Profile Applicability:

  • Level 1

Description:

When running containers, bind the ports you publish (the path for incoming container traffic) to a specific host interface address rather than to all host interfaces. This limits the exposure of the container's services to only the network interfaces that actually need to reach them, reducing the attack surface.

Rationale:

Binding published ports to a specific host IP address ensures that containerised services do not listen on interfaces they were never meant to serve (for example a public-facing interface when only an internal one is required). This minimises the risk of external attacks reaching services over unintended network paths.

Impact:

Pros:

  • Reduces the attack surface by limiting exposure of container services to only the required network interfaces.

  • Keeps published services off interfaces (such as a public-facing interface) on which they do not need to listen.

Cons:

  • Requires proper network configuration and management.

  • Misconfiguration can lead to network connectivity issues for containers.

Default Value:

By default, Docker binds published ports to 0.0.0.0, i.e. to all available network interfaces on the host, unless a host IP address is given when the port is published.

Pre-requisites:

  • Administrative privileges on the host machine.

  • Knowledge of Docker networking and host interfaces.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker and connect to it.
  2. Check the container configuration using the docker inspect <container_id> command.
  3. Verify the NetworkSettings.Ports section: the HostIp of every published port should be a specific host address, not 0.0.0.0 or ::, which indicate a binding to all interfaces.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.
  2. Run the following command to list the port bindings of every running container, and confirm that no HostIp is 0.0.0.0 or :: :
docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
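The following shell script is an added example and is not part of this benchmark page or of Docker itself. It parses the output format of the docker inspect command above (fed here from a constructed sample rather than a live host, so it runs offline) and flags every published port whose host binding is the IPv4 or IPv6 wildcard. Pipe the real command's output into audit_port_bindings to audit a host; the container IDs and ports in the sample are made up.

```shell
#!/bin/sh
# Added example: audit Docker port bindings for wildcard host interfaces.
# Expected input is the line format produced by
#   docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
# where each binding is printed as {HostIp HostPort}.

# Constructed sample output (fake container IDs, not captured from a real host).
SAMPLE_INSPECT='3f1a9c2e4b7d: Ports=map[80/tcp:[{0.0.0.0 8080} {:: 8080}]]
9b2c7e1d5a3f: Ports=map[443/tcp:[{10.0.0.5 8443}] 5432/tcp:[]]
c0ffee123456: Ports=map[]'

# audit_port_bindings: reads inspect lines on stdin and prints "<id> {HostIp HostPort}"
# for every binding on 0.0.0.0 (all IPv4 interfaces) or :: (all IPv6 interfaces).
# Returns 0 when every published port names a specific host IP, 1 otherwise.
audit_port_bindings() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=${line%%:*}
        # Only bindings to a wildcard address are a finding; unpublished ports ([]) are fine.
        wild=$(printf '%s\n' "$line" | grep -oE '\{(0\.0\.0\.0|::) [0-9]+\}' || true)
        if [ -n "$wild" ]; then
            rc=1
            printf '%s\n' "$wild" | while IFS= read -r binding; do
                printf '%s %s\n' "$id" "$binding"
            done
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_INSPECT" | audit_port_bindings; then
    echo "PASS: all published ports are bound to a specific host IP"
else
    echo "FAIL: wildcard host bindings listed above"
fi
```

On a live host replace the sample with the real inspect output, for example docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}' | audit_port_bindings; a non-zero exit status means the benchmark check fails.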


Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
  2. Start the container with the docker run command, publishing each port with an explicit host IP address in the form -p <host_ip>:<host_port>:<container_port>, for example -p 10.2.3.4:49153:80.
  3. Ensure the host IP belongs to the interface that should receive the traffic (typically an internal or private address). Do not use --network host for this purpose: host networking exposes every listening service on all host interfaces and makes the problem worse. To change the default for all containers on the host, the daemon option --ip (or "ip" in /etc/docker/daemon.json) sets the address used when no host IP is given.

Using AWS CLI:

  1. Use SSM to remotely execute the docker run command, publishing the container port on a specific host IP address:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run -d -p <host_ip>:<host_port>:<container_port> <image_name>"]'


Backout Plan:

Using AWS Console:

  • Connect to the EC2 instance.
  • Revert the container to the default binding by stopping and removing it, then starting it again with -p <host_port>:<container_port> (no host IP), which binds the published port to all host interfaces.

Using AWS CLI:

  1. Use SSM to start the container again without a host IP in the port mapping, restoring the default binding to all interfaces:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run -d -p <host_port>:<container_port> <image_name>"]'


References: