Elevating Security: Qualys Unveils First Solution for Scanning AWS Bottlerocket in Amazon EKS and Amazon ECS

With this new offering, Qualys establishes itself as the first and only vendor solution with the unique ability to scan AWS Bottlerocket instances directly using the Qualys Cloud Agent and TotalCloud Agent-less Snapshot-Based Scan. This innovative capability empowers organizations to comprehensively manage and mitigate risks at both the host OS and container levels. In this article, we delve into the distinct security challenges associated with Bottlerocket in Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Elastic Container Service (Amazon ECS) and explore how Qualys, through its full-stack security approach, provides unparalleled visibility, actionable intelligence, and security auditing to safeguard containerized applications in the cloud.

Security Challenges

Traditionally, achieving vulnerability detection and threat management for containerized applications has been challenging due to the lack of comprehensive detection and assessment of threats at both the container and host levels. Security challenges faced by container deployments include:

1. Lack of Asset Visibility
   • Inventory is crucial for securing assets, and this holds true for Bottlerocket. Without a consolidated inventory, including details like installed packages, open ports, users, and hardware, securing the unknown becomes nearly impossible.
2. No Actionable Intelligence
   • AWS provides detailed security advisories for Amazon EKS and Amazon ECS, but determining the impact and automating actionable results without the right tools is a significant challenge.
3. Need for Security Auditing
   • Heavily regulated industries demand strict adherence to inventory management, patch verification, and security coverage. Achieving this without repeatable inventory management, vulnerability management, and reporting processes is a significant hurdle.

How Qualys Solves These Challenges

Qualys addresses these security challenges with its comprehensive approach:

Qualys Cloud Agent (Host Scanning)
Qualys Container Security (Container Scanning)
Qualys TotalCloud CSPM (Cloud Security Posture Management)
Qualys TotalCloud FlexScan (Snapshot-Based Scan)

Securing Bottlerocket in Amazon EKS and Amazon ECS poses unique challenges, and Qualys provides a robust solution through its comprehensive approach to address these security concerns. The Qualys Cloud Agent plays a pivotal role in enhancing security by conducting thorough host scanning, ensuring that vulnerabilities on the Bottlerocket instances are identified and remediated promptly. Furthermore, Qualys Container Security scans container workloads, enabling organizations to detect and resolve security issues within their containerized environments. The Qualys TotalCloud CSPM (Cloud Security Posture Management) provides a holistic view of the AWS environment, allowing organizations to enforce security policies, identify misconfigurations, and ensure compliance with industry standards. Qualys TotalCloud FlexScan offers a proactive approach to security by identifying vulnerabilities in the Bottlerocket instances before they become potential threats with its snapshot-based scanning capability. Together, these Qualys solutions create a robust security framework, securing Bottlerocket deployments in Amazon EKS and Amazon ECS and providing organizations with the confidence to operate securely in the cloud.

Qualys Cloud Agent (Host Scanning)

Recognizing the distinctive characteristics of Bottlerocket and the challenges it presents for traditional scanning methodologies, Qualys has engineered a specialized agent that seamlessly integrates with the containerized nature of Bottlerocket instances. Leveraging containerization principles, the Qualys Cloud Agent for Bottlerocket ensures a lightweight, non-intrusive, and easily deployable scanning mechanism, aligning with Bottlerocket’s immutable infrastructure model. This development represents a strategic move by Qualys to accommodate the evolving landscape of container orchestration, offering organizations a purpose-built tool to enhance security visibility and risk management in their Bottlerocket environments. The agility and adaptability of this new Qualys Cloud Agent underscore Qualys’ commitment to providing cutting-edge solutions that address the unique demands of modern cloud-native architectures.

