Profile Applicability:

  • Level 1

Description:

Only the ports required for the container's functionality should be exposed to the host system. Exposing unnecessary ports can increase the attack surface and risk the container's security by allowing unauthorized access.

Rationale:

Limiting the exposed ports on containers reduces the potential vectors for external threats. Containers should follow the principle of least privilege, and only the necessary ports for their service should be accessible.

Impact:

Pros:

  • Reduces the attack surface by limiting open ports.

  • Enhances security by ensuring that only necessary communication channels are available.

Cons:

  • May require careful configuration and review to ensure that all required services can still communicate effectively.

Default Value:

By default, Docker exposes no ports unless explicitly specified using the -p or --publish options during container creation.

Pre-requisites:

  • Administrative access to Docker containers and host systems.

  • Knowledge of the services running inside containers to configure which ports need to be exposed.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Review the Docker container's configuration (e.g., docker inspect <container_id>).
  3. Ensure that only necessary ports are listed under the Ports section.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to list all exposed ports for a specific container:
    docker container inspect <container_id> --format '{{ .HostConfig.PortBindings }}'


Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker.
  2. When running or creating a container, ensure that only required ports are exposed:
       Use the     -p or --publish option to expose only necessary ports, such as:
    docker run -d -p 8080:8080 my-container

    Do not expose unnecessary ports unless required for the application.

Using AWS CLI:

  1. Use SSM to remotely run the necessary docker run command with only the required ports:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run -d -p 8080:8080 my-container"]'


Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker.
  2. If additional ports were exposed, stop and remove the container, and restart it with the correct port configuration:
docker stop <container_id>
docker rm <container_id>
docker run -d -p <required_ports> my-container

Using AWS CLI:

  1. Use SSM to stop the container and run it again with the corrected port configuration:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker stop <container_id> && docker rm <container_id> && docker run -d -p 8080:8080 my-container"]'

References: