Container security in Security Center

Azure Security Center is the Azure-native solution for securing your containers.

Security Center can protect the following container resource types:

Resource type: Kubernetes clusters
Protections offered by Security Center:
  • Continuous assessment of your clusters to provide visibility into misconfigurations and guidelines to help you mitigate identified threats. Learn more about environment hardening through security recommendations.
  • Threat protection for clusters and Linux nodes. Alerts for suspicious activities are provided by Azure Defender for Kubernetes. This Azure Defender plan defends your Kubernetes clusters whether they're hosted in Azure Kubernetes Service (AKS), on-premises, or on other cloud providers. Learn more about run-time protection for Kubernetes nodes and clusters.

Resource type: Container hosts (VMs running Docker)
Protections offered by Security Center:
  • Continuous assessment of your Docker environments to provide visibility into misconfigurations and guidelines to help you mitigate threats identified by the optional Azure Defender for servers. Learn more about environment hardening through security recommendations.

Resource type: Azure Container Registry (ACR) registries
Protections offered by Security Center:
  • Vulnerability assessment and management tools for the images in your Azure Resource Manager-based ACR registries with the optional Azure Defender for container registries. Learn more about scanning your container images for vulnerabilities.

This article describes how you can use Security Center, together with the optional Azure Defender plans for container registries, servers, and Kubernetes, to improve, monitor, and maintain the security of your containers and their apps.

You'll learn how Security Center helps with these core aspects of container security:

The following screenshot shows the asset inventory page and the various container resource types protected by Security Center.

[Screenshot: Container-related resources in Security Center's asset inventory page]

Vulnerability management - scanning container images

To monitor images in your Azure Resource Manager-based Azure container registries, enable Azure Defender for container registries. Security Center scans any images pulled within the last 30 days, pushed to your registry, or imported. The integrated scanner is provided by the industry-leading vulnerability scanning vendor, Qualys.

When issues are found – by Qualys or Security Center – you'll get notified in the Azure Defender dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Security Center's recommendations for containers, see the reference list of recommendations.

Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By only notifying when there are problems, Security Center reduces the potential for unwanted informational alerts.

Environment hardening

Continuous monitoring of your Docker configuration

Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark.

Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers fail any of the controls. When it finds misconfigurations, Security Center generates security recommendations. Use Security Center's recommendations page to view recommendations and remediate issues. The CIS benchmark checks don't run on AKS-managed instances or Databricks-managed VMs.

For details of the relevant Security Center recommendations that might appear for this feature, see the compute section of the recommendations reference table.

When you're exploring the security issues of a VM, Security Center provides additional information about the containers on the machine. Such information includes the Docker version and the number of images running on the host.

To monitor unmanaged containers hosted on IaaS Linux VMs, enable the optional Azure Defender for servers.

Continuous monitoring of your Kubernetes clusters

Security Center works together with Azure Kubernetes Service (AKS), Microsoft's managed container orchestration service for developing, deploying, and managing containerized applications.

AKS provides security controls and visibility into the security posture of your clusters. Security Center uses these features to constantly monitor the configuration of your AKS clusters and generate security recommendations aligned with industry standards.

This is a high-level diagram of the interaction between Azure Security Center, Azure Kubernetes Service, and Azure Policy:

[Diagram: High-level architecture of the interaction between Azure Security Center, Azure Kubernetes Service, and Azure Policy]

You can see that the items received and analyzed by Security Center include:

  • audit logs from the API server

  • raw security events from the Log Analytics agent

    Note

    We don't currently support installation of the Log Analytics agent on Azure Kubernetes Service clusters that are running on virtual machine scale sets.

  • cluster configuration information from the AKS cluster

  • workload configuration from Azure Policy (via the Azure Policy add-on for Kubernetes)

For details of the relevant Security Center recommendations that might appear for this feature, see the compute section of the recommendations reference table.

Workload protection best-practices using Kubernetes admission control

For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy add-on for Kubernetes. You can also auto-deploy this add-on as explained in Enable auto provisioning of the Log Analytics agent and extensions. When auto provisioning for the add-on is set to "on", the extension is enabled by default in all existing and future clusters (that meet the add-on installation requirements).

As explained in this Azure Policy for Kubernetes page, the add-on extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. Kubernetes admission controllers are plugins that enforce how your clusters are used. The add-on registers as a webhook with Kubernetes admission control and makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

With the add-on on your AKS cluster, every request to the Kubernetes API server is checked against the predefined set of best practices before being persisted to the cluster. You can then configure the add-on to enforce the best practices and mandate them for future workloads.

For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.

Learn more in Protect your Kubernetes workloads.

Run-time protection for Kubernetes nodes and clusters

Azure Defender provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Azure Defender provides threat protection at different levels:

  • Host level (provided by Azure Defender for servers) - Using the same Log Analytics agent that Security Center uses on other VMs, Azure Defender monitors your Linux Kubernetes nodes for suspicious activities such as web shells and connections to known suspicious IP addresses. The agent also monitors for container-specific analytics such as privileged container creation, suspicious access to API servers, and Secure Shell (SSH) servers running inside a Docker container.

    If you choose not to install the agents on your hosts, you will only receive a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and communications with malicious servers.

    Important

    We don't currently support installation of the Log Analytics agent on Azure Kubernetes Service clusters that are running on virtual machine scale sets.

    For a list of the host level alerts, see the Reference table of alerts.

  • Cluster level (provided by Azure Defender for Kubernetes) - At the cluster level, the threat protection is based on analyzing Kubernetes audit logs. To enable this agentless monitoring, enable Azure Defender. If your cluster is on-premises or on another cloud provider, enable Azure Arc-enabled Kubernetes and the Azure Defender extension.

    To generate alerts at this level, Azure Defender monitors your clusters' logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.

    Note

    Azure Defender generates security alerts for actions and deployments that occur after you've enabled the Defender for Kubernetes plan on your subscription.

    For a list of the cluster level alerts, see the Reference table of alerts.

Also, our global team of security researchers constantly monitors the threat landscape. They add container-specific alerts and vulnerabilities as they're discovered.

Tip

You can simulate container alerts by following the instructions in this blog post.

Next steps

In this overview, you learned about the core elements of container security in Azure Security Center. For related material see: