Profile Applicability:

  • Level 1

Description:

Docker Swarm auto-lock mode enables an additional layer of security by locking the manager nodes. When this mode is enabled, an unlock key is required to start the manager node after a restart or a crash, ensuring that unauthorized access is prevented.

Rationale:

Enabling auto-lock mode on a Swarm manager node is a critical security measure. It ensures that even if an attacker gains access to a manager node, they cannot take control or modify the Swarm configuration without the unlock key. This adds protection for the secrets and other sensitive configurations in the Swarm.

Impact:

Pros:

  • Enhances security by preventing unauthorized access to the Swarm manager.

  • Protects the integrity of secrets and configurations in the cluster.

Cons:

  • The unlock key needs to be securely managed and stored, as losing it may result in an inability to restart the manager nodes.

Default Value:

By default, auto-lock is not enabled on Swarm manager nodes.

Pre-requisites:

  • Swarm mode must be enabled.

  • Access to the Docker Swarm manager node with administrative privileges.

  • A secure method of storing the unlock key is required.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running the Docker Swarm manager.

  2. Check whether auto-lock mode is enabled by running:

docker swarm unlock-key

  3. The command prints the current unlock key only when auto-lock is enabled; if it is not enabled, configure it as per the steps below.

Using AWS CLI:

  1. Connect to the EC2 instance running the Docker Swarm manager.

  2. Run the following command to verify the current unlock key (an error indicates that auto-lock is not enabled):

docker swarm unlock-key

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance running the Docker Swarm manager.

  2. Run the following command to enable auto-lock on the existing Swarm (use docker swarm init --autolock instead only when creating a new Swarm):

docker swarm update --autolock=true

  3. After auto-lock is enabled, securely store the unlock key displayed by Docker.

Using AWS CLI:

  1. Use SSM to remotely enable auto-lock mode on the Docker Swarm manager.

  2. Run the following command, replacing instance_id with the manager's instance ID:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm update --autolock=true"]'

  3. Retrieve the command output and securely store the unlock key displayed by Docker.
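The pre-requisites call for a secure place to keep the unlock key, and the steps above leave that to the operator. The following script is an added example (not from the benchmark) of the full implementation step on one manager: enable auto-lock, extract the key from the docker swarm unlock-key output, and store it in AWS SSM Parameter Store as a SecureString so it is encrypted at rest and access-controlled by IAM. The parameter name /docker/swarm/unlock-key, the --apply switch and the sample output used in the comments are assumptions; the aws ssm put-parameter flags are real.

```shell
#!/bin/sh
# Added example, not from the benchmark: enable Swarm auto-lock and place the
# unlock key in SSM Parameter Store instead of leaving it in a terminal buffer.

# Assumed parameter path; override with PARAM_NAME=/other/path.
PARAM_NAME="${PARAM_NAME:-/docker/swarm/unlock-key}"

# Pull the SWMKEY-... token out of the full `docker swarm unlock-key` output,
# which wraps the key in explanatory text that must not be stored.
# $1: output text. Prints the key, or nothing if none is present.
extract_unlock_key() {
  printf '%s\n' "$1" | grep -o 'SWMKEY-[0-9]-[A-Za-z0-9+/=]*' | head -n 1
}

# Turn on auto-lock for the existing swarm (idempotent).
enable_autolock() {
  docker swarm update --autolock=true >/dev/null
}

# Store the key as an encrypted SecureString; --overwrite lets a later
# `docker swarm unlock-key --rotate` replace the stored value.
# $1: unlock key.
store_unlock_key() {
  aws ssm put-parameter --name "$PARAM_NAME" --type SecureString \
    --value "$1" --overwrite >/dev/null
}

main() {
  enable_autolock
  key=$(extract_unlock_key "$(docker swarm unlock-key)")
  if [ -z "$key" ]; then
    echo "could not read the unlock key from docker swarm unlock-key" >&2
    return 1
  fi
  store_unlock_key "$key"
  echo "unlock key stored in SSM parameter $PARAM_NAME"
}

# Only act when explicitly asked, so the file can be sourced for testing.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run sh enable_autolock.sh --apply on the manager with an instance role that allows ssm:PutParameter on the parameter path; the same role (or an operator role) then retrieves the key with aws ssm get-parameter --with-decryption when a manager needs docker swarm unlock after a restart. Keeping the key out of shell history and instance user data is the point of the exercise, so do not echo it in the script.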

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance running the Docker Swarm manager.

  2. Disable auto-lock mode using the following command (docker swarm unlock only unlocks an already locked manager; it does not turn the mode off):

docker swarm update --autolock=false

  3. Ensure that no other changes are made to the Swarm configuration that would compromise its security.

Using AWS CLI:

  1. Use SSM to remotely disable auto-lock mode on the Docker Swarm manager.

  2. Run the following command, replacing instance_id with the manager's instance ID:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker swarm update --autolock=false"]'

References: