AR
Uploaded byAnkit Rao
PPTX, PDF141 views

Demystifying Kubernetes Security using AWS EKS

The document presents a comprehensive overview of Kubernetes security using AWS Elastic Kubernetes Service (EKS), highlighting the shared responsibility model for cloud security. Key aspects include securing the network, control plane, and worker nodes through secure configurations and integrations with tools like AWS Inspector and AWS Security Hub. It also emphasizes the importance of logging and monitoring to maintain security across EKS environments.

Embed presentation

Download to read offline
Demystifying Kubernetes Security using AWS EKS Presented by: Ankit Rao
About me Ankit Rao ( @_AnkitRao )  Senior Software Engineer at Zscaler.  AWS certified Solutions Architect.  Cloud and Cloud Security Enthusiast.  AWS Community Builder.  Pune (MH), India
Agenda  Introduction to Elastic Kubernetes Service (EKS).  Cloud Security – A shared responsibility model.  What to secure in EKS ?  How to secure EKS ?  References
What is EKS? - Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service to run Kubernetes in the AWS cloud and on-premises data centers. - Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane.
Cloud Security – A shared responsibility model  Cloud security refers to the technologies, policies, controls, and services that protect cloud data, applications, and infrastructure from threats.  Cloud Security is a shared responsibility model. And why so ?  The diagram from AWS illustrates the same:
What to secure in EKS Network Control Plane Worker Nodes IAM Application pods Data Logs Container images
How to secure EKS ? Use of secure configurations AWS Controllers for Kubernetes Security integrations Logging and monitoring
How to secure EKS ?  Use of secure configurations – Network  Define a network as per the requirements. Enable flow logs for the VPC.  Place EKS nodes in private subnets to avoid exposure to the internet.  Segment subnets by purpose.  Restrictive rules for the control plane and worker node security groups.  Private access for the cluster API server endpoint. If using the public-private mode, ensure you whitelist the trusted sources only, instead of the cluster being accessible from anywhere.
How to secure EKS ?  Use of secure configurations – Control plane  Ensure use of latest available Kubernetes version.  Bare minimum permissions for the EKS cluster IAM role.  Configure RBAC to control access to Kubernetes resources based on user roles and permissions.  Use of envelope encryption feature.  Ensure logging is enabled, which can further be used to create dashboards.
How to secure EKS ?  Use of secure configurations – Worker nodes  Use of private subnet for worker nodes.  Minimal permissions to worker node IAM role. Pod level/subsystem level roles linked to appropriate service accounts can be used.  Use of hardened AMIs with inspector and SSM agent installed.  Segmentation of nodes using separate nodegroups for different use cases, and use of taints for pod scheduling.
How to secure EKS ?  Use of ACK – Access control  Tool that lets you directly manage AWS services from Kubernetes.  Leveraging this, one can define and create IAM roles required by the application pods, at a subsystem/ namespace level as per the need and avoid assigning permission to the global node level.  This can be achieved by using the IAM role and Policy CRD, which can basically be integrated with your deployment templates/helm charts.  This also ensures that the IAM resources are cleaned up along with related deployment.
How to secure EKS ?  Security Integrations – AWS Inspector  Inspector automatically discovers workloads and continually scans them for software vulnerabilities and unintended network exposure.  Once enabled, it will scan the EKS worker node instances and provide the mentioned data.  It also supports scanning of container images stored in ECR.
How to secure EKS ?  Security Integrations – AWS Security Hub  AWS Security Hub automates security best practice checks, aggregate security alerts into a single place and format, and understand your overall security posture across all of your AWS accounts.  You can also see the aggregated findings from Inspector here.
How to secure EKS ?  Logging and Monitoring  Once the logging is enabled during the EKS cluster configuration, they are saved in the Cloudwatch logs.  These logs can be used to monitor the cluster related metrics and alarms can be setup for any unusual events.  Further, application logs can be scraped to tools like Prometheus which can in-turn be used to setup dashboards on Grafana.
References  AWS Elastic Kubernetes Service  AWS Controllers for Kubernetes  Amazon Inspector
Thank You!

