Amazon ECS Fargate: Docker Container Deployment demystified with Security Focus

In this blog, we will learn how to deploy Docker containers using Amazon ECS Fargate. After that, we will do some reconnaissance against the deployed application to find sensitive information. For this blog and demonstration, I am using the Damn Vulnerable Web Application (DVWA). We will deploy its Docker image to AWS and then run a recon tool against it to look for juicy information.

Amazon ECS: A fully managed container orchestration service that helps you deploy, manage, and scale containerized applications more efficiently.

AWS Fargate: A serverless compute engine used with Amazon ECS to run containers without managing servers or clusters of Amazon EC2 instances. You don't have to provision, configure, or scale clusters to run the containers.

Following are the steps for deploying a Docker image on AWS Fargate.

  1. Build a Docker image of your application and push it to Amazon Elastic Container Registry (ECR).
  2. Create a task definition. In it, define parameters such as the Docker image URI, CPU, memory, port mappings, security groups, network settings, etc.
  3. Set up your ECS cluster from the AWS Management Console.
  4. Create an ECS service to manage running instances of your task definition. If you only need to run a single container, you can run a task directly instead.
  5. Configure load balancing for high availability. This blog does not cover the load balancer.
  6. Using the public IP from the running task's configuration, we can access the application.
  7. In real-world use cases, this IP address would sit behind a DNS name.

Now, let us pull the Damn Vulnerable Web App image from Docker Hub.

Log in to your AWS Management Console and create an Amazon ECR repository.

Use the command below to retrieve an authentication token and authenticate your Docker client to your registry. The image below shows that our login succeeded.

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 685142042446.dkr.ecr.us-east-1.amazonaws.com

Now we will tag our Docker image for the Amazon ECR repository (and then push it) using the following command:

docker tag webapp:latest 685142042446.dkr.ecr.us-east-1.amazonaws.com/webapp:latest

The image above shows that we have successfully pushed the image to our repository on Amazon ECR.

Now we will create the ECS cluster.

ECS Cluster: An Amazon ECS cluster is a logical grouping of tasks or services.

Task Definition: A task definition is a blueprint for your application. It is a text file in JSON format that describes the parameters and one or more containers that form your application.

While creating the task definition, we will choose Fargate as the launch type, which is serverless compute for containers.

The image below shows that our task definition was created successfully.

In Amazon ECS, a task is a running instance of your application blueprint, created from a task definition. You define how many copies of the application you want to run (a service) within a cluster, and ECS manages them automatically. An ECS service ensures that the desired number of tasks is running at all times, even if one stops unexpectedly. In our case we are running only one container, so we will create just a task rather than a service.

We can see that the task has launched and its last status is RUNNING.

We will check the public IP.

Try making a cURL request to check. We can access our web application. In a real organization's use case, this IP address would be behind a DNS name, but for this blog we are not using one.

Now, using the fuzzing tool OWASP DirBuster from Kali Linux, we can fuzz/brute-force directories.

Enter the URL and the path to the wordlist, choose the number of threads, select the required options, and click Start.

We have found some juicy information at https://54.158.166.93/var/www/html/config/config.inc.php

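From the defender's side, a scan like the one above leaves a clear trace in the web container's access log. As an added example that is not part of the original post, the following Python script parses a few constructed Apache combined-format lines (the IPs, timestamps and User-Agent string are made up) and flags any client that produces many 404s in a short window, plus any 200 response for a path that looks like a configuration or backup file.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines imitating the web container's access log
# during the directory brute-force above; IPs, times and the User-Agent are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
198.51.100.4 - - [10/Mar/2024:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /tmp/ HTTP/1.1" 404 196 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /config/config.inc.php HTTP/1.1" 200 1287 "-" "DirBuster-1.0-RC1"
198.51.100.4 - - [10/Mar/2024:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SENSITIVE = re.compile(r"config|\.inc\.php|\.env|\.git/|backup", re.I)

def parse(log_text):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
            r["status"] = int(r["status"])
            yield r

def detect(log_text, threshold=5, window_s=60):
    """Return (scanners, exposures): scanners maps each client IP with at least `threshold`
    404s inside `window_s` seconds to that count; exposures lists 200s for sensitive-looking paths."""
    misses, exposures = defaultdict(list), []
    for r in parse(log_text):
        if r["status"] == 404:
            misses[r["ip"]].append(r["ts"])
        elif r["status"] == 200 and SENSITIVE.search(r["path"]):
            exposures.append((r["ip"], r["path"]))
    scanners = {}
    for ip, times in misses.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):  # sliding window over sorted 404 timestamps
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                scanners[ip] = i - j + 1
                break
    return scanners, exposures
```

The same logic applies unchanged to CloudWatch Logs exported from the task once the awslogs driver is configured, which is the point of the "set up logging" item in the best-practices list.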

Following are some security best practices for deploying container images:

  • Use trusted base images.
  • Apply the principle of least privilege to permissions.
  • Scan container images for vulnerabilities before deployment.
  • Store container images in private repositories and restrict access.
  • Implement encryption for data at rest and in transit.
  • Monitor container activities and set up logging.
  • Automate security updates and patching processes.
  • Follow container hardening best practices.
  • Sign container images to ensure integrity and authenticity.
  • Implement role-based access control (RBAC) using IAM.
  • Conduct regular security audits and assessments.
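
The task definition described earlier is where most of these practices are actually enforced. As an added example (not code from the original post), here is a small Python audit of a constructed Fargate task definition resembling the DVWA deployment, together with a function that produces the hardened version: a private ECR image pinned by digest, database credentials moved out of plain environment variables into the secrets block (the kind of credential DirBuster turned up in config.inc.php), a read-only root filesystem, a non-root user, and awslogs logging. The account id, image digest and ARNs are placeholders.

```python
import copy
import re

# Constructed task definition resembling the DVWA deployment in this post.
# Account id, image digest and ARNs below are placeholders, not real values.
WEAK_TASK_DEF = {
    "family": "webapp",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [{
        "name": "webapp",
        "image": "webapp:latest",
        "environment": [{"name": "DB_PASSWORD", "value": "plaintext-password"}],
    }],
}
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)

def audit(task_def: dict) -> list:
    """Return one finding per weak container setting; an empty list means every check passed."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        n, image = c["name"], c.get("image", "")
        if ".dkr.ecr." not in image:
            findings.append(f"{n}: image is not pulled from a private ECR repository")
        if "@sha256:" not in image:
            findings.append(f"{n}: image uses a mutable tag instead of a digest")
        for env in c.get("environment", []):  # credentials belong in 'secrets', not 'environment'
            if SECRET_NAME.search(env["name"]):
                findings.append(f"{n}: {env['name']} is a plain environment value")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"{n}: root filesystem is writable")
        if str(c.get("user", "root")).split(":")[0] in ("0", "root"):
            findings.append(f"{n}: container runs as root")
        if "logConfiguration" not in c:
            findings.append(f"{n}: no logConfiguration, container output is not collected")
    return findings

def harden(task_def: dict, account: str = "123456789012", region: str = "us-east-1") -> dict:
    """Return a hardened copy of task_def that passes every check in audit()."""
    td = copy.deepcopy(task_def)
    td["executionRoleArn"] = f"arn:aws:iam::{account}:role/ecsTaskExecutionRole"  # reads secrets, writes logs
    for c in td["containerDefinitions"]:
        repo = c["image"].split(":")[0]
        c["image"] = f"{account}.dkr.ecr.{region}.amazonaws.com/{repo}@sha256:{'0' * 64}"  # placeholder digest
        c["secrets"] = [{"name": e["name"], "valueFrom": f"arn:aws:secretsmanager:{region}:{account}:secret:{repo}/{e['name']}"}
                        for e in c.get("environment", []) if SECRET_NAME.search(e["name"])]
        c["environment"] = [e for e in c.get("environment", []) if not SECRET_NAME.search(e["name"])]
        c["readonlyRootFilesystem"] = True
        c["user"] = "1000:1000"
        c["logConfiguration"] = {"logDriver": "awslogs", "options": {
            "awslogs-group": f"/ecs/{td['family']}", "awslogs-region": region, "awslogs-stream-prefix": "ecs"}}
    return td
```

Running audit() over the JSON you register with `aws ecs register-task-definition` is a cheap gate to put in the deployment pipeline before the task ever gets a public IP.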

Hence, in this blog we learned how to deploy container images on Amazon ECS Fargate and then, using the OWASP DirBuster tool, performed directory brute-forcing to find sensitive information like database credentials. We also learned about security best practices for deploying Docker images.

Let's connect,

https://sankalpparanjpe.com/

https://www.dhirubhai.net/in/sankalp-s-paranjpe/

Avinash Dalvi

Full Stack Developer | Speaker | Blogger | Leadership | AWS Community Builder | Serverless advocate

7 months

This is very interesting. I am going to try this security part. Thanks for this information.
