Prithiviraj R

Top 15 Container Security Best Practices

AWS-Specific Implementation (EKS, ECR, ECS)

1. Use Minimal Base Images (AWS)

EKS / ECS

Use minimal images when building containers deployed to EKS or ECS.

Recommended

  • Distroless
  • Alpine
  • AWS-provided minimal images (for Lambda container workloads)

Why AWS cares

  • Smaller images mean faster pulls from ECR
  • Fewer packages in the image means a smaller attack surface and a reduced blast radius on shared EKS nodes

Example

FROM public.ecr.aws/distroless/base-debian12
COPY app /app
CMD ["/app"]

2. Scan Images for Vulnerabilities (Amazon ECR)

Amazon ECR Enhanced Scanning

Amazon ECR provides native vulnerability scanning using Inspector.

Enable scanning

# Each rule must carry a repositoryFilters list; "*" applies continuous scanning to every repository.
aws ecr put-registry-scanning-configuration \
  --scan-type ENHANCED \
  --rules '[{"scanFrequency":"CONTINUOUS_SCAN","repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}]}]'

What you get

  • CVE detection
  • Severity ratings
  • Integration with AWS Security Hub

3. Sign and Verify Images (EKS + ECR)

AWS + Cosign

Use Cosign with ECR and enforce verification via Kubernetes admission controllers.

Sign image

cosign sign \
  --key awskms:///alias/ecr-signing-key \
  123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest

Verify in EKS

  • Use Kyverno or Gatekeeper to block unsigned images

Benefit
Protects against supply-chain attacks: only images signed with your KMS key are admitted to the cluster.


4. Run Containers as Non-Root (EKS & ECS)

EKS

securityContext:
  runAsNonRoot: true
  runAsUser: 1000

ECS Task Definition

"user": "1000"

AWS impact

  • Prevents privilege escalation on worker nodes
  • Aligns with Pod Security Standards (restricted)

5. Implement Resource Limits (EKS & ECS)

EKS

resources:
  requests:
    cpu: "250m"
    memory: "256Mi"
  limits:
    cpu: "500m"
    memory: "512Mi"

ECS

"cpu": 512,
"memory": 1024

Why this matters in AWS

  • Prevents noisy-neighbor issues
  • Improves cluster stability
  • Reduces autoscaling anomalies

6. Use Read-Only File Systems (EKS)

securityContext:
  readOnlyRootFilesystem: true

AWS Security Benefit

  • Stops malware persistence
  • Blocks runtime tampering
  • Reduces blast radius in shared EKS nodes

7. Never Store Secrets in Images (AWS Secrets Manager)

EKS

Use Secrets Manager with IRSA (IAM Roles for Service Accounts), so each pod fetches its secrets with its own IAM role rather than with node credentials.

env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret   # Kubernetes Secret synced from Secrets Manager (e.g. via the Secrets Store CSI driver)
        key: password

ECS

"secrets": [
  {
    "name": "DB_PASSWORD",
    "valueFrom": "arn:aws:secretsmanager:..."
  }
]

Why AWS recommends this

  • Central rotation
  • IAM-based access
  • Audit logging via CloudTrail

8. Enable Runtime Security Profiles (EKS)

Seccomp Example

securityContext:
  seccompProfile:
    type: RuntimeDefault

Advanced

  • Combine with Falco on EKS
  • Stream alerts to CloudWatch or SIEM

9. Use Multi-Stage Builds (ECR Optimization)

AWS Advantage

  • Faster ECR pulls
  • Lower storage costs
  • Fewer vulnerabilities detected

# build stage: toolchain and dev dependencies stay here
FROM node:22 AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# runtime stage: distroless image with no shell or package manager
FROM public.ecr.aws/distroless/nodejs22
COPY --from=build /app /app
CMD ["/app/app.js"]

10. Network Segmentation (EKS + VPC)

Kubernetes Network Policy

spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:           # both types listed with no rules = default deny
  - Ingress
  - Egress

AWS Layer

  • Security Groups for Pods (EKS)
  • Private subnets
  • VPC flow logs

Outcome
Prevents lateral movement inside the cluster.


11. Use Trusted Registries (ECR)

Best Practice

  • Disable public registry pulls
  • Allow only ECR

EKS Admission Policy

  • Block images not from *.amazonaws.com

Why
Public images are a major malware vector.


12. Drop Linux Capabilities (EKS & ECS)

EKS

capabilities:
  drop:
    - ALL

ECS

"linuxParameters": {
  "capabilities": {
    "drop": ["ALL"]
  }
}

AWS Security Gain

  • Reduces kernel attack surface
  • Limits container breakout attempts

13. Logging & Monitoring (AWS Native)

EKS

  • CloudWatch Container Insights
  • Fluent Bit
  • Falco → CloudWatch Logs

ECS

  • awslogs driver
  • FireLens for advanced routing

Security Use Case

  • Detect suspicious syscalls
  • Audit container behavior

14. Image Lifecycle Management (ECR)

ECR Lifecycle Policy

{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire untagged images after 30 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 30
      },
      "action": { "type": "expire" }
    }
  ]
}

Benefits

  • Reduces attack surface
  • Controls storage cost
  • Forces fresh rebuilds

15. Prevent Container Escape (EKS & ECS)

EKS

  • No privileged pods
  • No hostPath mounts
  • Enforce Pod Security Admission (restricted)
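The EKS-side controls from practices 4, 5, 6, 8, 11, 12 and 15 can be checked mechanically before a manifest is applied. The script below is an added example, not code from this post; it audits a pod spec as a dict (what yaml.safe_load returns), and the private-ECR image pattern it assumes is stricter than the *.amazonaws.com rule in practice 11.

```python
import re

# Trusted registry: private ECR in any account/region (constructed pattern for this example).
ECR_IMAGE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")

def _effective(pod_sc, ctr_sc, key, default=None):
    # a container-level securityContext field overrides the pod-level one
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key, default)

def audit_pod(pod):
    """Return findings for settings that violate practices 4, 5, 6, 8, 11, 12 and 15."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath mount")
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if not ECR_IMAGE.match(c.get("image", "")):
            findings.append(f"{name}: image not from private ECR")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem writable")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        if _effective(pod_sc, sc, "seccompProfile", {}).get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccomp profile not RuntimeDefault")
        limits = c.get("resources", {}).get("limits", {})
        findings += [f"{name}: no {r} limit" for r in ("cpu", "memory") if r not in limits]
    return findings

# Constructed sample manifests as dicts (load real YAML with yaml.safe_load first).
HARDENED_POD = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.4.2",
                    "securityContext": {"readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}}}]}}
WEAK_POD = {"kind": "Pod", "spec": {
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "docker.io/library/nginx:latest", "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("weak", WEAK_POD)):
        print(label, audit_pod(pod) or "OK")
```

The same checks are what a Kyverno or Gatekeeper policy enforces at admission; running them in CI catches the drift earlier.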

ECS

"privileged": false

AWS Security Impact
A container escape on a worker node is a compromise of the underlying EC2 instance.
These controls block the most dangerous attack vector.
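The ECS side of practices 4, 5, 7, 11, 12 and 15 can be audited from the task definition JSON, with the secrets check (plaintext values in environment versus valueFrom ARNs in secrets) being the part the pod audit above does not cover. This is an added example, not the post's own code; the sample task definition, the secret-name pattern, the task-level cpu/memory assumption and the ARN/registry patterns are constructed assumptions.

```python
import json
import re

# Constructed sample task definition, in the shape `aws ecs register-task-definition` accepts.
TASK_DEF_JSON = """{
  "family": "app",
  "cpu": "512",
  "memory": "1024",
  "containerDefinitions": [{
    "name": "app",
    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.4.2",
    "user": "1000",
    "privileged": false,
    "linuxParameters": {"capabilities": {"drop": ["ALL"]}},
    "environment": [{"name": "LOG_LEVEL", "value": "info"},
                    {"name": "DB_PASSWORD", "value": "hunter2"}],
    "secrets": [{"name": "API_TOKEN",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/api-token-AbCdEf"}]
  }]
}"""

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)  # assumed naming pattern
SECRET_ARN = re.compile(r"^arn:aws:(secretsmanager|ssm):[a-z0-9-]+:\d{12}:(secret|parameter)[:/]")
ECR_IMAGE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")

def audit_task_definition(task_def):
    """Return findings for an ECS task definition (dict) against practices 4, 5, 7, 11, 12 and 15."""
    findings = []
    if not (task_def.get("cpu") and task_def.get("memory")):
        findings.append("task: no task-level cpu/memory")
    for c in task_def.get("containerDefinitions", []):
        name = c["name"]
        if not ECR_IMAGE.match(c.get("image", "")):
            findings.append(f"{name}: image not from private ECR")
        if c.get("privileged"):
            findings.append(f"{name}: privileged")
        if c.get("user") in (None, "", "0", "root"):
            findings.append(f"{name}: runs as root")
        if "ALL" not in c.get("linuxParameters", {}).get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        for env in c.get("environment", []):      # plaintext values baked into the task definition
            if SECRET_NAME.search(env["name"]):
                findings.append(f"{name}: {env['name']} is a plaintext environment variable")
        for s in c.get("secrets", []):            # must resolve through Secrets Manager or SSM
            if not SECRET_ARN.match(s.get("valueFrom", "")):
                findings.append(f"{name}: secret {s['name']} not backed by Secrets Manager/SSM")
    return findings

def audit_task_json(text):
    return audit_task_definition(json.loads(text))
```

Run against the sample, the only finding is the DB_PASSWORD placed in environment; moving it into secrets with a Secrets Manager ARN clears it.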


AWS Security Alignment

These 15 practices directly map to:

  • AWS Well-Architected Framework – Security Pillar
  • EKS Best Practices Guide
  • Zero Trust container principles
  • CIS Kubernetes Benchmarks

Final AWS-Focused Takeaway

If you are running containers on EKS, ECS, or ECR, these controls are not optional hardening—they are baseline production requirements. When applied together, they significantly reduce:

  • Misconfiguration risk
  • Supply chain attacks
  • Runtime compromises
  • Cloud security incidents

Happy learning
Prithiviraj Rengarajan
DevOps Engineer
