps to see which image and tag each running container was started from.
For each image in use, pull the same tag again and compare image IDs: if the pull reports that the image is already up to date, the container is current; if a newer image is downloaded, the running container is stale and must be redeployed. Treat containers running mutable tags such as latest as findings unless they are redeployed on every pull, because the tag alone does not show which version is running.
Using AWS CLI:
Run the same check from outside the instance with SSM Run Command (the AWS-RunShellScript document, as used in the Implementation Plan below) so that the output is collected centrally; the command to list the images and their tags is:
docker images
Implementation Plan:
Using AWS Console:
Connect to the EC2 instance.
Pull the tag you intend to run so that the local copy matches what the registry currently serves for that tag. Prefer a specific version tag (or an image digest) to latest, so that the version in use is explicit and can be compared and reverted:
docker pull <image-name>:<tag>
Record the image reference or image ID of the running container before replacing it, so that the Backout Plan has a known target.
Stop and remove the existing container, then start a new one from the freshly pulled image (docker run refuses to create a container whose name is still in use):
docker rm -f <container-name>
docker run -d --name <container-name> <image-name>:<tag>
Using AWS CLI:
Use SSM Run Command to pull the tag, remove the old container, and start the new one in a single chained command (the chain stops at the first failing step):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters 'commands=["docker pull <image-name>:<tag> && docker rm -f <container-name> && docker run -d --name <container-name> <image-name>:<tag>"]'
Backout Plan:
Using AWS Console:
Connect to the EC2 instance.
Remove the current container and start one from the previous image reference recorded before the update (a version tag, a digest, or the image ID). If the update was performed with the latest tag, the previous version is only recoverable from that record, because the tag now points at the new image:
docker rm -f <container-name>
docker run -d --name <container-name> <image-name>:<previous-tag>
Using AWS CLI:
Use SSM Run Command to remove the current container and start the previous version:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters 'commands=["docker rm -f <container-name> && docker run -d --name <container-name> <image-name>:<previous-tag>"]'
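The whole procedure (Test Plan audit, Implementation Plan redeploy, Backout Plan rollback) as an added shell script; it is not taken from the CIS benchmark or from any vendor tooling. It assumes the docker CLI is installed on the host and that the registry is reachable for the live helpers; the reference-parsing and comparison functions run offline. The function names, the WARN/STALE/CURRENT/PINNED labels, and the sample references used in the comments are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: audit running containers
# for stale images, redeploy them pinned by digest, and record the previous
# image ID for rollback. Nothing here is AWS-specific, so it can be run over
# SSH or shipped through an SSM AWS-RunShellScript command.
set -eu

# Tags that the publisher can re-point at any time. Whether a container is
# current is decided by comparing image IDs/digests, never by the tag string.
tag_is_mutable() {
  case "${1:-}" in
    ""|latest|stable|main|master|edge) return 0 ;;
    *) return 1 ;;
  esac
}

# Split "repo[:tag][@sha256:...]" into "repo tag digest" (tag defaults to
# latest, digest is "-" when absent). A colon only counts as the tag separator
# when it follows the last slash, so registry ports (localhost:5000/app:1.2) work.
parse_ref() {
  local ref="$1" digest="" tag="" repo last
  case "$ref" in *@*) digest="${ref##*@}"; ref="${ref%@*}" ;; esac
  repo="$ref"
  last="${ref##*/}"
  case "$last" in *:*) tag="${last##*:}"; repo="${ref%:*}" ;; esac
  [ -n "$digest" ] || digest="-"
  printf '%s %s %s\n' "$repo" "${tag:-latest}" "$digest"
}

# Stale means the container was started from an image ID different from the
# one its tag resolves to after a fresh pull. Pure comparison, testable offline.
container_is_stale() {
  local running_id="$1" current_id="$2"
  [ -n "$running_id" ] && [ -n "$current_id" ] && [ "$running_id" != "$current_id" ]
}

# ---- Live helpers: these need the docker CLI and registry access ----

# Image ID (sha256:...) the container was created from.
running_image_id() { docker inspect --format '{{.Image}}' "$1"; }

# Refresh the tag from the registry, then report the image ID it now points at.
current_image_id() {
  docker pull --quiet "$1" >/dev/null
  docker image inspect --format '{{.Id}}' "$1"
}

# repo@sha256:... for the local copy of a tag, used to pin the redeploy.
image_repo_digest() { docker image inspect --format '{{index .RepoDigests 0}}' "$1"; }

# Test Plan: one line per running container. Mutable tags are warned about,
# digest-pinned containers are reported as PINNED (they only change when the
# digest is bumped), everything else is compared against a fresh pull.
audit_running_containers() {
  docker ps --format '{{.Names}} {{.Image}}' | while read -r name ref; do
    set -- $(parse_ref "$ref")
    repo="$1"; tag="$2"; digest="$3"
    if [ "$digest" != "-" ]; then
      echo "PINNED  $name $repo@$digest"
      continue
    fi
    if tag_is_mutable "$tag"; then
      echo "WARN    $name runs mutable tag $repo:$tag; pin a version tag or digest"
    fi
    if container_is_stale "$(running_image_id "$name")" "$(current_image_id "$repo:$tag")"; then
      echo "STALE   $name $repo:$tag"
    else
      echo "CURRENT $name $repo:$tag"
    fi
  done
}

# Implementation Plan: replace a container with the registry's current image
# for its tag, pinned by digest, after printing the previous image ID for the
# Backout Plan. Extra arguments (ports, env, volumes) go through to docker run.
redeploy_pinned() {
  local name="$1" ref="$2" old_id new_ref
  shift 2
  old_id="$(running_image_id "$name")"
  docker pull --quiet "$ref" >/dev/null
  new_ref="$(image_repo_digest "$ref")"
  echo "rollback target for $name: $old_id" >&2
  docker rm -f "$name" >/dev/null      # docker run fails on a name collision
  docker run -d --name "$name" "$@" "$new_ref"
}

# Backout Plan: start the container again from the recorded previous image ID,
# which still exists locally unless images were pruned in the meantime.
rollback() {
  local name="$1" old_id="$2"
  shift 2
  docker rm -f "$name" >/dev/null
  docker run -d --name "$name" "$@" "$old_id"
}

case "${1:-}" in
  audit)    audit_running_containers ;;
  redeploy) shift; redeploy_pinned "$@" ;;
  rollback) shift; rollback "$@" ;;
esac
```

Run it on the instance as sh image-audit.sh audit to produce the Test Plan evidence, sh image-audit.sh redeploy <container-name> <image-name>:<tag> to apply the Implementation Plan, and sh image-audit.sh rollback <container-name> <previous-image-id> for the Backout Plan. Redeploying by repo@sha256 digest rather than by tag means the audit later reports the container as PINNED and the version actually running is unambiguous.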
References:
CIS Docker Benchmark