© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Community Builders
Amazon EKS – Security best practices
Jeff Lombardo
Sr. Solution Architect, Security Specialist
February 2022
Jeff Lombardo
Senior Solution Architect / Security Specialist at AWS
17 years of expertise in Identity and Access Management,
Application Security, and Data Protection
Joined AWS in September 2020
My motto: Give me a redirect URI and I will SSO the world
Agenda
Amazon EKS in a nutshell: Is EKS different from K8s? Who is responsible for security? How has the service evolved?
Security best practices on EKS: Are they different? Are they specific? What are the advantages?
Demo: How can I secure my Company Socks Shop?
Starting to build with Amazon EKS: Multiple resources to help you learn more
Amazon EKS in a nutshell
Amazon EKS Tenets
• It is Kubernetes Upstream
• Service integrations
• Production workloads
Choose your own adventure
• ECS: EC2, Fargate, Anywhere
• EKS: EC2, Fargate, Anywhere
Shared responsibility model for EKS
Amazon EKS story
2017 2018 2019 2020 2021
Theme: control plane
Theme: data plane
Theme: cluster ops
Amazon EKS highlight launches over the last year
Storage and networking
• Amazon EBS CSI driver
• Amazon EFS CSI driver w/ dynamic provisioning
• Amazon VPC CNI increased pod density
• Pod-level security group
• AWS Load Balancer Controller
• Multus CNI support
Tooling
• AWS CDK for K8s
• AWS Controllers for Kubernetes
• Amazon EKS add-ons
• Hosted Kubernetes console
• Remote Cluster Connector
• eksctl instance selector
Nodes
• Managed node groups custom launch templates
• Karpenter node provisioning
• P4d/Elastic Fabric adapter support
• Parallel node group upgrades
• Containerd support
• Amazon EKS/AWS Fargate built-in logging
Region/version expansion
• Osaka region
• AWS Fargate region expansion – Frankfurt, Oregon, Singapore, Sydney, Cape Town, Osaka, and Milan
• Support for Kubernetes version 1.19, 1.20, 1.21
Environment expansion
• Amazon EKS Distro
• Amazon EKS Anywhere
Amazon EKS recent launches – Security Pillar
Protection mechanisms
• AWS Certificate Manager (ACM) Private Certificate Authority
• AWS Secrets Manager CSI driver
• ECR signed image validation
• IAM roles for Service Account v2
EKS improvements
• IAM Cluster API management
• External OIDC authentication
• EKS API PrivateLink
• Secrets encryption with AWS KMS
• VPC CNI network policy
Compliance
• FedRAMP Moderate, High
• DoD CC SRG
Amazon EKS just-shipped features
https://github.com/aws-controllers-k8s/community
https://isovalent.com/blog/post/2021-09-aws-eks-anywhere-chooses-cilium
https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-guardduty-elastic-kubernetes-service-clusters/
EKS Anywhere Enterprise Support
Ubuntu Bottlerocket Cilium Flux
All bundled components in EKS-Anywhere will have integrated support through AWS.
What is coming up for EKS?
Assessing compliance for EKS CIS standards into standard AWS security services
Having an overall view of infrastructure configuration from a security perspective in a single place is valuable. kube-bench scores compliance of EKS configuration against the EKS CIS standard. However, running the EKS benchmark against EKS deployments is manual and not available through an AWS managed component. It would be great if CIS EKS could be executed and findings/results reflected back into security monitoring services; Security Hub provides a great place to aggregate findings from various systems in a single service.
Changing security group of EKS master without replacing the cluster
Changing the security group on the EKS master to match new requirements or threats is valuable. Unfortunately, there seems to be no way of doing this without deleting the cluster, whether through CloudFormation or the console.
• Not an exhaustive EKS list
• Also includes ECS items
https://github.com/aws/containers-roadmap/
Security best practices on EKS
Security strategy at AWS
[Diagram: AWS security services mapped onto the Identify, Protect, Detect, Respond and Recover functions, with Automate and Investigate across them. Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, KMS, IAM, AWS Single Sign-On, Snapshot/Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier, AWS CloudFormation, AWS OpsWorks, Amazon Detective, AWS Network Firewall, AWS Backup.]
Security strategy at AWS with EKS
[Diagram: the same Identify, Protect, Detect, Respond, Recover functions (with Automate and Investigate), now showing the AWS services EKS integrates with and the container-level controls. EKS integrated AWS services: AWS Systems Manager, AWS Config, Amazon CloudWatch, Amazon Inspector, Amazon GuardDuty, KMS, IAM, Snapshot, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Certificate Manager, AWS Security Hub, AWS Network Firewall, AWS App Mesh, Amazon Elastic Block Store, Amazon Elastic File System, AWS Backup, Amazon FSx for Lustre, AWS Artifact. Container function support: Linux capabilities, Pod Security Standards, Policy as code, Pod Security Admission, CNI Network Policy, CSI.]
One place to go
https://aws.github.io/aws-eks-best-practices/security/docs/
And more, with guidance on Cluster Autoscaling, Reliability, and Windows Containers
More granularity on Identity Management
[Diagram: a single EC2 instance runs Business Logic #1 and Business Logic #2. Both obtain credentials from the IMDSv2 endpoint, so both act under the one instance Role when reaching the Amazon S3 bucket and Amazon RDS.]
More granularity on Identity Management
[Diagram, left: the EC2 Instance case again, with Business Logic #1 and #2 sharing the EC2 Instance Role via the IMDSv2 endpoint to reach the Amazon S3 bucket and Amazon RDS. Right: an EC2 Instance (worker node) whose EC2 Instance Role, reached through the IMDSv2 endpoint, is used only for node duties such as pulling from Amazon Elastic Container Registry; Business Logic #1 and Business Logic #2 each run as a pod with its own Service Account Role to the Amazon S3 bucket and Amazon RDS.]
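The right-hand side of that diagram, written out as an added example that is not part of the deck: a ServiceAccount annotated with a role ARN, a Deployment that runs under it, and the IAM role whose trust policy accepts only tokens for that exact service account from the cluster's OIDC provider. Account ID, region, OIDC provider ID, role name, bucket name and container image are placeholders.

```yaml
# Added example (not from the deck): IAM roles for service accounts, one role
# per workload instead of one shared node role. Account ID, region, OIDC
# provider ID, role, bucket and image names are placeholders.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payment
  namespace: shop
  annotations:
    # The EKS pod identity webhook injects a projected token and this ARN
    # into pods using the account; the AWS SDK exchanges the token for
    # role credentials via sts:AssumeRoleWithWebIdentity.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/shop-payment-role
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels:
      name: payment
  template:
    metadata:
      labels:
        name: payment
    spec:
      serviceAccountName: payment   # ties this pod to the role above
      containers:
        - name: payment
          image: PAYMENT_IMAGE_PLACEHOLDER
          ports:
            - containerPort: 80
---
# CloudFormation template for the role itself. The trust policy is the
# security-relevant part: only tokens issued by this cluster's OIDC provider
# for exactly the shop/payment service account can assume it.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ShopPaymentRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: shop-payment-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: arn:aws:iam::111122223333:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:shop:payment"
                "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
      Policies:
        - PolicyName: payment-data-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow        # least privilege: one bucket, read only
                Action: s3:GetObject
                Resource: arn:aws:s3:::payment-bucket-placeholder/*
```

Without the `sub` condition any service account in any namespace of the cluster could assume the role, which would recreate the shared-role problem of the left-hand diagram at the cluster level.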
More granularity on Network Protection
[Diagram: a VPC with a Public subnet and a Private subnet, a Network ACL at the subnet boundary, and two EC2 Instances each with its own Security group; Business Logic #1 runs on one instance and Business Logic #2 on the other.]
More granularity on Network Protection
[Diagram, left: the EC2 Instance case again (VPC, Public and Private subnets, Network ACL, one Security group per instance for Business Logic #1 and #2). Right: an EC2 Instance (worker node) in the same VPC, Network ACL and subnets, where Business Logic #1 and Business Logic #2 run as pods each attached to its own ENI with its own Security group, and Network Policy controls pod-to-pod traffic.]
Demo
Demo context
[Diagram: in the AWS Cloud, a User reaches an Application load balancer in a Public subnet through the Internet gateway of the VPC. Behind a Network ACL and a Security group, EC2 Instances (worker nodes) run the Sock Shop services: Front-end, Order (with Order db), Shipping, Queue, Client, Payment, User (with User db), Cart (with Cart db) and Catalogue, whose Product catalog lives in Amazon RDS.]
https://github.com/microservices-demo
Objectives
• Change CNI to Calico
• Implement Calico Network Policy
• Trigger GuardDuty events
All pods communicate with all pods
>kubectl exec --stdin --tty user-6b45cf8b6d-djjg2 -n shop -- sh
/ $ telnet payment 80
POST /paymentAuth HTTP/1.1
Host: payment
Content-Type: application/json; charset=utf-8
Content-Length: 36
{"Amount":100,"Account":12321425478}
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Tue, 08 Feb 2022 21:59:04 GMT
Content-Length: 51
{"authorised":true,"message":"Payment authorised"}
Our USER pod, dedicated to authentication, can send payment requests to the PAYMENT pod.
Enforce Calico Network Policies on Payment pod
>kubectl calico apply -f default-deny.yaml -n octank --config=calico.cfg.yaml --allow-version-mismatch
>kubectl calico apply -f allow-network-policies.yaml --config=calico.cfg.yaml --allow-version-mismatch
Security Groups for Pods vs K8s Network Policy vs Calico Network Policy: what are the differences?
1. Deny all traffic
2. Then allow specific traffic
3. Be mindful of statelessness
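The three steps above, as an added example of what the two manifests in the demo could contain (constructed here, not the deck's own files): a namespaced default-deny, then allow rules that re-open only DNS and the orders-to-payment flow. The namespace "shop" and the pod labels name == 'payment' and name == 'orders' are assumptions about the Sock Shop deployment.

```yaml
# Added example (not the deck's files): a default-deny policy plus the allow
# rules that re-open only required flows. Namespace "shop" and the pod labels
# (name == 'payment', name == 'orders') are assumptions about the Sock Shop.
---
# default-deny.yaml: selects every pod in the namespace for both directions
# but contains no rules, so Calico's end-of-policy default applies: deny.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: shop
spec:
  selector: all()
  types:
    - Ingress
    - Egress
---
# allow-network-policies.yaml, rule 1: every pod may still reach kube-dns,
# otherwise service names such as "payment" stop resolving after the deny.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: shop
spec:
  selector: all()
  types:
    - Egress
  egress:
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports: [53]
---
# Rule 2: only the orders pods may talk to payment on port 80. The user pod
# from the demo matches no allow rule, so its POST now times out.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-orders-to-payment
  namespace: shop
spec:
  selector: name == 'payment'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: name == 'orders'
      destination:
        ports: [80]
---
# Rule 3: the deny also covers egress, so the client side needs its own rule.
# Calico tracks connections, so reply packets of an allowed connection pass
# without a separate rule; only the initiating direction must be allowed.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-orders-egress-to-payment
  namespace: shop
spec:
  selector: name == 'orders'
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        selector: name == 'payment'
        ports: [80]
```

Applying the default-deny first and verifying with the same telnet check before adding each allow rule confirms that every remaining flow is one that was explicitly permitted.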
Check the control
>kubectl exec --stdin --tty user-6b45cf8b6d-djjg2 -n shop -- sh
/ $ telnet payment 80
POST /paymentAuth HTTP/1.1
Host: payment
Content-Type: application/json; charset=utf-8
Content-Length: 36
{"Amount":100,"Account":12321425478}
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Tue, 08 Feb 2022 21:59:04 GMT
Content-Length: 51
Time out…
You can now prevent lateral movement.
How to learn more
Other security news for Amazon EKS
https://aws.amazon.com/about-aws/whats-new/2022/01/acm-kubernetes-cert-manager-plugin-production/
https://aws.amazon.com/about-aws/whats-new/2021/12/eks-add-ons-ebs-csi-driver/
Re:Invent 2021 recap
https://www.youtube.com/watch?v=Q3Uj1rsmFLw
https://www.youtube.com/watch?v=V8DidcYmNmU
EKS workshops https://www.eksworkshop.com/
Beginner
• AWS IAM groups for cluster access
• AWS IAM roles for Service Accounts
• Security groups for pods
• Network Policies
• Secure secrets management
Intermediate
• CI/CD pipeline
• Logging with Amazon OpenSearch
• Open Policy Agent
• AWS App Mesh
Advanced
• Service mesh with Istio
• Machine learning with Kubeflow
• Machine learning with Amazon EMR
Thank you!
Please don't forget to fill in the survey for this session:
<your link>

Amazon EKS - security best practices - 2022
