Advanced Workload Protection for AWS Services on Graviton2

Moving at the pace of innovation in cloud native infrastructure, Aqua is announcing container security support for the AWS Fargate serverless service now running on Amazon Graviton2 processors. Container protection, security, and compliance support for Fargate on Graviton2 builds on our existing workload protection for Amazon EC2 VMs on Graviton2.

Now Aqua customers can take advantage of the better performance and cost-effectiveness delivered by Graviton2 architecture for Fargate, while ensuring unified, consistent security with purpose-built workload monitoring, visibility and protection.

What is AWS Graviton2?

At the end of 2019, Amazon Web Services announced the introduction of AWS Graviton2 processors to power a portion of its cloud infrastructure. For Amazon’s largest customers, this means lower costs and better performance. “If you run the same benchmark on the Graviton2 and the latest Intel processor, Graviton2 is about 20% faster. It is also about 20% cheaper. As a result, you get about a 40% price-performance improvement,” said David Brown, Vice President of Amazon EC2. These benefits extend further as Graviton2 is used to power multiple services, such as Amazon RDS and Amazon EKS for containers.

Following the initial announcement at re:Invent in 2019, AWS has launched versions of Graviton2 instances optimized for both compute-intensive and memory-optimized operations, such as transactional analytics or IoT diagnostics.

We believe that Graviton2 is a sign of more to come in the evolution of cloud infrastructure, as customers demand more from cloud native workloads.

How Aqua protects workloads running on Graviton2

The cloud native ecosystem must take note in order to ensure compatibility with this new wave of cloud infrastructure. Processors built on the 64-bit architecture designed by Arm use a reduced instruction set at the assembly language level, which is a fundamental difference from x86. It is this reduced instruction set computing (RISC) design that frees up CPU capacity, making the lower costs and higher performance possible. Cloud native products that operate at the workload level must therefore be built to run on the reduced instruction set as well.

ARM’s chip design adds another layer of security using features like always-on encryption, but customers are still responsible for securing the applications, communications between services, workloads and resources, as well as the workloads themselves.

Aqua's runtime controls look deep into the processes that containers run and assess them against policies that prevent drift from the original container image, that allow or deny specific executables, network connections, files and resources, and that create a behavioral profile of the container's allowed activities.

In tandem with the launch of AWS Fargate powered by Graviton2 processors, Aqua’s MicroEnforcer has been validated for 64-bit Graviton2 processors.

Aqua’s MicroEnforcer, designed for lightweight container deployments on AWS Fargate, ensures that unregistered images can be blocked from running and that unauthorized changes to containers at runtime are prevented. The validation of our MicroEnforcer for Fargate powered by Graviton2 processors extends our existing VM Enforcer support for securing Amazon EC2 VMs powered by Graviton2 processors.

Aqua’s VM Enforcer and MicroEnforcer operate at the workload level, providing visibility and automated protection against unauthorized activity at scale, to help customers:

  • Automatically apply existing runtime and network segmentation policies to workloads powered by Graviton2 via Aqua Enforcers
  • Ensure logging and auditing of enforcement actions
  • Monitor for unauthorized changes and enforce assurance policies

Conclusion

Aqua’s validated support for AWS Fargate powered by Graviton2 processors allows customers to expand their cloud footprint for price-performance sensitive workloads while enjoying the same level of protection they've been getting for their Intel x86 architecture-based workloads. As AWS expands the range of services that are powered by Graviton2 processors, Aqua plans to move in lockstep to ensure that customers can securely take advantage of the price-performance benefits.

Story Tweedie-Yates

Story is the VP of Product Marketing at Aqua Security, where she is passionate about helping to define the future of cloud native security. In her time off, you will find her scooting her twins around Montreal’s parks or exploring underwater treasures with a scuba mask alongside her husband.