Profile Applicability:

  • Level 1 

Description:

Docker containers should only be built from base images that come from trusted, verified sources: official repositories on Docker Hub or a private registry you control. Building from unverified images risks running vulnerable or malicious code inside your containers.

Rationale:

Using untrusted base images could introduce security vulnerabilities into your containers. These images could contain malicious code, outdated software, or vulnerabilities that can be exploited. By using only trusted images, you significantly reduce the risk of introducing security issues into your containerized environment.

Impact:

Pros:

  • Reduces the likelihood of vulnerabilities, malware, or misconfigurations within containers.

  • Enhances overall security by ensuring only tested, secure images are used.

Cons:

  • Requires maintaining a process for verifying image sources and managing a list of trusted images, which can add administrative overhead.

Default Value:

By default, Docker pulls from Docker Hub, which hosts official and verified images alongside arbitrary user-published ones; the daemon does not restrict which registries or repositories an image may come from.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • A process for verifying and managing trusted images, either through Docker Hub, private registries, or signed images.

Remediation:

Test Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker (for example with Session Manager or EC2 Instance Connect from the EC2 console).

  2. List the images used by running containers and inspect how each image was built, then compare the result against your list of trusted sources. Also review the FROM lines of the Dockerfiles the images were built from:

    docker ps --format "{{.Image}}"
    docker history <image-name>

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running (for example with aws ssm start-session --target <instance-id>).

  2. Run the following commands to list the images in use and inspect how they were built, and compare the result against your list of trusted sources:

    docker ps --format "{{.Image}}"
    docker history <image-name>

Implementation Plan:

Using AWS Console:

  1. Ensure that only trusted base images are used in Dockerfiles: every FROM line should name an official Docker Hub repository or a repository in your private registry, written with the full registry path so that the source is unambiguous.

  2. Docker has no built-in allowlist of registries, and --insecure-registry does the opposite of what is wanted here (it lets the daemon talk to registries over plain HTTP or with untrusted certificates), so do not rely on it. Instead, enable Docker Content Trust on build and deployment hosts (DOCKER_CONTENT_TRUST=1) so that pull, build and run only accept signed images, and restrict the host's network egress so that images can only be fetched from your private registry or mirror.

  3. Review existing container images and rebuild any that were not built from an official or otherwise trusted base image.

Using AWS CLI:

  1. Use SSM Run Command to list the images in use on each instance and compare them against your trusted list (apply the same check to the FROM lines of the Dockerfiles in your build pipeline):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters '{"commands":["docker ps --format \"{{.Image}}\""]}'
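The Test Plan and step 1 of the Implementation Plan both come down to the same check: does every image reference, whether printed by docker ps or written in a Dockerfile FROM line, resolve to a trusted registry or namespace? The script below is an added example written for this page, not CIS's or Docker's own tooling. The allowlist in TRUSTED_PREFIXES, the ECR account ID and region in it, and the sample image names are hypothetical; adjust the prefixes to your environment. It applies Docker's own naming defaults (a bare name such as nginx is docker.io/library/nginx; a name without a registry host lives on docker.io), treats bare image IDs as untrusted because they cannot be traced to any source, and skips FROM lines that refer to an earlier build stage.

```shell
#!/bin/sh
# Added example for this benchmark item (not Docker's or CIS's own tooling):
# audit image references against an allowlist of trusted registries and
# namespaces, for running containers and for Dockerfile FROM lines.

# Hypothetical allowlist: the ECR account ID and region are placeholders.
# Official Docker Hub images resolve to docker.io/library/<name>, so that
# prefix admits official repositories only, not arbitrary Hub users.
TRUSTED_PREFIXES="docker.io/library/ 123456789012.dkr.ecr.us-east-1.amazonaws.com/"

# normalize_ref REF: print the fully qualified repository name without tag or
# digest, applying Docker's implicit defaults (docker.io, library/).
normalize_ref() {
  r=${1%%@*}                                   # drop @sha256:... digest
  case ${r##*/} in *:*) r=${r%:*} ;; esac      # drop :tag after the last /
  first=${r%%/*}
  if [ "$first" = "$r" ]; then
    printf '%s\n' "docker.io/library/$r"       # "nginx" -> official image
  else
    case $first in
      *.*|*:*|localhost) printf '%s\n' "$r" ;; # explicit registry host
      *) printf '%s\n' "docker.io/$r" ;;       # Hub user/org namespace
    esac
  fi
}

# is_trusted_image REF: exit 0 if REF resolves under a trusted prefix. Bare
# image IDs (sha256:..., or 12/64 hex chars, as `docker ps` prints when the
# tag is gone) cannot be traced to any source, so they count as untrusted.
is_trusted_image() {
  ref=$1
  case $ref in
    sha256:*) return 1 ;;
    *[!0-9a-f]*) ;;                            # has a non-hex char: a name
    *) if [ ${#ref} -eq 12 ] || [ ${#ref} -eq 64 ]; then return 1; fi ;;
  esac
  full=$(normalize_ref "$ref")
  for p in $TRUSTED_PREFIXES; do
    case $full in "$p"*) return 0 ;; esac
  done
  return 1
}

# audit_images: read one reference per line on stdin (the output of
# `docker ps --format '{{.Image}}'`), report each, exit 0 only if all trusted.
audit_images() {
  bad=0
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    if is_trusted_image "$ref"; then printf 'ok        %s\n' "$ref"
    else printf 'UNTRUSTED %s\n' "$ref"; bad=$((bad + 1)); fi
  done
  [ "$bad" -eq 0 ]
}

# audit_dockerfile: read a Dockerfile on stdin and check every FROM image.
# Skips --platform flags and FROM <alias> of an earlier build stage; a base
# taken from a variable (FROM $BASE) cannot be checked statically and is flagged.
audit_dockerfile() {
  bad=0; stages=""
  while IFS= read -r line; do
    set -- $line                               # word-split the instruction
    case ${1:-} in FROM|from) ;; *) continue ;; esac
    shift
    while [ "${1#--}" != "$1" ]; do shift; done
    image=${1:-}
    if [ "$#" -ge 3 ]; then case $2 in AS|as) stages="$stages $3" ;; esac; fi
    case "$stages " in *" $image "*) continue ;; esac
    case $image in *'$'*) printf 'UNRESOLVED %s\n' "$image"; bad=$((bad + 1)); continue ;; esac
    if is_trusted_image "$image"; then printf 'ok        %s\n' "$image"
    else printf 'UNTRUSTED %s\n' "$image"; bad=$((bad + 1)); fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample standing in for `docker ps --format '{{.Image}}'` output.
SAMPLE_IMAGES='nginx:1.25
123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api:2.3.1
someuser/debug-tools:latest
ghcr.io/example/agent@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
3f8a1b2c4d5e'

# On a real host, pipe the live list instead of the sample.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
  docker ps --format '{{.Image}}' | audit_images
else
  printf '%s\n' "$SAMPLE_IMAGES" | audit_images
fi
```

On the sample, nginx:1.25 and the ECR image pass, while the Hub user image, the ghcr.io image and the bare image ID are reported as UNTRUSTED and the script exits non-zero. To check a Dockerfile, run audit_dockerfile < Dockerfile; the same script can be shipped through SSM Run Command so that every instance reports against one allowlist. Note that a trusted prefix only proves where an image came from, not that it is current: Docker Content Trust (signature verification) and regular rebuilds against updated base images are still needed.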

Backout Plan:

Using AWS Console:

  1. If an untrusted base image is discovered, update the Dockerfile or container configuration to use a trusted base image.

  2. Rebuild the image from the updated Dockerfile:

    docker build -t <image-name> .

  3. Redeploy the container using the updated image.

Using AWS CLI:

  1. Use SSM Run Command to pull the trusted base image onto the affected instances, then rebuild and redeploy the containers as in the Console steps (pulling alone does not replace a running container):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters '{"commands":["docker pull <trusted-image-name>"]}'

References: