Container security in Security Center

Azure Security Center is the Azure-native solution for securing your containers.

Security Center can protect the following container resource types:

Resource type: Azure Kubernetes Service (AKS) clusters
Protections offered by Security Center:
- Continuous assessment of your AKS clusters' configurations to provide visibility into misconfigurations, and guidelines to help you resolve any discovered issues. Learn more about environment hardening through security recommendations.
- Threat protection for AKS clusters and Linux nodes. Alerts for suspicious activities are provided by the optional Azure Defender for Kubernetes. Learn more about run-time protection for AKS nodes and clusters.

Resource type: Container hosts (VMs running Docker)
Protections offered by Security Center:
- Continuous assessment of your Docker configurations to provide visibility into misconfigurations, and guidelines to help you resolve any discovered issues, with the optional Azure Defender for servers. Learn more about environment hardening through security recommendations.

Resource type: Azure Container Registry (ACR) registries
Protections offered by Security Center:
- Vulnerability assessment and management tools for the images in your Azure Resource Manager-based ACR registries, with the optional Azure Defender for container registries. Learn more about scanning your container images for vulnerabilities.

This article describes how you can use Security Center, together with the optional Azure Defender plans for container registries, servers, and Kubernetes, to improve, monitor, and maintain the security of your containers and their apps.

You'll learn how Security Center helps with the core aspects of container security: vulnerability management for container images, environment hardening, and run-time protection for AKS nodes and clusters.

The following screenshot shows the asset inventory page and the various container resource types protected by Security Center.

[Screenshot: container-related resources in Security Center's asset inventory page]

Vulnerability management - scanning container images

To monitor images in your Azure Resource Manager-based Azure container registries, enable Azure Defender for container registries. Security Center scans any images pulled within the last 30 days, pushed to your registry, or imported. The integrated scanner is provided by the industry-leading vulnerability scanning vendor, Qualys.

When issues are found – by Qualys or Security Center – you'll get notified in the Azure Defender dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Security Center's recommendations for containers, see the reference list of recommendations.

Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By only notifying when there are problems, Security Center reduces the potential for unwanted informational alerts.

Environment hardening

Continuous monitoring of your Docker configuration

Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark.

Security Center includes the entire ruleset of the CIS Docker Benchmark and generates a security recommendation whenever a container fails any of its controls. Use Security Center's recommendations page to view the recommendations and remediate the misconfigurations they describe. The CIS benchmark checks don't run on AKS-managed instances or Databricks-managed VMs.

For details of the relevant Security Center recommendations that might appear for this feature, see the compute section of the recommendations reference table.

When you're exploring the security issues of a VM, Security Center provides additional information about the containers on the machine. Such information includes the Docker version and the number of images running on the host.

To monitor unmanaged containers hosted on IaaS Linux VMs, enable the optional Azure Defender for servers.
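To make the comparison concrete, here is an added example (not Security Center's assessment code) that checks the containers on a Docker host against a handful of the section 5 controls of the CIS Docker Benchmark v1.2.0. It consumes the JSON that `docker inspect` prints for each container; the two container records in the block are constructed sample data, and the subset of controls implemented is my choice, not the full ruleset Security Center applies.

```python
"""Check containers on a Docker host against a few CIS Docker Benchmark controls.

Added example, not Security Center's assessment code. It consumes the JSON that
`docker inspect <container> ...` prints (one record per container); the two
records below are constructed sample data. Control numbers and titles follow
section 5 of the CIS Docker Benchmark v1.2.0; only a subset is implemented.
"""
import json
import sys

# Host directories that CIS 5.5 says should not be bind-mounted read-write (assumed list).
SENSITIVE_HOST_DIRS = {"/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"}
DOCKER_SOCKET = "/var/run/docker.sock"


def _top_level_dir(path):
    """'/etc/kubernetes/pki' -> '/etc', '/' -> '/'."""
    parts = [p for p in path.split("/") if p]
    return "/" + parts[0] if parts else "/"


def check_container(record):
    """Return [(control_id, title), ...] for every control the container fails."""
    hc = record.get("HostConfig", {})
    failed = []
    if hc.get("Privileged"):
        failed.append(("5.4", "Ensure that privileged containers are not used"))
    for mount in record.get("Mounts", []):
        src = mount.get("Source", "")
        if src == DOCKER_SOCKET:
            failed.append(("5.31", "Ensure that the Docker socket is not mounted inside any containers"))
        elif mount.get("Type") == "bind" and mount.get("RW", True) and _top_level_dir(src) in SENSITIVE_HOST_DIRS:
            failed.append(("5.5", "Ensure sensitive host system directories are not mounted on containers"))
    if hc.get("NetworkMode") == "host":
        failed.append(("5.9", "Ensure that the host's network namespace is not shared"))
    if hc.get("PidMode") == "host":
        failed.append(("5.15", "Ensure that the host's process namespace is not shared"))
    if hc.get("IpcMode") == "host":
        failed.append(("5.16", "Ensure that the host's IPC namespace is not shared"))
    if not hc.get("Memory"):  # docker inspect reports 0 when no memory limit is set
        failed.append(("5.10", "Ensure that the memory usage for containers is limited"))
    if not hc.get("ReadonlyRootfs"):
        failed.append(("5.12", "Ensure that the container's root filesystem is mounted as read only"))
    if not any(opt.startswith("no-new-privileges") for opt in hc.get("SecurityOpt") or []):
        failed.append(("5.25", "Ensure that the container is restricted from acquiring additional privileges"))
    return failed


def assess(records):
    """Map container name -> failed controls for a list of docker inspect records."""
    return {rec.get("Name", "?").lstrip("/"): check_container(rec) for rec in records}


# Constructed sample: a hardened web container and a sloppy "agent" container.
SAMPLE_INSPECT = [
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False, "NetworkMode": "bridge", "PidMode": "", "IpcMode": "private",
            "Memory": 268435456, "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges:true"],
        },
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web-data/_data",
                    "Destination": "/data", "RW": True}],
    },
    {
        "Name": "/agent",
        "HostConfig": {
            "Privileged": True, "NetworkMode": "host", "PidMode": "host", "IpcMode": "",
            "Memory": 0, "ReadonlyRootfs": False, "SecurityOpt": None,
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "bind", "Source": "/etc", "Destination": "/host/etc", "RW": True},
        ],
    },
]

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) > inspect.json && python3 cis_docker_check.py inspect.json
    records = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, failed in assess(records).items():
        print(f"{name}: {'PASS' if not failed else str(len(failed)) + ' failed control(s)'}")
        for cid, title in failed:
            print(f"  FAIL {cid} {title}")
```

Run without arguments it assesses the embedded sample; pointed at a file produced by `docker inspect` it assesses the real host. The memory and root-filesystem checks fail on most default `docker run` invocations, which is exactly why a benchmark-driven scan produces recommendations on hosts nobody thinks of as misconfigured.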

Continuous monitoring of your Kubernetes clusters

Security Center works together with Azure Kubernetes Service (AKS), Microsoft's managed container orchestration service for developing, deploying, and managing containerized applications.

AKS provides security controls and visibility into the security posture of your clusters. Security Center uses these features to:

  • Constantly monitor the configuration of your AKS clusters
  • Generate security recommendations aligned with industry standards

For details of the relevant Security Center recommendations that might appear for this feature, see the compute section of the recommendations reference table.

Workload protection best-practices using Kubernetes admission control

For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy add-on for Kubernetes. You can also auto deploy this add-on as explained in Enable auto provisioning of extensions. When auto provisioning for the add-on is set to "on", the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).

As explained in the Azure Policy for Kubernetes documentation, the add-on extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. Kubernetes admission controllers are plugins that intercept requests to the API server and enforce how your clusters are used. The add-on registers as a webhook with Kubernetes admission control and makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

With the add-on on your AKS cluster, every request to the Kubernetes API server is evaluated against the predefined set of best practices before the object is persisted to the cluster. Requests are first only monitored and violations reported; you can then configure the add-on to enforce the best practices and mandate them for future workloads.

For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.

Learn more in Protect your Kubernetes workloads.
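The following added example is not the Azure Policy add-on's or Gatekeeper's code, but it shows the mechanism they rely on: a validating admission webhook receives an AdmissionReview from the API server and answers allow or deny before the object is persisted. The `enforce` flag models the monitor-then-enforce progression described above: in audit mode the pod is admitted and the violations are returned as API warnings (which `kubectl` prints); in enforce mode the request is denied with a 403 status. The privileged-container rule is the page's own example; the host-namespace rules, the rule wording and the sample AdmissionReview are my assumptions. Checking only Pod objects is enough to stop privileged workloads, because pods created by Deployments, DaemonSets and Jobs pass through admission too.

```python
"""Validating-admission logic that rejects privileged containers.

Added example, not the Azure Policy add-on's or Gatekeeper's code. `review()`
takes the AdmissionReview the API server POSTs to a webhook and returns the
AdmissionReview response. The rules and the sample request are assumptions.
"""
import json


def pod_violations(pod):
    """List policy violations in a Pod object (rule set is an assumption)."""
    spec = pod.get("spec") or {}
    found = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            if (c.get("securityContext") or {}).get("privileged"):
                found.append(f"{field}/{c.get('name')}: privileged containers are not allowed")
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            found.append(f"spec.{flag}: sharing the host {flag[4:]} namespace is not allowed")
    return found


def review(admission_review, enforce=True):
    """Build the AdmissionReview response for one request from the API server."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}  # the uid must echo the request's uid
    kind = req.get("kind") or {}
    is_pod = kind.get("kind") == "Pod" and kind.get("group", "") == ""
    if is_pod and req.get("operation") in ("CREATE", "UPDATE"):
        violations = pod_violations(req.get("object") or {})
        if violations and enforce:
            response["allowed"] = False
            response["status"] = {"code": 403, "message": "; ".join(violations)}
        elif violations:
            # Audit mode: object is persisted, but the violations surface as warnings.
            response["warnings"] = violations
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed: what the API server sends when someone applies a privileged pod.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "3e2f0f2c-0f6e-4c8b-9f0a-1d2e3f4a5b6c",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "default",
        "userInfo": {"username": "dev@example.com"},
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "debug", "namespace": "default"},
            "spec": {"hostPID": True, "containers": [
                {"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW, enforce=False), indent=2))  # allowed, with warnings
    print(json.dumps(review(SAMPLE_REVIEW, enforce=True), indent=2))   # denied, 403
```

In a real deployment this function sits behind an HTTPS handler registered through a ValidatingWebhookConfiguration; the shape of the request and response objects is what matters here, and it is the same shape Gatekeeper handles on the cluster's behalf.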

Run-time protection for AKS nodes and clusters

Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Security Center provides threat protection at different levels:

  • Host level (provided by Azure Defender for servers) - Using the same Log Analytics agent that Security Center uses on other VMs, Azure Defender monitors your Linux AKS nodes for suspicious activities such as web shell detection and connection with known suspicious IP addresses. The agent also monitors for container-specific analytics such as privileged container creation, suspicious access to API servers, and Secure Shell (SSH) servers running inside a Docker container.

    Important

    If you choose not to install the agents on your hosts, you will only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and communications with malicious servers.

    For a list of the AKS host level alerts, see the Reference table of alerts.

  • AKS cluster level (provided by Azure Defender for Kubernetes) - At the cluster level, the threat protection is based on analyzing Kubernetes' audit logs. To enable this agentless monitoring, enable Azure Defender for Kubernetes. To generate alerts at this level, Security Center monitors your AKS-managed services using the logs retrieved by AKS. Examples of events at this level include exposed Kubernetes dashboards, creation of high privileged roles, and the creation of sensitive mounts.

    Note

    Security Center generates security alerts for Azure Kubernetes Service actions and deployments occurring after the Kubernetes option is enabled on the subscription settings.

    For a list of the AKS cluster level alerts, see the Reference table of alerts.
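To show what cluster-level detection over audit logs looks like, here is an added example that is not Azure Defender's detection logic. It reads audit events in the audit.k8s.io/v1 format the API server writes (one JSON object per line, at RequestResponse level so the request body is present) and raises the three kinds of finding the bullet above names: a binding that grants cluster-admin, a pod that mounts a sensitive host path, and a kubernetes-dashboard Service exposed outside the cluster. The log lines, the rule names and the sensitive-path list are constructed assumptions.

```python
"""Cluster-level detections over Kubernetes audit log lines.

Added example, not Azure Defender for Kubernetes' detection logic. Events are
audit.k8s.io/v1 JSON lines at RequestResponse level. The rules, rule names,
sensitive-path list and sample events are assumptions.
"""
import json
import sys

SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")


def hostpath_is_sensitive(path):
    """True if path is one of the sensitive host paths or lies beneath one."""
    p = path.rstrip("/") or "/"
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def detect(event):
    """Return [(rule, message), ...] for one audit event."""
    # Only completed, successful mutations matter: a request the API server
    # refused (4xx) changed nothing, so it is noise rather than an alert.
    if event.get("stage") != "ResponseComplete":
        return []
    if (event.get("responseStatus") or {}).get("code", 0) >= 300:
        return []
    verb = event.get("verb")
    ref = event.get("objectRef") or {}
    obj = event.get("requestObject") or {}
    user = (event.get("user") or {}).get("username", "unknown")
    target = f"{ref.get('namespace') or 'cluster'}/{ref.get('name')}"
    findings = []

    if verb in ("create", "update") and ref.get("resource") in ("clusterrolebindings", "rolebindings"):
        role_ref = obj.get("roleRef") or {}
        if role_ref.get("kind") == "ClusterRole" and role_ref.get("name") == "cluster-admin":
            subjects = ", ".join(f"{s.get('kind')}:{s.get('name')}" for s in obj.get("subjects") or [])
            findings.append(("HighPrivilegedRoleBinding",
                             f"{user} bound cluster-admin to {subjects} via {ref['resource']} {target}"))

    if verb == "create" and ref.get("resource") == "pods":
        for vol in (obj.get("spec") or {}).get("volumes") or []:
            path = (vol.get("hostPath") or {}).get("path")
            if path and hostpath_is_sensitive(path):
                findings.append(("SensitiveHostPathMount",
                                 f"{user} created pod {target} mounting host path {path}"))

    if verb in ("create", "update") and ref.get("resource") == "services":
        svc_type = (obj.get("spec") or {}).get("type")
        if "dashboard" in (ref.get("name") or "") and svc_type in ("LoadBalancer", "NodePort"):
            findings.append(("ExposedKubernetesDashboard",
                             f"{user} exposed service {target} as {svc_type}"))
    return findings


def scan(log_text):
    """Run detect() over JSON-lines audit log text and return the alerts found."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, message in detect(event):
            alerts.append({"auditID": event.get("auditID"), "rule": rule, "message": message})
    return alerts


def _sample(audit_id, verb, ref, code, obj, user="dev@example.com"):
    """Build one constructed audit event with the fields the rules look at."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
            "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
            "user": {"username": user}, "objectRef": ref,
            "responseStatus": {"code": code}, "requestObject": obj}


CLUSTER_ADMIN = {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                 "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}

# Constructed log: three events that should alert, one denied request, one benign pod.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _sample("a1", "create", {"resource": "clusterrolebindings", "name": "default-admin"}, 201, CLUSTER_ADMIN),
    _sample("a2", "create", {"resource": "pods", "namespace": "default", "name": "dockersock"}, 201,
            {"spec": {"containers": [{"name": "c", "image": "alpine"}],
                      "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
            user="system:serviceaccount:default:default"),
    _sample("a3", "update", {"resource": "services", "namespace": "kubernetes-dashboard",
                             "name": "kubernetes-dashboard"}, 200,
            {"spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}}),
    _sample("a4", "create", {"resource": "clusterrolebindings", "name": "blocked"}, 403, CLUSTER_ADMIN),
    _sample("a5", "create", {"resource": "pods", "namespace": "default", "name": "web"}, 201,
            {"spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}}),
])

if __name__ == "__main__":
    # Usage: python3 audit_detect.py [audit.log]; with no argument the sample log is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for alert in scan(text):
        print(f"{alert['auditID']} {alert['rule']}: {alert['message']}")
```

The status-code check is the part worth copying: audit logs record attempts as well as successes, and alerting on a forbidden request as if it had succeeded is a common false positive. On AKS the same events are available through the cluster's kube-audit diagnostic log category if you want to run such rules yourself alongside the Azure Defender alerts.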

Also, our global team of security researchers constantly monitors the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.

Tip

You can simulate container alerts by following the instructions in this blog post.

Next steps

In this overview, you learned about the core elements of container security in Azure Security Center. For related material see: