Introducing server-side encryption of ephemeral storage using AWS Fargate-managed keys in AWS Fargate platform version 1.4

This post was contributed by Yuling Zhou, Eduardo Lopez Biagi, and Paavan Mistry.

Today, we introduced server-side encryption of ephemeral storage in AWS Fargate platform version 1.4. On the updated platform version, ephemeral task storage is automatically encrypted with the industry-standard AES-256 encryption algorithm using AWS Fargate-managed keys. This feature requires no additional configuration from customers for new Amazon ECS tasks and services launched in platform version 1.4. Amazon EKS pods launched on AWS Fargate use platform version 1.4, hence any pods launched starting today will also use encrypted ephemeral storage with Fargate-managed keys.

Customers building services on AWS Fargate might require encryption of data at rest that meets a specific classification or security and compliance requirement that is associated with a particular application, workload, or environment. Encrypting data at rest is vital for regulatory compliance to ensure that sensitive data saved on disks is protected against unauthorized access. Some compliance regulations, such as PCI DSS and HIPAA, require that data at rest be encrypted throughout the data lifecycle. To gather input from our customers for encrypting data at rest for AWS Fargate ephemeral storage, we sought feedback last year through AWS containers roadmap issue #314.

Previously, to encrypt data written to task storage, AWS Fargate customers needed to design and implement data encryption controls within their application architecture in order to meet their organizational security and compliance requirements. This feature enables customers to meet their organizational or regulatory security and compliance requirements, as ephemeral task storage is now encrypted at rest using Fargate-managed keys. Using this feature ensures that data written to ephemeral storage attached to your AWS Fargate tasks and services is stored in encrypted ephemeral storage with no action required by you. This adds an additional layer of security to tasks running on AWS Fargate for defense in depth.

For AWS Fargate, the following types of storage are supported:

  1. Ephemeral storage for nonpersistent storage.
  2. Amazon EFS volumes for persistent storage.

| Storage Type | AWS Fargate Platform Version (PV) 1.4: Amazon ECS Tasks | AWS Fargate Platform Version (PV) 1.4: Amazon EKS Pods |
|---|---|---|
| Ephemeral storage (20GB with server-side encryption) | Now available in updated PV 1.4 | Now available for newly launched Amazon EKS pods |
| Amazon EFS volumes (for persistent storage) | Supported | We’re working towards supporting this (#826) |

Server-side encryption of ephemeral storage has been enabled for AWS Fargate via a release update to platform version 1.4. With this update, as shown in the table above, new Amazon ECS tasks launched in PV 1.4 will benefit from server-side encryption of the 20GB ephemeral storage using AWS Fargate-managed keys. Amazon EKS pods launched in AWS Fargate from today will also use this feature as Amazon EKS uses the updated AWS Fargate PV 1.4.

To use Amazon EFS volumes for persistent storage with AWS Fargate, refer to the recent three-part blog series on this topic by my colleague, Massimo Re Ferre. For encrypting EFS volumes in general, including data at rest, refer to the Encrypting File Data with Amazon EFS white paper. Refer to this walkthrough for enforcing encryption on an Amazon EFS file system at rest.

Example: To launch an Amazon ECS task on AWS Fargate PV 1.4 with ephemeral storage encryption

In this example, you may have a webserver task definition that could be part of a payment card data processing architecture.

{
   "containerDefinitions": [ 
      { 
         "command": [
            "/bin/sh -c \"echo '<html> <head> <title>Payment Processing Web Interface</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' >  /usr/local/apache2/htdocs/index.html && httpd-foreground\""
         ],
         "entryPoint": [
            "sh",
            "-c"
         ],
         "essential": true,
         "image": "httpd:2.4",
         "logConfiguration": { 
            "logDriver": "awslogs",
            "options": { 
               "awslogs-group" : "/ecs/fargate-task-definition",
               "awslogs-region": "us-east-1",
               "awslogs-stream-prefix": "ecs"
            }
         },
         "name": "sample-fargate-app",
         "portMappings": [ 
            { 
               "containerPort": 80,
               "hostPort": 80,
               "protocol": "tcp"
            }
         ]
      }
   ],
   "cpu": "256",
   "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
   "family": "fargate-task-definition",
   "memory": "512",
   "networkMode": "awsvpc",
   "requiresCompatibilities": [ 
       "FARGATE" 
    ]
}

As this task is launched in the ECS cluster using the AWS CLI command below, it will use the 20GB ephemeral storage encrypted with Fargate-managed encryption keys for platform version 1.4 with no additional configuration required from customers.

aws ecs run-task --cluster <clustername> \
--task-definition <taskdefinition>:<version> \
--count 1 --launch-type "FARGATE" \
--platform-version 1.4.0 \
--network-configuration "awsvpcConfiguration={subnets=[<subnetid>],securityGroups=[<securitygroupid>]}" \
--region <region>

Update existing tasks and pods to use server-side encryption for ephemeral storage

Scenario 1: For Amazon ECS services and tasks using Fargate launch type currently running on platform version 1.4

If you have a service with running tasks on platform version 1.4 prior to this launch, you will need to relaunch your service by choosing Force new deployment. For more information, see updating a service. Your tasks will be redeployed with server-side encryption enabled ephemeral storage on the updated platform version 1.4.

Scenario 2: For Amazon ECS services and tasks using Fargate launch type currently running on platform version 1.3 (LATEST) or earlier

If you have a service with running tasks on platform version 1.3 or earlier, you can update your service by specifying platform version 1.4, and choosing Force new deployment. Your tasks will be redeployed with the latest platform version. For more information, see updating a service.

Scenario 3: For Amazon EKS pods using AWS Fargate launch type

If you have pods or deployments in Amazon EKS clusters using AWS Fargate launch type, you’ll need to restart your pods or deployments for them to use the updated AWS Fargate platform version 1.4.
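To decide which of the scenarios above applies to each running task, the following added example (not part of the original post or of any AWS tooling) classifies the JSON returned by `aws ecs describe-tasks` using its `launchType`, `platformVersion` and `createdAt` fields. The cutoff date and the sample tasks are constructed placeholders, and treating `createdAt` as the launch time is an assumption.

```python
import json
from datetime import datetime, timezone

# CONSTRUCTED placeholder, not the real launch date: set this to when the
# updated platform version 1.4 became available to you.
CUTOFF = datetime(2020, 6, 1, tzinfo=timezone.utc)

# CONSTRUCTED sample shaped like `aws ecs describe-tasks` output.
SAMPLE = json.dumps({"tasks": [
    {"taskArn": "task/demo/a", "launchType": "FARGATE",
     "platformVersion": "1.3.0", "createdAt": 1580000000.0},
    {"taskArn": "task/demo/b", "launchType": "FARGATE",
     "platformVersion": "1.4.0", "createdAt": "2020-05-20T09:00:00+00:00"},
    {"taskArn": "task/demo/c", "launchType": "FARGATE",
     "platformVersion": "1.4.0", "createdAt": "2020-06-15T09:00:00+00:00"},
    {"taskArn": "task/demo/d", "launchType": "EC2", "createdAt": 1580000000.0},
]})

def _when(value):
    """Timestamps arrive as epoch seconds or ISO 8601, depending on CLI settings."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def classify(task, cutoff):
    """Map one task to the scenario from the post that applies to it."""
    if task.get("launchType") != "FARGATE":
        return "not-fargate"
    try:
        major, minor = (int(p) for p in task["platformVersion"].split(".")[:2])
    except (KeyError, ValueError):
        return "unknown-platform-version"  # review by hand
    if (major, minor) < (1, 4):
        return "scenario-2"  # set platform version 1.4, force new deployment
    if _when(task["createdAt"]) < cutoff:
        return "scenario-1"  # on 1.4 but launched before the update
    return "encrypted"

def audit(describe_tasks_json, cutoff=CUTOFF):
    """Return {taskArn: classification} for every task in the JSON document."""
    tasks = json.loads(describe_tasks_json)["tasks"]
    return {t["taskArn"]: classify(t, cutoff) for t in tasks}

if __name__ == "__main__":
    for arn, verdict in audit(SAMPLE).items():
        print(f"{verdict:26} {arn}")
```

Tasks reported as `scenario-1` or `scenario-2` belong to services that still need a forced new deployment before their ephemeral storage is encrypted.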

Related planned updates and documentation references

We recognize that encryption implementation has various ownership and control requirements from customers, especially for key management. We are working on a feature to introduce customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS) for encryption of ephemeral storage. This will introduce additional mechanisms for customers to control CMK origin, ownership, and audit amongst other benefits offered by AWS KMS to help with key management controls.

We have included AWS Fargate document references below that may be useful for you in relation to this announcement:

You can start using the encryption at rest feature today on AWS Fargate platform version 1.4. We welcome your feedback through our AWS containers roadmap channel and we’re excited for you to use this feature to build secure and compliant AWS Fargate applications!

If you are new to AWS Fargate, this is a good starting point for using it and for understanding what it means to run containers without worrying about the infrastructure.

 

Yuling Zhou

Yuling is a Software Development Engineer for Containers at AWS.

Eduardo Lopez

Eduardo is a Senior Software Development Engineer on the AWS Fargate team.