Aqua Security’s tools prevent container drift by continuously scanning container images and running containers against known vulnerabilities and misconfigurations, then flagging or remediating deviations from a secure baseline.
Here’s Aqua in action, showing how it detects and helps remediate drift in a Kubernetes environment:
Imagine you have a Kubernetes deployment for a web application. The deployment specifies a particular version of an Nginx image, say nginx:1.21.0. Aqua Security, integrated into your CI/CD pipeline and runtime environment, has established a baseline for this image based on your security policies.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.21.0 # This is our baseline image
ports:
- containerPort: 80
Now, let’s simulate drift:
-
Image Rebuild without Policy Update: A developer rebuilds the
nginx:1.21.0image, perhaps to include a new application dependency or a minor OS patch. Unbeknownst to them, this rebuild introduces a new vulnerability that wasn’t present in the original1.21.0tag. Aqua, scanning this new image before it’s deployed, flags it.- Aqua UI/CLI Output:
Image: myregistry/myteam/nginx:1.21.0-patched Vulnerabilities Found: - CVE-2023-XXXX (High) - In package 'openssl' version 1.1.1n-openssl1.1.1 - Misconfiguration: 'root' user allowed to run container - Action: Aqua can be configured to block the deployment of this image if it violates policies. If it’s already deployed, Aqua will alert you.
- Aqua UI/CLI Output:
-
Runtime Drift (Package Tampering/Modification): A running container for
nginx:1.21.0is compromised, and an attacker installs a new, unauthorized tool or modifies a critical configuration file.- Aqua Runtime Security: Aqua’s runtime security agent monitors running containers for unexpected process execution, file system changes, and network connections.
- Aqua UI/CLI Output:
Alert: Unauthorized process executed in pod nginx-deployment-xxxxx Details: Process '/usr/bin/nc' (netcat) started by user 'www-data' Alert: File modified in pod nginx-deployment-xxxxx Details: File '/etc/nginx/nginx.conf' changed at 2023-10-27T10:30:00Z - Action: Aqua can trigger automated responses like terminating the pod, isolating it, or notifying security teams.
-
Configuration Drift (Kubernetes Resource Modification): Someone with excessive Kubernetes permissions directly modifies the running deployment to use a different, unapproved image tag, or changes resource limits.
- Aqua’s Kubernetes Integration: Aqua continuously monitors Kubernetes API server events and the state of deployed resources against defined policies.
- Aqua UI/CLI Output:
Drift Detected: Deployment 'nginx-deployment' in namespace 'default' Reason: Image changed from 'nginx:1.21.0' to 'nginx:latest' Policy Violation: Use of 'latest' tag is disallowed. - Action: Aqua can alert administrators or, if integrated with admission controllers, prevent the change from being applied in the first place.
The Mental Model:
Aqua operates on a layered security approach for containers:
- Image Scanning (Shift-Left): This happens pre-deployment, typically in your CI/CD pipeline. Aqua scans container images for known vulnerabilities (CVEs) in packages, malware, and compliance violations (e.g., hardcoded secrets, disallowed base images). It establishes a "golden image" or baseline for what a secure image should look like.
- Registry Scanning: Similar to image scanning, but for images stored in your container registry. This ensures that even if an image passes CI scanning, it doesn’t drift into an insecure state while sitting in the registry.
- Runtime Security: This is where Aqua observes running containers. It uses agents deployed within your Kubernetes cluster (or on hosts for non-orchestrated environments) to monitor process activity, file integrity, network traffic, and user behavior. This detects unauthorized changes or malicious activity inside the container.
- Kubernetes Security Posture Management (KSPM): Aqua analyzes your Kubernetes cluster configuration itself – RBAC, network policies, pod security policies (or their successors), and the configuration of your deployment manifests. This prevents or detects drift in the orchestration layer that could lead to insecure configurations.
The core problem Aqua solves is that containers, by their nature, are immutable in theory but can become mutable in practice through various means (malicious access, accidental misconfiguration, unmanaged updates). This "drift" from a known secure state is a major attack vector. Aqua’s continuous scanning and monitoring across the lifecycle (build, registry, runtime, orchestrator) aim to detect and prevent this drift.
The primary levers you control with Aqua are its policies. These policies define what constitutes acceptable risk. You configure them to specify:
- Which vulnerabilities are critical enough to block deployment (e.g., block all High and Critical CVEs).
- What types of processes are allowed to run in which kinds of containers.
- Which file system paths should be monitored for changes.
- Disallowed image tags or registries.
- Minimum security configurations for Kubernetes resources.
The most surprising mechanical detail is how Aqua differentiates between a known change and drift. When an image is rebuilt, Aqua doesn’t just scan for CVEs; it compares the new image’s layers and package manifests against the previously scanned and approved version. If a nginx:1.21.0 image is scanned and approved, and then later a different nginx:1.21.0 image is scanned (e.g., due to a registry refresh or a new build pushing to the same tag), Aqua will flag it as a potential drift even if the CVE count is zero. It’s comparing the cryptographic hashes of the image layers. This ensures that you are always running the exact image you intended to run.
The next concept you’ll likely encounter is managing the lifecycle of these policies as your development practices evolve.