Key Features:

• Unparalleled Visibility
  • Leverage Qualys Global AssetView to gain a single view of all your Amazon EKS and Amazon ECS clusters, including masters, workers, and infrastructure nodes. Upgrade to CyberSecurity Asset Management (CSAM) for enriched details about each node’s hardware configuration, installed packages, open ports, and cloud provider metadata.
  • Deploy Qualys Cloud Agent on your assets running Bottlerocket in Amazon EKS and Amazon ECS. As the Qualys Cloud Agent runs as a container, installation is seamless, requiring no host modifications, port openings, or credential management.
• Actionable Intelligence
  • Benefit from Qualys’ automated detection development, assessing your Bottlerocket environment for vulnerabilities using AWS security advisories. Qualys ensures rapid identification of new and critical vulnerabilities, providing remediation teams with specific details on vulnerable packages and required upgrades. Qualys also offers impact and CVE details for prioritization and reporting.
• Security Auditing
  • Leverage Qualys support for Bottlerocket in Amazon EKS and Amazon ECS to generate reports for security auditors. Demonstrate your full inventory of clusters, verify the version, and document security coverage using the power of the Qualys Cloud Platform.

• Coverage for Policy Compliance using CIS Benchmarks
  • Qualys extends its capabilities to include coverage for Policy Compliance using the CIS Benchmarks. Ensure that your Bottlerocket deployments adhere to industry-standard security benchmarks, enhancing your containerized applications’ overall compliance and security posture.

Qualys TotalCloud CSPM (Cloud Security Posture Management)

Enhance your security posture with the TotalCloud CSMP (Cloud Security Posture Management) integration. TotalCloud provides a holistic view of your cloud infrastructure, ensuring compliance and security best practices—Leverage TotalCloud’s capabilities for continuous monitoring, policy enforcement, and threat detection across your AWS environment.

Key Features:

• Comprehensive Cloud Visibility: Gain insights into your AWS environment, including Bottlerocket instances, for effective security management.
• Automated Compliance Checks: Ensure adherence to security best practices and compliance standards with automated checks and policy enforcement.
• Eliminate Misconfigurations: Resolve configuration issues seamlessly using either 1-Click options or automated custom workflows, ensuring a streamlined and efficient process.

 Qualys TotalCloud FlexScan (Snapshot-Based Scan)

What Is Snapshot Scanning?

Snapshot scanning involves the use of scanners that capture images of workloads, known as snapshots, from a cloud services provider’s (CSP) runtime block storage and subsequently scans them. Runtime block storage is where CSPs store updated images of cloud workloads and resources. This scanning method is indirect, focusing on examining block storage rather than directly inspecting workloads using agents.

Key Features

1. Cloud-Native Onboarding
   • Snapshot scanning offers a fast and easy setup for onboarding a company’s cloud workloads, making it ideal for scenarios requiring a quick assessment of cloud environments.
2. Inspection of Paused or Suspended Workloads
   • Snapshot scanners uniquely possess the capability to inspect images of paused or suspended workloads. This feature is advantageous in specific use cases, although it’s essential to consider potential asset-counting implications.
3. Real-time vulnerability assessment
   • Cloud workloads are scanned in real time immediately upon deployment, providing instant visibility into the inventory of cloud workloads within Qualys. This ensures prompt identification of vulnerabilities present on these workloads.

Qualys Container Security

Secure your containerized applications with Qualys Container Security. This solution discovers, monitors, and continuously secures containers from build phase to runtime phase. Key features include:

• Vulnerability Management: Implement comprehensive vulnerability management, detection, and response across the container lifecycle.
• Malware Detection: Qualys, powered by Deep Learning AI, detects known and unknown malware files within containers.
• Actionable Insights: Qualys provides actionable intelligence, helping remediation teams prioritize vulnerabilities by specifying vulnerable packages and required upgrades.
• Extensive Vulnerability Coverage: Qualys delivers extensive coverage of container-related security advisories, ensuring that your containerized applications are protected against known threats.

