Profile Applicability:
Level 1
Description:
Docker Swarm uses overlay networks to allow containers on different hosts to communicate. Encrypting these overlay networks protects sensitive data while it is in transit between containers on different nodes of the swarm.
Rationale:
Overlay network encryption ensures that data transmitted between Docker containers in different hosts is secured, preventing eavesdropping or tampering by unauthorized entities. This is critical for protecting sensitive application data within a multi-host Docker Swarm environment.
Impact:
Pros:
Encrypts all communication between containers across different hosts, ensuring confidentiality and integrity.
Improves security posture by reducing the potential attack surface.
Cons:
May slightly impact performance due to the overhead of encrypting and decrypting network traffic.
Requires additional resources for the management of encryption keys and certificates.
Default Value:
By default, Docker Swarm does not enable encryption for overlay networks. It must be explicitly configured during network creation.
Pre-requisites:
Docker Swarm must be initialized.
Appropriate security and access controls for Docker Swarm and nodes.
A secure method to store and manage encryption keys.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the EC2 instance running Docker Swarm.
Check if the overlay networks are encrypted by running the following command:
docker network inspect <network_name>
Ensure the output contains "Encrypted": true.
Using AWS CLI:
Connect to the EC2 instance where Docker Swarm is running.
Run the following command to inspect the Docker overlay network:
docker network inspect <network_name> --format '{{json .Options}}'
Verify that the output includes the "encrypted" option.
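As an added example (not part of this benchmark's own test plan), the following POSIX shell helper applies the CLI check above to every overlay network in the swarm at once: it reads one line per network in the form produced by docker network inspect --format '{{.Name}} {{.Driver}} {{json .Options}}' and flags any overlay network whose Options lack the "encrypted" key. The inspect output embedded below is constructed sample data, and the network names in it are placeholders.

```shell
#!/bin/sh
# Audit helper: flag swarm overlay networks that were created without --opt encrypted.
# Input lines have the shape produced by
#   docker network inspect --format '{{.Name}} {{.Driver}} {{json .Options}}' <id>...
# Returns 0 when every overlay network read is encrypted, 1 otherwise.
audit_overlay_networks() {
  rc=0
  while read -r name driver options; do
    [ -z "$name" ] && continue
    # Only overlay networks carry swarm's IPsec encryption; skip bridge/host/etc.
    [ "$driver" = "overlay" ] || continue
    case "$options" in
      *'"encrypted":'*) echo "OK          $name" ;;
      *)                echo "UNENCRYPTED $name"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample output (not captured from a real swarm) so the check runs offline.
SAMPLE_INSPECT='app-net overlay {"encrypted":"","com.docker.network.driver.overlay.vxlanid_list":"4097"}
legacy-net overlay {"com.docker.network.driver.overlay.vxlanid_list":"4098"}
bridge bridge {"com.docker.network.bridge.name":"docker0"}'

# Number of unencrypted overlay networks in the sample (expected: 1, legacy-net).
count_unencrypted() {
  printf '%s\n' "$SAMPLE_INSPECT" | audit_overlay_networks | grep -c '^UNENCRYPTED'
}

# On a real manager node, feed live data instead of the sample:
#   docker network ls --filter driver=overlay -q \
#     | xargs docker network inspect --format '{{.Name}} {{.Driver}} {{json .Options}}' \
#     | audit_overlay_networks
```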
Implementation Plan:
Using AWS Console:
On the EC2 instance, create a new encrypted overlay network using the following Docker command:
docker network create --driver=overlay --opt encrypted <network_name>
Ensure the overlay network is created with encryption enabled by inspecting it as shown in the test plan.
Using AWS CLI:
Use AWS Systems Manager (SSM) Run Command to execute the Docker CLI command on the instance and create the encrypted overlay network:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker network create --driver=overlay --opt encrypted <network_name>"]'
Backout Plan:
Using AWS Console:
To revert the network encryption, remove the encrypted overlay network by running the following:
docker network rm <network_name>
Recreate the network without the encryption option if necessary:
docker network create --driver=overlay <network_name>
Using AWS CLI:
Use SSM Run Command to remove the encrypted overlay network and recreate it without encryption:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker network rm <network_name> && docker network create --driver=overlay <network_name>"]'
References:
Docker Swarm Network Encryption
CIS Docker Benchmark v1.7