To enhance security around its newly launched Docker container registry, Amazon Web Services offers the ability to scan containers for security vulnerabilities, thanks to a partnership with Twistlock.
AWS’ EC2 Container Registry, which AWS announced in October, is among a growing number of cloud services that rely on Twistlock to help users secure their containers. Last month, the Google Container Registry added Twistlock, and Docker supports the technology for its own registry, as well.
“Many customers already have a multi-cloud strategy and this platform-independent approach is an important way to provide consistent security across all those clouds,” wrote John Morello, Twistlock’s chief technology officer, in a blog post announcing the new offering. “One Twistlock instance can protect containers, hosts and images across all the various clouds your organization is running on.”
Twistlock is one of a number of companies seeking to address the issue of securing containers, which has become an increasing concern as more container-based workloads move into production. Both CoreOS and Docker have released their own scanners, each of which compares the contents of a container against a database of known vulnerabilities.
Twistlock’s service also scans for vulnerabilities, and does so as part of the user’s continuous integration process. In addition, Twistlock offers advanced access control, using permissions drawn from the organization’s Lightweight Directory Access Protocol (LDAP)-based directory. The service also offers the ability to monitor running containers, to guard against any malicious activity during runtime.
“Amazon ECR allows Amazon users to use Amazon credentials to handle images within AWS Container Registry. Twistlock can now also handle Amazon credentials and authentication tokens. Using Amazon credentials, you can point [Twistlock] to scan images in the AWS Container Registry regardless of where Twistlock is installed,” wrote Chenxi Wang in a follow-up e-mail.
To get started with Twistlock, the user needs to install the Twistlock software, which runs inside a container. The software is available on the Amazon partner network. The user then imports a Kerberos client certificate into Twistlock, so the software can proxy traffic between the Docker client and the Docker daemon. No agents are required on the host, nor do the containers being monitored need any additional preparation. Everything is done through the Docker and Linux APIs.
More details on how to implement the service can be found on the company’s web site.
CoreOS and Docker are sponsors of The New Stack.
Feature Image via Pixabay.