Quick Take: Container Security on Amazon Web Services

For better or worse, how containers are used on Amazon Web Services will shape the technology's future, so it is worth tracking, which is what AWS developer advocate and Cloud Native Computing Foundation (CNCF) ambassador Michael Hausenblas has done for the second consecutive year. The AWS Container Security Survey 2020 had 156 respondents, half of whom run the Elastic Kubernetes Service (EKS) on Elastic Compute Cloud (EC2) instances. A further 36% run containers on AWS Fargate, and about half of that group rely exclusively on Amazon ECS.
Organizations are not using scanning as much as they could to improve container security. Although 67% use Amazon ECR, only 40% actually use the registry's native image scanning. Perhaps they assume AWS already vouches for the images in the registry, but ECR scanning is opt-in per repository: an image is only scanned when scan-on-push is enabled or a scan is started explicitly, so a repository with neither holds images that have never been checked. Runtime security is almost non-existent: 70% don't do it yet, although 17% use CNCF's Falco for runtime threat detection.
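As an added example (not code from the survey, from AWS, or from any project the article mentions), the following script shows the two checks a practitioner would want around the scanning gap above: an audit of which ECR repositories have scan-on-push switched off, and a deploy gate that refuses an image whose scan findings reach a severity threshold or whose scan never completed. The check functions operate on the JSON shapes returned by `aws ecr describe-repositories` and `aws ecr describe-image-scan-findings`, so they run offline against the constructed sample responses embedded below; the repository names, finding names and severities in those samples are made up, and `fetch_live` and `enable_scan_on_push` only illustrate the corresponding boto3 calls and are not executed.

```python
"""Audit ECR image scanning and gate a deploy on scan findings.

Added example for this article, not code from the survey, AWS or any
project it mentions. The two check functions work on the JSON shapes
returned by `aws ecr describe-repositories` and
`aws ecr describe-image-scan-findings`, so they run offline against the
constructed sample responses below. fetch_live() shows the boto3 calls
that would supply real input; its import is deferred so the rest of the
file loads without boto3 or AWS credentials.
"""
from collections import Counter

# Rank ECR severities so a threshold like "HIGH" also catches CRITICAL.
SEVERITY_RANK = {"UNDEFINED": 0, "INFORMATIONAL": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample responses: field names follow the ECR API, every
# value is made up, and the finding names are placeholders, not real CVEs.
SAMPLE_REPOS = {"repositories": [
    {"repositoryName": "payments-api",
     "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "batch-worker",
     "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "legacy-cron"},   # older repo, setting never touched
]}
SAMPLE_FINDINGS = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findings": [
        {"name": "EXAMPLE-FINDING-1", "severity": "HIGH",
         "attributes": [{"key": "package_name", "value": "libexample"}]},
        {"name": "EXAMPLE-FINDING-2", "severity": "LOW"},
        {"name": "EXAMPLE-FINDING-3", "severity": "MEDIUM"},
    ]},
}


def repos_without_scan_on_push(describe_repositories_response):
    """Names of repositories where scanOnPush is off or unset.

    ECR only scans an image when scanOnPush is enabled or start-image-scan
    is called, so images in these repositories have never been checked
    unless someone scanned them by hand.
    """
    missing = []
    for repo in describe_repositories_response.get("repositories", []):
        cfg = repo.get("imageScanningConfiguration") or {}
        if not cfg.get("scanOnPush", False):
            missing.append(repo["repositoryName"])
    return sorted(missing)


def scan_gate(findings_response, fail_on="HIGH"):
    """Decide whether an image may ship, given its scan findings.

    Returns (passed, counts): counts maps severity to number of findings.
    Anything at or above `fail_on` blocks. A scan that is not COMPLETE
    (IN_PROGRESS, FAILED, or missing) fails closed: no result is not a
    clean result.
    """
    status = findings_response.get("imageScanStatus", {}).get("status")
    findings = findings_response.get("imageScanFindings", {}).get("findings", [])
    counts = Counter(f.get("severity", "UNDEFINED") for f in findings)
    if status != "COMPLETE":
        return False, dict(counts)
    threshold = SEVERITY_RANK[fail_on]
    blocking = sum(n for sev, n in counts.items()
                   if SEVERITY_RANK.get(sev, 0) >= threshold)
    return blocking == 0, dict(counts)


def fetch_live(repository_name, image_tag, region_name="us-east-1"):
    """Fetch the same two responses from AWS (needs credentials; not run here)."""
    import boto3  # deferred: the offline checks above do not need it
    ecr = boto3.client("ecr", region_name=region_name)
    repos = ecr.describe_repositories()
    findings = ecr.describe_image_scan_findings(
        repositoryName=repository_name, imageId={"imageTag": image_tag})
    return repos, findings


def enable_scan_on_push(ecr_client, repository_names):
    """Remediate: turn scanOnPush on for each named repository."""
    for name in repository_names:
        ecr_client.put_image_scanning_configuration(
            repositoryName=name,
            imageScanningConfiguration={"scanOnPush": True})


if __name__ == "__main__":
    print("scan-on-push disabled:", repos_without_scan_on_push(SAMPLE_REPOS))
    passed, counts = scan_gate(SAMPLE_FINDINGS)
    print("gate passed:", passed, "findings by severity:", counts)
```

Against the sample data the audit flags `batch-worker` and `legacy-cron`, and the gate rejects the image because of the single HIGH finding; raising `fail_on` to `CRITICAL` lets it through. In a real account `describe_repositories` is paginated, so iterate `ecr.get_paginator("describe_repositories")` rather than trusting a single page, and note that the gate deliberately treats an incomplete or failed scan as a rejection.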
When it comes to managing sensitive data, AWS Systems Manager Parameter Store has clearly fallen out of favor: it is used by only 26% of respondents versus 55% in the 2019 survey. Compare that with AWS Secrets Manager (43% in 2019 to 50% in 2020) and HashiCorp Vault (25% in 2019 to 38% in 2020). For organizations whose workloads span on-premises and multiple clouds, a provider-neutral secrets store like Vault can make sense instead of an AWS-specific service.
The survey also asked about several other CNCF projects, of which Open Policy Agent did particularly well, with 27% of respondents saying they use it to enforce policies. With a vibrant open source community supporting the project, the future looks bright for Styra, the company that originally created it. Indeed, production use of the project more than doubled in CNCF's latest survey, going from 5% in 2019 to 11% in 2020, with another 24% evaluating it.