Insights from 68 People Who Care About AWS Container Security
In late 2019, Amazon Web Services’ Developer Advocate Michael Hausenblas surveyed 68 people who use containers on AWS. The publicly available results offer several anecdotal clues about adoption patterns among customers of the world’s largest cloud provider. Among this small group of container users, half are using Amazon Elastic Kubernetes Service (EKS) on EC2 instances. AWS Fargate also has a strong presence, but it is not exclusively a Kubernetes story: many respondents use Fargate to deploy containers via either Amazon Elastic Container Service (ECS) or EKS.
The study also indicates that many companies need to mature their network and security policies for containers, and that few non-AWS services are being used for container security. Although 62% scan container images, the state of container security is still relatively immature. For example, only 17 of 39 Kubernetes users (43%) have security policies for Kubernetes pods. There are signs that service meshes are starting to be used, although it is unclear whether this is mostly for traffic management rather than for enforcing security policies. Additional insights follow.
- Amazon ECS without Kubernetes is still common. 29 of 68 (43%) are not using Kubernetes at all, which is remarkably close to the usage level reported in a Datadog report last year. Of this group, 20 (69%) are running containers on AWS via ECS on top of EC2. Including Kubernetes users, 58% (40 of 68) of respondents utilize ECS on either EC2 or Fargate.
- Amazon EKS on EC2 is dominant. 35 of 39 (90%) Kubernetes users are running containers on EKS deployed on top of EC2. Furthermore, only 4 of 39 (10%) of the Kubernetes users are exclusively taking a DIY (do-it-yourself) approach as opposed to utilizing EKS.
- Fargate use is substantial. 31 of 68 (46%) respondents use Fargate. This is much higher than the 19% Fargate uptake among AWS container organizations that we wrote about in November 2019.
- Fargate and Kubernetes can co-exist. 17 of 31 (55%) Fargate users also utilize Kubernetes. Looking at the data a different way, 44% (17 of 39) of the respondents using Kubernetes are also utilizing Fargate. All six respondents that deploy EKS on Fargate also do so on EC2, but only one respondent is using both ECS and EKS to deploy containers with Fargate.
Security and Networking
- Container scanning is not universal. 62% (41 of 67) are scanning container images. At 73% (30 of 41), native ECR scanning is the most common approach. In addition, 36% (20 of 67) scan container images via a third party such as Aqua Security. Only 30% (9 of 30) of the users of AWS’s native scanning capability also scan container images with another tool. Only 17% are scanning containers at runtime, with the Cloud Native Computing Foundation’s Falco being the most common way this is done.
- Calico is popular for implementing Kubernetes policies. Calico was cited by two-thirds (18 of 27) of the people that described how they manage Kubernetes network policies. Among these Calico users, 76% (13 of 18) have policies governing Kubernetes pods.
- Service meshes used with AWS are emerging. Network policies are managed via service meshes by 37% (10 of 27) of the people that described how they manage Kubernetes network policies. Half of these service mesh users also manage pod-level IAM (identity and access management) using IAM roles for service accounts. It is unclear whether AWS App Mesh is the service mesh of choice, although it is designed to work with IAM roles for service accounts.
Amazon Web Services and the Cloud Native Computing Foundation are sponsors of The New Stack.
Feature image by Gerd Altmann from Pixabay.