AWS has added a new container lens to its Well-Architected Framework. This new technical paper outlines best practices sourced from the community, AWS partners, and AWS's internal container technology specialists. These best practices provide guidance for running high-performance, reliable, and secure container workloads. The paper also includes reference architectures for a few common use cases.
The AWS Well-Architected Framework is built around six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. It provides specific information to help AWS users build according to AWS best practices. The new container lens joins other domain-specific lenses such as IoT, serverless, AI, ML, and SAP.
The operational excellence pillar focuses on running and monitoring systems to deliver business value and provide insights to drive continuous improvement. Within the container lens, this pillar focuses on container lifecycle management and observability. For example, under the prepare step, the recommendations include ensuring you understand what comprises your container's base image. This aligns with the recent focus on supply chain security and a better understanding of the components that are used in building out applications.
Other recommendations in this pillar include setting up a parent or baked image that is used to then create all downstream images. This approach provides greater control and governance around what goes into the base image. Once that downstream image is built, they recommend that it be used for all environments. It should be promoted through environments as it passes validation at each stage.
Within the security pillar, the recommendations include focusing on least privilege for container applications, implementing access controls for all build infrastructure, and minimizing the attack surface of images. They recommend running a distroless image without a shell or package manager to prevent bad actors from easily making changes to the image. Recently, Google announced that their distroless builds now meet Supply-chain Levels for Software Artifacts (SLSA) level 2. Similarly, Chainguard released a technical preview of their "undistro" Wolfi, designed to have a minimal surface area.
Recommendations within the performance efficiency pillar focus on the build-time performance of containers. They note that runtime performance is outside the scope of the container lens and is instead covered by the Performance Efficiency Pillar technical paper.
The reliability pillar focuses on monitoring the health of the application, automation for building and testing images, and automating updates to parent container images. Building on the recommendation to have a base parent image, this pillar recommends using a layered approach to container image management. This should start with the generic, shared base image. From there the application-specific pieces can be installed. The final layer is to install the binaries needed for the application.
They further recommend that these images all be maintained within source control and tagged. In particular, they recommend using a "continuous integration process to create a direct correlation between the container's images in source control and the image tag". According to the paper, this approach makes it possible to determine what changed between image releases.
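The layered build, distroless runtime and source-to-tag correlation described in the preceding paragraphs can be combined in a single multi-stage Dockerfile. The following is an added example written for this summary; it is not taken from the AWS paper or from any AWS sample. It assumes a Go application (so the final binary can be fully static), a hypothetical organization-wide parent image passed in as `PARENT_IMAGE`, and placeholder registry and source URLs that would be replaced in a real pipeline.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Layer 1: shared parent ("baked") image -------------------------------
# Assumed: a platform team publishes one parent image to a private registry and
# every downstream team starts FROM it. The default below is a public image for
# illustration only; in production pass a digest-pinned reference such as
# registry.example.com/platform/parent@sha256:<digest> so the parent cannot
# drift silently between builds.
ARG PARENT_IMAGE=golang:1.22-bookworm
FROM ${PARENT_IMAGE} AS build
WORKDIR /src

# ---- Layer 2: application dependencies --------------------------------------
# Copy only the dependency manifests first so this layer is cached and rebuilt
# independently of application source changes.
COPY go.mod go.sum ./
RUN go mod download

# ---- Layer 3: application binary --------------------------------------------
COPY . .
# CGO_ENABLED=0 produces a static binary that needs no libc, which is what
# lets it run in a runtime image with no shell or package manager at all.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# ---- Runtime: distroless and non-root -----------------------------------------
# The static-debian12 distroless variant ships no shell, no package manager and
# no libc; the :nonroot tag runs as uid 65532 by default.
FROM gcr.io/distroless/static-debian12:nonroot

# These are supplied by CI (see build command below) so the image records the
# exact commit that produced it.
ARG VCS_REF=unknown
ARG BUILD_DATE=unknown
LABEL org.opencontainers.image.revision="${VCS_REF}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.source="https://example.com/placeholder/app-repo"

COPY --from=build /out/app /app
# Restating the user makes the least-privilege intent explicit even if the
# parent tag is ever changed to a root variant.
USER nonroot:nonroot
ENTRYPOINT ["/app"]

# Build from CI so the tag and the label both come from the same commit:
#   docker build \
#     --build-arg VCS_REF="$(git rev-parse HEAD)" \
#     --build-arg BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
#     -t registry.example.com/app:"$(git rev-parse --short HEAD)" .
```

The image tag and the `org.opencontainers.image.revision` label are both derived from the same Git commit, which is what gives the direct correlation between source control and image tag that the paper asks for; `docker inspect` on any running image then answers "what changed" by pointing at a commit range. To follow the promotion recommendation from the operational excellence pillar, the same image (by digest, not by rebuilding) is what should move from development to staging to production as it passes validation at each stage.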
The cost optimization pillar focuses on designing images for efficiency, auto-scaling, and quick launch times. These three recommendations will help to reduce the number of containers required as well as how long they need to be running. The sustainability pillar shares similar recommendations with the cost optimization pillar.
Finally, the paper provides a number of reference architectures for solving common use cases such as securing a containerized build pipeline. They note that this architecture should be implemented with the additional relevant security practices associated with running any type of pipeline.
The container lens is available now within the Well-Architected Framework documentation. Parts of the Well-Architected Framework are available within the Well-Architected Tool; however, the container lens is only available as a technical paper.