Profile Applicability:

  • Level 2 

Description:

Content trust ensures that images pulled from a Docker registry are digitally signed, providing the ability to verify the authenticity and integrity of the images before they are used. By default, content trust is disabled.

Rationale:

Enabling content trust ensures that Docker images are signed and can be verified for authenticity. This provides confidence that the image has not been tampered with and that it originates from a trusted publisher.

Impact:

Pros:

  • Ensures that Docker images are signed and verified before usage, reducing the risk of using compromised or untrusted images.

Cons:

  • May require additional configuration and the management of trust keys.

  • Restricts the use of Docker images unless they are signed, which could impact workflows if not managed properly.

Default Value:

By default, content trust is disabled.

Pre-requisites:

  • Ensure Docker is installed and running on the system.

  • Verify that the Docker client is configured to allow the use of trusted images.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Check the environment variable DOCKER_CONTENT_TRUST:

    Run the command echo $DOCKER_CONTENT_TRUST.
    It should return 1 if content trust is enabled.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.

  2. Run the following command to verify if Docker content trust is enabled:

    echo $DOCKER_CONTENT_TRUST

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. Enable content trust by setting the DOCKER_CONTENT_TRUST environment variable:

    Run export DOCKER_CONTENT_TRUST=1 in the terminal.

  3. To make this setting persistent across logins, add the above export command to the ~/.bashrc or ~/.bash_profile file.

Using AWS CLI:

  1. Use SSM to enable content trust on remote EC2 instances:

  2. Run the following command:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"export DOCKER_CONTENT_TRUST=1\" >> ~/.bashrc && source ~/.bashrc"]'
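The following audit helper is an added example, not part of this benchmark's own text: it combines the Test Plan check on the live environment with a check that `export DOCKER_CONTENT_TRUST=1` has actually been persisted, uncommented, in one of the startup files the Implementation Plan names (~/.bashrc and ~/.bash_profile are assumed from those steps).

```shell
#!/usr/bin/env bash
# Added audit helper (not from the benchmark): verifies Docker Content Trust
# both in the current environment and in the shell startup files.

# Returns 0 when DOCKER_CONTENT_TRUST is exactly "1". An optional first
# argument overrides the value read from the environment (used for testing).
dct_enabled_in_env() {
  local value="${1-${DOCKER_CONTENT_TRUST-}}"
  [ "$value" = "1" ]
}

# Scans the given startup files for an uncommented
# "export DOCKER_CONTENT_TRUST=1" line. Returns 0 if any file has one.
dct_persisted_in() {
  local f
  for f in "$@"; do
    [ -r "$f" ] || continue
    if grep -Eq '^[[:space:]]*export[[:space:]]+DOCKER_CONTENT_TRUST=1([[:space:]]|$)' "$f"; then
      return 0
    fi
  done
  return 1
}

# Combined check: prints one verdict line per condition and returns 0 only
# when the live environment AND a startup file both enforce content trust.
dct_audit() {
  local rc=0
  if dct_enabled_in_env; then
    echo "PASS: DOCKER_CONTENT_TRUST=1 in current environment"
  else
    echo "FAIL: DOCKER_CONTENT_TRUST is '${DOCKER_CONTENT_TRUST-<unset>}' (expected 1)"
    rc=1
  fi
  if dct_persisted_in "$HOME/.bashrc" "$HOME/.bash_profile"; then
    echo "PASS: export DOCKER_CONTENT_TRUST=1 is persisted in a startup file"
  else
    echo "FAIL: no uncommented 'export DOCKER_CONTENT_TRUST=1' in ~/.bashrc or ~/.bash_profile"
    rc=1
  fi
  return $rc
}
```

Because DOCKER_CONTENT_TRUST is read from the environment of whichever process invokes `docker`, a value in an interactive user's ~/.bashrc does not cover cron jobs, CI runners or service accounts; run the audit in the context of each account that pulls images.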

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. Disable content trust by running:

    unset DOCKER_CONTENT_TRUST

  3. To make this change permanent, remove or comment out the export DOCKER_CONTENT_TRUST=1 line in the ~/.bashrc or ~/.bash_profile file.

Using AWS CLI:

  1. Use SSM to disable content trust remotely:

  2. Run the following command:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["unset DOCKER_CONTENT_TRUST"]'

References: