AWS Partner Network (APN) Blog
How Anchore on AWS can help customers achieve FedRAMP Compliance
By Jono Bergquist, Product Marketing – Anchore
By Luis Morales, Partner Solutions Architect – AWS
In this post, we will showcase the power of the Anchore container security solution on AWS and how it can support customers like Cisco Umbrella in achieving a FedRAMP Agency ATO.
FedRAMP vulnerability scanning requirements for containers include:
- Hardened images and compliance across the entire container environment.
- Automated build pipeline with policy enforcement.
- Vulnerability scanning in the pipeline and registry.
- Security sensors to prevent malware in the pipeline, registry, and runtime.
- Registry monitoring with alerts on policy non-compliance.
- Asset management with a full inventory of containers in production.
Anchore, an AWS Partner specializing in container security, supported Cisco Umbrella. Anchore Enterprise’s solution integrated seamlessly with Cisco’s existing infrastructure and helped it meet all six of the above FedRAMP requirements.
Cisco Umbrella for Government, offered by Cisco Systems, a leading global technology company, delivers advanced, cloud-native cybersecurity, ensuring protection and compliance for federal, state, and local government agencies in support of their missions. These solutions help organizations with the most stringent security and compliance requirements by protecting their networks, applications, and data in the cloud through advanced threat detection, prevention, and response capabilities. Given the large number of security services these customers provide, meeting the evolving security and compliance requirements of their own systems and of their customers is a complex task.
Container Delivery Environment
Cisco Security Cloud’s build and deployment environment includes three critical services:
- AWS CodePipeline
- Amazon Elastic Container Registry (Amazon ECR)
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Amazon Elastic Container Service (Amazon ECS)
Anchore Enterprise’s integration with these services allowed Cisco to maintain a holistic security posture throughout their container delivery pipeline.
Additional High-Security Requirements
Not only did Cisco Security Cloud choose Anchore to start the FedRAMP process, but the team also needed to deploy Anchore into an environment that had to meet a number of other compliance standards. For example, the underlying Amazon Elastic Compute Cloud (Amazon EC2) nodes that backed the Amazon EKS deployment needed to maintain their Security Technical Implementation Guide (STIG) compliance; any new software couldn’t jeopardize this certification.
Anchore Enterprise was able to meet these stringent requirements and allow Cisco to move forward in its FedRAMP Agency ATO. Let’s look at how Anchore Enterprise is able to achieve these goals.
Anchore Architecture Diagram
Anchore Enterprise integrates at all major steps of the build pipeline. Below is a comprehensive diagram that shows the Anchore deployment with each of its individual services, as well as where each service integrates into the Cisco Cloud Security build pipeline.
For example, the Anchore Enterprise API is consumed by Cisco’s CodePipeline instance, while the Anchore Enterprise notification service is integrated with Cisco’s vulnerability management system, source code management, and security alerting system.
Figure 1 – Services running in a deployment of Anchore Enterprise.
Build Pipeline Integration
Anchore Enterprise can be integrated at different stages of the build pipeline process by incorporating scanning via AWS CodePipeline, Jenkins, GitHub Workflows, GitLab CI jobs, or others. During the deployment stage, Anchore serves as a Kubernetes admission controller that uses the Anchore FedRAMP policy pack to block actions such as deploying unapproved images into production.
Figure 2 – Build pipeline process from code commit to build to deployment into production.
Anchore’s container scanning was integrated into the AWS CodePipeline build process through two simple API calls, made via its AnchoreCTL command line tool, to the Anchore Enterprise instance running in Amazon EKS. Alternatively, it could have been integrated via a pre-built plug-in for one of the CI/CD systems Anchore supports, or via REST API calls.
Container Registry Integration
Anchore Enterprise monitors every repository and every tag within specific repositories located within Cisco’s registry. This allows Cisco to automatically detect, scan, and inspect images (authorized and/or unauthorized) in its registry. All subsequent tags within that repository in that specific registry will be watched. Any new tags that are detected within that repository are automatically scanned.
Anchore Enterprise’s container registry integration is done via a service that polls the registry for changes. To integrate the service, you create a service account with a username and credential and add them to your Anchore Enterprise configuration via the console. After the service account is provisioned and the credentials saved, you can select which images or tags to watch.
Amazon EKS Integration
Anchore Enterprise integrates into Amazon EKS in two locations:
- Prior to deployment via Kubernetes Admission Controller.
- In-cluster, via a service called Kubernetes Automated Inventory (KAI).
Kubernetes Admission Controller
The Anchore Kubernetes Admission Controller that uses the Anchore FedRAMP policy is configured to block actions such as deploying unapproved images into production. There are three different ways to gate containers before a container enters production:
- Strict policy-based admission gating mode: Images must pass policy evaluation by Anchore Engine for admission.
- Analysis-based admission gating mode: Images must have been analyzed by Anchore Enterprise for admission.
- Passive analysis trigger mode: No admission requirement, but images are submitted for analysis by Anchore Engine prior to admission. The analysis itself is asynchronous.
Figure 3 – Container deployment process.
The Anchore Kubernetes Admission Controller is deployed via Helm Chart and configured via a config.json file:
- Add credentials to the configuration
- Configure the Controller settings:
  - Specify the Anchore Enterprise endpoint
  - Specify the policy to reference
  - Specify the gating mode
  - Specify selectors to define which resources to evaluate against the policy
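To make the three gating modes and the selector concrete, here is an added Python model of the admission decision (illustrative code written for this post, not Anchore’s controller). The image state table, the AdmissionReview request, the `registry.example` image names, and the namespace-regex selector are all constructed assumptions.

```python
import re
from typing import Callable, Dict, List

# Constructed stand-in for the per-image state Anchore Enterprise would hold (not a real API).
SAMPLE_IMAGE_STATUS: Dict[str, Dict[str, bool]] = {
    "registry.example/umbrella/api:1.4.2": {"analyzed": True, "policy_pass": True},
    "registry.example/umbrella/worker:0.9.0": {"analyzed": True, "policy_pass": False},
    "docker.io/library/busybox:latest": {"analyzed": False, "policy_pass": False},
}

# Constructed AdmissionReview request for a Pod with an init container and an app container.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "c0ffee00-0000-4000-8000-000000000001",
        "namespace": "umbrella-prod",
        "object": {"kind": "Pod", "spec": {
            "initContainers": [{"name": "migrate", "image": "registry.example/umbrella/worker:0.9.0"}],
            "containers": [{"name": "api", "image": "registry.example/umbrella/api:1.4.2"}],
        }},
    },
}

def pod_images(review: dict) -> List[str]:
    """Every image the Pod would run; init containers are gated too."""
    spec = review["request"]["object"]["spec"]
    return [c["image"] for key in ("initContainers", "containers") for c in spec.get(key, [])]

def evaluate(review: dict, mode: str, namespace_pattern: str,
             status: Dict[str, Dict[str, bool]], submit: Callable[[str], None]) -> dict:
    """Return an AdmissionReview response for gating mode 'policy', 'analysis' or 'passive'.

    The selector is modelled as a namespace regex: only matching namespaces are gated."""
    if mode not in ("policy", "analysis", "passive"):
        raise ValueError(f"unknown gating mode: {mode}")
    denials: List[str] = []
    if re.fullmatch(namespace_pattern, review["request"]["namespace"]):
        for image in pod_images(review):
            info = status.get(image, {"analyzed": False, "policy_pass": False})
            if not info["analyzed"]:
                submit(image)  # every mode queues unseen images for (asynchronous) analysis
            if mode == "policy" and not (info["analyzed"] and info["policy_pass"]):
                denials.append(f"{image}: not analyzed or failed policy")
            elif mode == "analysis" and not info["analyzed"]:
                denials.append(f"{image}: not yet analyzed")
    # passive mode never adds a denial, so the Pod is always admitted
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": review["request"]["uid"], "allowed": not denials,
                         "status": {"message": "; ".join(denials) or "admitted"}}}
```

Note that the init container fails policy, so strict mode rejects the whole Pod even though the application image is clean.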
Kubernetes Automated Inventory (KAI)
KAI deploys as a read-only pod within the customer’s clusters. It interrogates the Kubernetes API to gather all of the running containers in use across all of your clusters (regardless of whether they are production or non-production clusters), and then automatically submits the images in use to the Anchore Enterprise system for analysis. This can be used easily in multi-cluster/multi-tenant FedRAMP environments.
In the context of runtime analysis, Anchore Enterprise provides a complete Software Bill of Materials (SBOM), malware scan, and policy analysis in addition to performing vulnerability scanning.
KAI is also deployed via Helm Chart.
Application Security from Build to Runtime
Anchore Enterprise performs scanning within your build pipelines, watches the images/tags within the repositories located in your registries, and watches your clusters for unauthorized software being deployed. This provides container scanning at every step of the software development lifecycle (SDLC) as well as protects against unauthorized software.
Figure 4 – Anchore Enterprise user interface.
Expanding Anchore’s Support to Amazon ECS
This deployment was so successful that after Anchore Enterprise had been deployed to protect Cisco Umbrella’s Amazon EKS environment, the team at Cisco wanted to expand the scope of the project and bring its Amazon Elastic Container Service (Amazon ECS) environment into scope.
The ECS product team worked closely with Anchore and Cisco to build support for exposing the secure hashing algorithm (SHA) hashes through an API. Now, Cisco can adopt Anchore Enterprise for its entire container ecosystem in AWS and secure FedRAMP accreditation.
SBOMs to Meet Executive Order
In addition to needing to achieve FedRAMP compliance, Cisco Umbrella also needed to address the Software Bill of Materials (SBOM) requirements outlined in Executive Order 14028: Improving the Nation’s Cybersecurity.
Anchore Enterprise automatically creates SBOMs for all scans of build artifacts, registry images, and runtime containers. Any time a component of Cisco’s SDLC interacts with Anchore Enterprise, a record of the analysis is retained as an SBOM, which allows Cisco to detect drift or injection across its entire software supply chain. This allows Anchore to alert Cisco when and where vulnerabilities or unauthorized software are entering its environments.
Conclusion
The end-to-end narrative of Anchore on AWS showcases the power of a comprehensive container security solution in achieving and maintaining FedRAMP compliance. By integrating Anchore into its build process, container registries, and Kubernetes environment, you can strengthen your security posture while addressing the complex challenges of a highly-regulated environment.
Anchore’s adaptability and effectiveness in meeting high-security requirements demonstrate the value of leveraging AWS and its partners for achieving compliance goals.
If your organization faces similar challenges, or is looking to improve its container security and compliance posture, we encourage you to explore Anchore and AWS solutions to help you achieve your objectives.
Anchore – AWS Partner Spotlight
Anchore is an AWS Partner specializing in container security that automates the process of uncovering software vulnerabilities and ensuring mitigation throughout the software lifecycle.