About Bottlerocket in Amazon EKS and Amazon ECS

Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Elastic Container Service (Amazon ECS) are certified Kubernetes distributions and supported container platforms with built-in enterprise security. They empower enterprises to build, deploy, run, and manage intelligent applications securely at scale in a hybrid cloud environment. Security is prioritized throughout the stack, following a defense-in-depth approach.

Bottlerocket: Optimized Security for Containerized Workloads

Bottlerocket is a purpose-built, open-source operating system designed by Amazon Web Services (AWS) specifically for hosting containerized applications. Tailored to enhance security and efficiency in container orchestration platforms, Bottlerocket aims to provide a streamlined, immutable, and container-optimized environment for Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Elastic Container Service (Amazon ECS).

Key Features:

1. Immutable Nature: Bottlerocket follows an immutable model, ensuring that the operating system always boots into a known and secure state. This approach aligns with containerized deployment methodologies, promoting consistency and predictability.
2. Transactional Updates: Bottlerocket supports atomic, transactional updates, allowing for seamless rollbacks in case of issues during updates. This feature enhances the reliability of the system while simplifying maintenance tasks.
3. Container Optimization: The operating system is purpose-built for container workloads, minimizing its footprint and focusing on providing essential functionalities for running containers efficiently.
4. Security Enhancements: Bottlerocket incorporates security features such as SELinux, Linux namespaces, CGroups, Capabilities, and Read-Only Mounts to bolster the security posture of containerized applications.

Why Bottlerocket?

• Scalability: Bottlerocket is designed to scale seamlessly with containerized environments, making it an ideal choice for applications deployed on Amazon EKS and Amazon ECS.
• Ease of Management: With its containerized design, Bottlerocket simplifies the management of container hosts, allowing for easy installation, updates, and maintenance.
• Collaboration with Qualys: As part of the collaboration between AWS and Qualys, Bottlerocket users can leverage Qualys’ advanced security solutions to further enhance the security of their containerized workloads.

In conclusion, the integration of Qualys security solutions with Bottlerocket offers a comprehensive and effective strategy for fortifying containerized environments in Amazon EKS and Amazon ECS. The combination of Qualys Cloud Agent, Container Security, TotalCloud CSPM, and TotalCloud FlexScan ensures a thorough and proactive approach to identifying and mitigating security risks. With this new offering, Qualys is now the first and only vendor solution with the ability to scan Bottlerocket using Qualys Cloud Agent, adding an unprecedented layer of visibility and control. By leveraging these cutting-edge tools, organizations can confidently deploy and manage containerized applications on Bottlerocket, benefitting from a secure, efficient, and purpose-built foundation. This collaborative approach not only enhances the security posture of the container orchestration environment but also contributes to the overall reliability and resilience of applications hosted on AWS. As organizations increasingly embrace containerization, the Qualys and Bottlerocket partnership serves as a key enabler in creating a robust and trustworthy ecosystem for modern application deployment and management.

Learn More and Get Started

Log in to your Qualys subscription today to download the Cloud Agent binary, and refer to the installation guide for step-by-step instructions. Learn more about getting started with zero-touch snapshot-based scanning.

Frequently Asked Questions (FAQs)

What are the support specifications for this release?

Operation System:	Bottlerocket
Qualys Apps Supported:	Vulnerability Management Policy Compliance TotalCloud
Generally Available Date:	Generally Available
Qualys Cloud Platform Version:	Cloud Platform 3.17
Cloud Agent Version:	5.x
TotalCloud CSPM:	Generally Available
TotalCloud CWP/FlexScan:	Generally Available

What are all the solutions outlined?

Qualys Cloud Agent
Qualys Container Security
Qualys TotalCloud CSPM (Cloud Security Posture Management)
Qualys TotalCloud CWP/FlexScan

Which Bottlerocket architecture is supported?

We support x86 at this release.

Contributors

• Kyle Davis, Senior Developer Advocate – Bottlerocket OS, Amazon Web Services
• Shrikant Dhanawade, Director, Product Management, Cloud Security, Qualys
• Prachi Jain, Technical Trainer, Qualys