Secure Container Data Storage with ECS and EFS

by Conor Colgan
Technical Product Manager, AWS
ClearDATA

In 2017, ClearDATA launched the first Containers-as-a-Service offering specifically aimed at enabling healthcare IT and DevOps organizations to take advantage of microservice architecture, while ensuring compliance. As we said then, “The ongoing security maintenance of applications, whether in testing or production mode, is a frequent burden to healthcare organizations and digital health companies, especially when protected health information is at stake. To assist these companies, ClearDATA, an AWS Healthcare Competency and Public Sector Partner, works with Amazon ECS to provide a secure container management resource that offers an isolated, HIPAA-compliant environment for building, testing and running individual applications.” Today I am excited to announce new features for that solution.

Container Health Checks

Earlier this year Amazon announced support for native Docker health checks, allowing ECS to monitor and respond to health checks rather than relying on a load balancer. These health checks can be enabled as part of the task definition in the console or from the command line.

Docker performs localhost calls and adjusts the availability status of the container based on the result. It’s configurable in the ECS task definition directly. ECS knows the “intent” of a container status, and it just looks like ECS is keeping the status as “starting”. If the container is trying to start up, ECS will just leave it out of the pool until the health check passes. ClearDATA customers are already taking advantage of these health checks in our PHI Containers platform and are seeing the native Docker behavior as expected. For more information on how to configure health checks, see the AWS ECS Documentation – HealthCheck command.
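The status transitions described above can be modelled in a few lines. This is an added example, not code from ClearDATA or AWS: the `healthCheck` values and the probe URL are constructed, and the model assumes the first probe runs one interval after container start.

```python
# healthCheck block using the ECS task-definition field names (values constructed).
HEALTH_CHECK = {
    "command": ["CMD-SHELL", "curl -f http://localhost:8080/health || exit 1"],
    "interval": 30,     # seconds between probes
    "timeout": 5,       # seconds before a single probe counts as failed
    "retries": 3,       # consecutive counted failures before "unhealthy"
    "startPeriod": 60,  # grace period: early failures are not counted
}

def health_timeline(check, probe_results):
    """Return the Docker health status after each probe (True = exit code 0)."""
    status = "starting"
    started = False   # becomes True on the first successful probe
    failures = 0      # consecutive failures that count toward retries
    timeline = []
    for i, ok in enumerate(probe_results):
        elapsed = (i + 1) * check["interval"]  # assumed probe time, in seconds
        if ok:
            started, failures, status = True, 0, "healthy"
        else:
            # Failures inside the start period are ignored until a probe succeeds.
            in_grace = not started and elapsed <= check["startPeriod"]
            if not in_grace:
                failures += 1
                if failures >= check["retries"]:
                    status = "unhealthy"
        timeline.append(status)
    return timeline

def in_service(status):
    """Only a container that has passed its health check joins the pool."""
    return status == "healthy"
```

A container that never passes a probe stays in `starting` through the grace period and the first counted failures, which is why it simply appears to be held out of the pool.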

Local File System Support with Automated Safeguards for Amazon EFS

Docker containers are ideal for application development because they create the entire runtime environment (code, runtime, system tools, system libraries) in one binary artifact, so the differences between environments are negligible. This guarantees that software runs consistently, regardless of the environment in which it is deployed. These containers are typically ephemeral and stateless, so they can be moved or terminated at any time. Containers typically do not store any data locally; rather, they use other services, like S3 or a database, to store any data that requires a home. Containers can mount a storage volume that is present on the compute host, but that presents other challenges. Containers can be restarted on any compute node in the cluster, so that storage volume will no longer be available. A network attached storage solution such as Amazon Elastic File System (EFS) can help solve that problem.

Amazon EFS is a durable shared file system that allows multiple EC2 hosts to connect to the same volume. EFS is also elastic, meaning there is no need to expand or shrink the volume as it’s used. You simply pay for the exact amount of data that is stored on the volume. Finally, data management is simplified because there is only a single data volume. ClearDATA’s Automated Safeguards for ECS now support securely mounting ClearDATA-safeguarded EFS volumes, enabling organizations to create containers that can consume data located on local storage without reconfiguring the application to hook into a different storage system. It also allows ECS containers to share a file system with EC2 servers, allowing for easy integration of software running across multiple services.

ClearDATA’s Automated Safeguard for EFS ensures that any EFS File System is provisioned with encryption at rest enabled.

In the event a File System is deployed without the encryption flag, the Automated Safeguard will remove the File System in a matter of minutes, as the encryption setting cannot be changed after a File System is created.

Customers can receive alerts for a non-compliant volume, making users aware of any volumes created without encryption.
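The detect, alert and remove flow described above can be sketched as follows. This is an added example, not ClearDATA's implementation: the records are constructed in the shape of the EFS `DescribeFileSystems` and `DescribeMountTargets` responses, and `apply_plan` assumes a boto3 EFS client is passed in.

```python
# Constructed records shaped like EFS DescribeFileSystems / DescribeMountTargets
# responses. All IDs below are made up.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-00000001", "Encrypted": True, "LifeCycleState": "available"},
    {"FileSystemId": "fs-00000002", "Encrypted": False, "LifeCycleState": "available"},
    {"FileSystemId": "fs-00000003", "Encrypted": False, "LifeCycleState": "deleting"},
]
SAMPLE_MOUNT_TARGETS = {
    "fs-00000002": [{"MountTargetId": "fsmt-0000000a"}, {"MountTargetId": "fsmt-0000000b"}],
}

def non_compliant(file_systems):
    """IDs of file systems created without encryption at rest that still exist."""
    return [
        fs["FileSystemId"]
        for fs in file_systems
        # A missing flag is treated as unencrypted (fail closed).
        if not fs.get("Encrypted", False)
        and fs.get("LifeCycleState") not in ("deleting", "deleted")
    ]

def remediation_plan(file_systems, mount_targets):
    """Ordered (action, resource_id) steps: alert, detach, then remove."""
    plan = []
    for fs_id in non_compliant(file_systems):
        plan.append(("alert", fs_id))
        # EFS refuses to delete a file system that still has mount targets.
        for mt in mount_targets.get(fs_id, []):
            plan.append(("delete_mount_target", mt["MountTargetId"]))
        plan.append(("delete_file_system", fs_id))
    return plan

def apply_plan(efs, plan, notify=print):
    """Run a plan against a boto3 EFS client, e.g. boto3.client("efs").

    Mount-target deletion is asynchronous, so a production version must wait
    for the targets to disappear before delete_file_system can succeed.
    """
    for action, resource_id in plan:
        if action == "alert":
            notify(f"EFS {resource_id} is not encrypted at rest; removing")
        elif action == "delete_mount_target":
            efs.delete_mount_target(MountTargetId=resource_id)
        elif action == "delete_file_system":
            efs.delete_file_system(FileSystemId=resource_id)
```

Removal rather than repair is the only remediation here because, as noted above, the encryption setting is fixed when the file system is created.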

ClearDATA’s combination of the PHI Containers platform and the Automated Safeguards for EFS ensures that all volumes provisioned for use with containers will be encrypted at rest. Furthermore, ClearDATA has configured the EFS mounts from the cluster nodes to connect to EFS via an encrypted channel, thereby ensuring encryption in motion as well. Customers can access EFS mounts from our PHI Containers platform and know that the PHI data is always encrypted at rest and in motion without investing time in monitoring the compliance of the EFS storage.

Conclusion

ClearDATA’s addition of EFS support for our AWS offering allows customers to mount data without worrying about container restarts or cluster node placement. Each instance maintains a connection to the EFS file share and the important data. All storage is encrypted at rest, and all connections to the EFS file share are encrypted in motion. This removes the burden of configuring encrypted connections at the application layer, allowing customers to focus on their application and not the underlying infrastructure.
