Skip to content

Docker Swarm Join Token

Service Name: Docker Swarm

Service Description: Docker Swarm is Docker's native clustering and orchestration solution that turns a group of Docker hosts into a single virtual host, allowing containers to be deployed across multiple machines.

Service Address: https://docs.docker.com/engine/swarm/

Validation Type: -

IP Allow list: IP restrictions can be configured at the Docker daemon level using TLS certificates and firewall rules.

Secret Access Scope: Grants the ability to join a node to an existing Docker Swarm cluster as either a manager or worker node.

Secret Revokement URL: Does not exist (tokens can be rotated using dockerswarmjoin-token--rotate)

Secret Example: SWMTKN-1- 49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv- 8vxv8rssmk743ojnwacrr2e7c

Suspicious Activity Investigation Instructions:

  • Check Docker Swarm manager nodes for unauthorized node joins
  • Review Docker logs for suspicious join attempts
  • Monitor network traffic to swarm management ports (2377/tcp)
  • Verify the list of nodes in the swarm using docker node ls command
  • Examine audit logs for unexpected container deployments across the swarm

Mitigation Instructions:

  • Rotate the compromised join token immediately using docker swarm join-token --rotate [worker|manager]
  • Remove any unauthorized nodes from the swarm using docker node rm [NODE_ID]
  • Implement proper network segmentation and firewall rules to restrict access to swarm ports
  • Configure TLS authentication for Docker daemon communications
  • Consider implementing additional authentication mechanisms like client certificates
  • Review and update Docker daemon configuration to enhance security
  • Implement regular token rotation as part of security practices