Profile Applicability:

  • Level 2

Description:

The default bridge network docker0 creates a shared network between all containers, which may lead to security risks, such as container traffic being accessed by other containers or the host system. It is recommended to avoid using docker0 and use user-defined bridge networks instead for improved network isolation.

Rationale:

Using the default docker0 bridge network may expose containers to unnecessary network access. By using user-defined networks, you can isolate containers better and restrict communication between containers to only those that need to communicate.

Impact:

Pros:

  • Better security by isolating container traffic.

  • Limits the exposure of container traffic to the host system and other containers.

Cons:

  • Requires manual configuration to switch to user-defined networks.

Default Value:

By default, Docker uses the docker0 bridge network unless a user-defined network is specified.

Pre-requisites:

  • Administrative privileges to manage Docker networks.

  • Access to Docker's configuration to modify network settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Check the default bridge network configuration using the following command:

docker network inspect bridge

  3. Verify that this is the default bridge network, whose bridge interface is named docker0 (the "com.docker.network.bridge.name" option in the output).

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to inspect the bridge network:

docker network inspect bridge
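
The inspection steps above can be turned into a repeatable audit. The following script is an added example, not part of this benchmark: it parses the JSON printed by `docker network inspect bridge`, confirms the network is the default docker0 bridge, and lists every container still attached to it. The embedded sample output is constructed; pass `--live` to query the local daemon instead.

```python
"""Audit helper: report containers attached to Docker's default bridge (docker0)."""
import json
import subprocess
import sys

# Constructed sample of `docker network inspect bridge` output (abridged to the
# fields the audit needs); real output carries more keys.
SAMPLE_INSPECT = json.dumps([{
    "Name": "bridge",
    "Driver": "bridge",
    "Options": {
        "com.docker.network.bridge.default_bridge": "true",
        "com.docker.network.bridge.enable_icc": "true",
        "com.docker.network.bridge.name": "docker0",
    },
    "Containers": {
        "0a1b" * 16: {"Name": "web", "IPv4Address": "172.17.0.2/16"},
        "2c3d" * 16: {"Name": "db", "IPv4Address": "172.17.0.3/16"},
    },
}])


def audit_default_bridge(inspect_json):
    """Return (is_default_bridge, icc_enabled, [(container, ip), ...])."""
    net = json.loads(inspect_json)[0]
    opts = net.get("Options", {})
    is_default = (opts.get("com.docker.network.bridge.default_bridge") == "true"
                  or opts.get("com.docker.network.bridge.name") == "docker0")
    # Inter-container communication on a bridge is enabled unless explicitly disabled.
    icc = opts.get("com.docker.network.bridge.enable_icc", "true") == "true"
    attached = sorted((c["Name"], c.get("IPv4Address", ""))
                      for c in net.get("Containers", {}).values())
    return is_default, icc, attached


def main(argv):
    if "--live" in argv:
        raw = subprocess.check_output(["docker", "network", "inspect", "bridge"], text=True)
    else:
        raw = SAMPLE_INSPECT
    is_default, icc, attached = audit_default_bridge(raw)
    print(f"default bridge (docker0): {is_default}, inter-container comms: {icc}")
    for name, ip in attached:
        print(f"  FINDING: container {name} ({ip}) is on the default bridge")
    # Non-zero exit when any container still uses docker0, so the check can gate CI.
    return 1 if attached else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A container that appears in the findings should be re-run with `--network` pointing at a user-defined bridge, as described in the Implementation Plan.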

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Create a new user-defined bridge network with the following command:

docker network create --driver bridge my_bridge_network

  3. Run containers using the newly created network:

docker run --network my_bridge_network ...

Using AWS CLI:

  1. Use SSM to create a user-defined bridge network and run containers.

  2. Run the following command:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker network create --driver bridge my_bridge_network && docker run --network my_bridge_network ..."]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert to using the default docker0 bridge network by running containers with:

docker run --network bridge ...

Using AWS CLI:

  1. Use SSM to revert to the default docker0 bridge network.

  2. Run the following command:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --network bridge ..."]'

References: