Container security in Security Center

Azure Security Center is the Azure-native solution for securing your containers. Security Center can protect the following container resource types:

Resource: Container host
Name: Container hosts (virtual machines that are running Docker)
Details: Security Center scans your Docker configurations and gives you visibility into misconfigurations by providing a list of all failed rules that were assessed. Security Center provides guidelines to help you resolve these issues quickly and save time. Security Center continuously assesses the Docker configurations and provides you with their latest state.

Resource: Kubernetes service
Name: Azure Kubernetes Service (AKS) clusters
Details: Gain deeper visibility into your AKS nodes, cloud traffic, and security controls with Security Center's optional AKS bundle for standard tier users.

Resource: Container registry
Name: Azure Container Registry (ACR) registries
Details: Gain deeper visibility into the vulnerabilities of the images in your Azure Resource Manager-based ACR registries with Security Center's optional ACR bundle for standard tier users.

This article describes how you can use these bundles to improve, monitor, and maintain the security of your containers and their apps. You'll learn how Security Center helps with these core aspects of container security:

  • Vulnerability management - scanning container images
  • Environment hardening
  • Run-time protection - real-time threat detection

(Figure: Azure Security Center's container security tab)

For instructions on how to use these features, see Monitoring the security of your containers.

Vulnerability management - scanning container images

To monitor your Azure Resource Manager-based Azure Container Registry, ensure you're on Security Center's standard tier (see pricing). Then, enable the optional Container Registries bundle. When a new image is pushed, Security Center scans the image using a scanner from the industry-leading vulnerability scanning vendor, Qualys.

When issues are found – by Qualys or Security Center – you'll get notified in the Security Center dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Security Center's recommendations for containers, see the reference list of recommendations.

Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By only notifying when there are problems, Security Center reduces the potential for unwanted informational alerts.

Environment hardening

Continuous monitoring of your Docker configuration

Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark.

Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you when a container fails any of its controls. When it finds misconfigurations, Security Center generates security recommendations. Use the recommendations page to view recommendations and remediate issues. You'll also see the recommendations on the Containers tab, which lists all virtual machines deployed with Docker.

For details of the relevant Security Center recommendations that might appear for this feature, see the container section of the recommendations reference table.

When you're exploring the security issues of a VM, Security Center provides additional information about the containers on the machine. Such information includes the Docker version and the number of images running on the host.

Note

These CIS benchmark checks will not run on AKS-managed instances or Databricks-managed VMs.
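The assessment described above compares a host's Docker daemon settings with the CIS Docker Benchmark. The following script is an added example, not Security Center's own assessment code: it reads a daemon.json (falling back to a constructed sample when no Docker host is present) and reports PASS/FAIL for a handful of daemon-level controls, with a remediation hint for each failure. Control names are paraphrased from the benchmark and no control numbers are given because they differ between benchmark versions; the keys checked are real daemon.json settings.

```python
"""Assess a Docker daemon.json against a few CIS Docker Benchmark daemon controls.

Added example, not Security Center's assessment code. Control names are paraphrased
from the CIS Docker Benchmark; numbering differs between versions, so none is given.
"""
import json
import os


def tcp_socket_requires_tls(cfg):
    """Pass when the daemon has no tcp:// listener, or has one protected by tls + tlsverify."""
    if not any(h.startswith("tcp://") for h in cfg.get("hosts", [])):
        return True  # control not applicable: the daemon is only on the local Unix socket
    return cfg.get("tls") is True and cfg.get("tlsverify") is True


# (control name, remediation hint, predicate returning True when the setting is compliant)
DAEMON_CHECKS = [
    ("Restrict network traffic between containers",
     'set "icc": false so containers only talk over explicitly connected networks',
     lambda cfg: cfg.get("icc") is False),
    ("Set logging level to info",
     'set "log-level": "info"; higher levels drop events the host audit trail needs',
     lambda cfg: cfg.get("log-level", "info") == "info"),
    ("Do not use insecure registries",
     'remove every entry from "insecure-registries"; plaintext registries defeat image integrity',
     lambda cfg: not cfg.get("insecure-registries")),
    ("Enable user namespace support",
     'set "userns-remap": "default" so root inside a container maps to an unprivileged host UID',
     lambda cfg: bool(cfg.get("userns-remap"))),
    ("Enable live restore",
     'set "live-restore": true so containers keep running across daemon restarts',
     lambda cfg: cfg.get("live-restore") is True),
    ("Disable userland proxy",
     'set "userland-proxy": false; hairpin NAT replaces the docker-proxy process',
     lambda cfg: cfg.get("userland-proxy") is False),
    ("Protect the TCP daemon socket with TLS",
     'set "tls": true and "tlsverify": true (with tlscacert/tlscert/tlskey) or drop the tcp:// host',
     tcp_socket_requires_tls),
]


def assess(daemon_json_text):
    """Return one result per control: {'control', 'status', 'remediation'}."""
    cfg = json.loads(daemon_json_text)  # malformed JSON raises ValueError; the caller should see it
    return [{"control": name,
             "status": "PASS" if check(cfg) else "FAIL",
             "remediation": hint}
            for name, hint, check in DAEMON_CHECKS]


def failed_controls(daemon_json_text):
    """Names of the controls the given configuration fails."""
    return [r["control"] for r in assess(daemon_json_text) if r["status"] == "FAIL"]


# Constructed samples: a weak daemon.json and a hardened counterpart.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "icc": true,
  "log-level": "debug",
  "insecure-registries": ["registry.internal:5000"],
  "live-restore": true
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "log-level": "info",
  "userns-remap": "default",
  "live-restore": true,
  "userland-proxy": false
}"""


if __name__ == "__main__":
    path = "/etc/docker/daemon.json"
    if os.path.exists(path):
        with open(path) as f:
            text = f.read()
    else:
        text = WEAK_DAEMON_JSON  # not on a Docker host: assess the constructed weak sample
    for r in assess(text):
        print(f"{r['status']}  {r['control']}")
        if r["status"] == "FAIL":
            print(f"      -> {r['remediation']}")
```

Settings that are absent from daemon.json are treated as their Docker defaults (for example, `userland-proxy` defaults to true and therefore fails), which is how a benchmark-style assessment avoids passing a host simply because nothing was configured.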

Continuous monitoring of your Kubernetes clusters

Security Center works together with Azure Kubernetes Service (AKS), Microsoft's managed container orchestration service for developing, deploying, and managing containerized applications.

AKS provides security controls and visibility into the security posture of your clusters. Security Center uses these features to:

  • Constantly monitor the configuration of your AKS clusters
  • Generate security recommendations aligned with industry standards

For details of the relevant Security Center recommendations that might appear for this feature, see the container section of the recommendations reference table.

Run-time protection - Real-time threat detection

Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Security Center provides threat protection at different levels:

  • Host level - The Log Analytics agent monitors Linux hosts for suspicious activity. The agent triggers alerts for suspicious activities originating from the node or a container running on it. Examples of such activities include web shell detection and connections to known suspicious IP addresses.

    For a deeper insight into the security of your containerized environment, the agent monitors container-specific analytics. It will trigger alerts for events such as privileged container creation, suspicious access to API servers, and Secure Shell (SSH) servers running inside a Docker container.

    Important

    If you choose not to install the agents on your hosts, you will only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and communications with malicious servers.

    For a list of the AKS host level alerts, see the Reference table of alerts.

  • At the AKS cluster level, the threat protection is based on analyzing Kubernetes audit logs. To enable this agentless monitoring, add the Kubernetes option to your subscription from the Pricing & settings page (see pricing). To generate alerts at this level, Security Center monitors your AKS-managed services using the logs retrieved by AKS. Examples of events at this level include exposed Kubernetes dashboards, creation of highly privileged roles, and the creation of sensitive mounts.

    Note

    Security Center generates security alerts for Azure Kubernetes Service actions and deployments occurring after the Kubernetes option is enabled on the subscription settings.

    For a list of the AKS cluster level alerts, see the Reference table of alerts.
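The cluster-level detections above are driven by Kubernetes audit logs. The script below is an added example and not Security Center's detection logic: it reads audit.k8s.io/v1 events as JSON lines and flags the three event types the text names (a binding that grants a highly privileged cluster role, a pod that mounts a sensitive host path, and a dashboard service exposed outside the cluster). The audit events, the list of sensitive host paths, and the "dashboard" name match are all constructed for the example.

```python
"""Flag risky Kubernetes API writes in audit.k8s.io/v1 audit events (JSON lines).

Added example, not Security Center's detection logic. The sample events and the
sensitive-path list below are constructed for illustration.
"""
import json

# Host paths whose exposure to a pod amounts to host access (constructed, not exhaustive).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/root", "/var/run/docker.sock", "/var/lib/kubelet"}
HIGH_PRIVILEGE_CLUSTER_ROLES = {"cluster-admin"}


def is_completed_write(event):
    """Only a completed, successful create/update/patch changes cluster state.

    Each request is logged at RequestReceived and again at ResponseComplete; ignoring the
    first stage and non-2xx responses avoids duplicate findings and findings for denied requests.
    """
    if event.get("stage") != "ResponseComplete" or event.get("verb") not in ("create", "update", "patch"):
        return False
    return 200 <= event.get("responseStatus", {}).get("code", 0) < 300


def check_privileged_binding(event):
    ref, obj = event.get("objectRef", {}), event.get("requestObject", {})
    if ref.get("resource") not in ("clusterrolebindings", "rolebindings"):
        return None
    role = obj.get("roleRef", {})
    if role.get("kind") == "ClusterRole" and role.get("name") in HIGH_PRIVILEGE_CLUSTER_ROLES:
        subjects = ", ".join(f"{s.get('kind')}/{s.get('name')}" for s in obj.get("subjects", []))
        return f"{ref['resource']} '{ref.get('name')}' grants {role['name']} to {subjects}"
    return None


def check_sensitive_mount(event):
    ref, obj = event.get("objectRef", {}), event.get("requestObject", {})
    if ref.get("resource") != "pods":
        return None
    for vol in obj.get("spec", {}).get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and (path.rstrip("/") or "/") in SENSITIVE_HOST_PATHS:
            return f"pod '{ref.get('name')}' mounts sensitive host path {path} via volume '{vol.get('name')}'"
    return None


def check_exposed_dashboard(event):
    ref, obj = event.get("objectRef", {}), event.get("requestObject", {})
    if ref.get("resource") != "services" or "dashboard" not in (ref.get("name") or ""):
        return None
    svc_type = obj.get("spec", {}).get("type", "ClusterIP")
    if svc_type in ("LoadBalancer", "NodePort"):
        return f"service '{ref.get('name')}' exposes the dashboard as {svc_type}"
    return None


CHECKS = (check_privileged_binding, check_sensitive_mount, check_exposed_dashboard)


def analyze(audit_lines):
    """Return one finding dict per risky completed write in the JSON-lines input."""
    findings = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the batch
        if not is_completed_write(event):
            continue
        for check in CHECKS:
            msg = check(event)
            if msg:
                findings.append({"auditID": event.get("auditID"),
                                 "user": event.get("user", {}).get("username"),
                                 "finding": msg})
    return findings


def _event(audit_id, stage, verb, resource, name, request_object, code=201, user="dev-user"):
    """Build a constructed audit event with the fields the checks read."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id, "stage": stage,
            "verb": verb, "user": {"username": user}, "objectRef": {"resource": resource, "name": name},
            "responseStatus": {"code": code}, "requestObject": request_object}


_BINDING = {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]}
_DOCKER_SOCK_POD = {"spec": {"volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}}
_PLAIN_POD = {"spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}}
_DASHBOARD_SVC = {"spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}}

# Constructed audit log: a duplicate first-stage event, a denied request and a benign pod are included.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("a1", "RequestReceived", "create", "clusterrolebindings", "ci-admin", _BINDING),
    _event("a1", "ResponseComplete", "create", "clusterrolebindings", "ci-admin", _BINDING),
    _event("a2", "ResponseComplete", "create", "pods", "debug-shell", _DOCKER_SOCK_POD),
    _event("a3", "ResponseComplete", "create", "pods", "web-1", _PLAIN_POD),
    _event("a4", "ResponseComplete", "create", "services", "kubernetes-dashboard", _DASHBOARD_SVC),
    _event("a5", "ResponseComplete", "create", "clusterrolebindings", "denied", _BINDING, code=403),
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{f['auditID']}] {f['user']}: {f['finding']}")
```

The stage and response-code filter matters in practice: the API server emits a RequestReceived event before the request is authorized, so alerting on it would report writes that were never applied, and it would double-count every successful one.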

Also, our global team of security researchers constantly monitors the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.

Tip

You can simulate container alerts by following the instructions in this blog post.

Next steps

In this overview, you learned about the core elements of container security in Azure Security Center. Continue to how to monitor the security of your containers.