More Related Content

PDF
Trusted Application Delivery: Achieving Ultimate Security
byWeaveworks
 
PPTX
Kubernetes security with AWS
byKasun Madura Rathnayaka
 
PDF
Amazon EKS - security best practices - 2022
byJean-François LOMBARDO
 
PDF
Amazon EKS Managed Kubernetes Cluster
bykloia
 
PDF
Amazon Elastic Kubernetes Service (EKS) From Zero to Day 1
byAWS User Group - Thailand
 
PPTX
Meetup CNCF Torino - Amazon EKS March 29th 2019
byMassimo Ferre'
 
PDF
Max Körbächer - AWS EKS and beyond – master your Kubernetes deployment on AWS...
byCodemotion
 
PDF
Max Körbächer - AWS EKS and beyond master your Kubernetes deployment on AWS -...
byCodemotion
 
Trusted Application Delivery: Achieving Ultimate Security
byWeaveworks
 
Kubernetes security with AWS
byKasun Madura Rathnayaka
 
Amazon EKS - security best practices - 2022
byJean-François LOMBARDO
 
Amazon EKS Managed Kubernetes Cluster
bykloia
 
Amazon Elastic Kubernetes Service (EKS) From Zero to Day 1
byAWS User Group - Thailand
 
Meetup CNCF Torino - Amazon EKS March 29th 2019
byMassimo Ferre'
 
Max Körbächer - AWS EKS and beyond – master your Kubernetes deployment on AWS...
byCodemotion
 
Max Körbächer - AWS EKS and beyond master your Kubernetes deployment on AWS -...
byCodemotion
 

Similar to Demystifying Kubernetes Security using AWS EKS

PPTX
Introduction_to_Amazon_EKS, How to use Introduction
byDuyAnho2
 
PDF
Introduction to EKS and eksctl
byWeaveworks
 
PPTX
EKS security best practices
byJohn Varghese
 
PPTX
EKS AWS Presentation kuberneted oriented
byanabella881965
 
PPTX
AWS EKS Security Best Practices
byStackRox
 
PDF
What Is AWS Elastic Kubernetes Service
byAMELIAOLIVIA2
 
PPTX
Running kubernetes with amazon eks
byyanaisama
 
PDF
Lab 3.2 Kubernetes and Containers - 2nd Sight Lab Cloud Security Training
by2nd Sight Lab
 
PDF
From Zero to Production with Amazon EKS Blueprints for Terraform
byTal Hibner
 
PDF
EKS Workshop
byAWS Germany
 
PPTX
EKS New features - Re:invent 2022 recap at AWSUGNL Benelux
byMasoom Tulsiani
 
PDF
kubernetes on awsjourneryssdddddddddddddd
byRubyMallah
 
PPTX
Kubernetes on AWS => EKS || CNCF Meetup Zurich, Feb 2019
byGerd König
 
PDF
Introduction to Amazon EKS - KubeCon 2018
byArun Gupta
 
PDF
Securing your Kubernetes cluster : a step-by-step guide to success! (v2)
byKatia Himeur Talhi
 
PPTX
Eks and fargate
byAsaf Abres
 
PPTX
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
PPTX
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
PPTX
Kubernetes-Fundamentals.pptx
bysatish642065
 
PDF
Shift Right Security for EKS Webinar Slides
byAnchore
 
Introduction_to_Amazon_EKS, How to use Introduction
byDuyAnho2
 
Introduction to EKS and eksctl
byWeaveworks
 
EKS security best practices
byJohn Varghese
 
EKS AWS Presentation kuberneted oriented
byanabella881965
 
AWS EKS Security Best Practices
byStackRox
 
What Is AWS Elastic Kubernetes Service
byAMELIAOLIVIA2
 
Running kubernetes with amazon eks
byyanaisama
 
Lab 3.2 Kubernetes and Containers - 2nd Sight Lab Cloud Security Training
by2nd Sight Lab
 
From Zero to Production with Amazon EKS Blueprints for Terraform
byTal Hibner
 
EKS Workshop
byAWS Germany
 
EKS New features - Re:invent 2022 recap at AWSUGNL Benelux
byMasoom Tulsiani
 
kubernetes on awsjourneryssdddddddddddddd
byRubyMallah
 
Kubernetes on AWS => EKS || CNCF Meetup Zurich, Feb 2019
byGerd König
 
Introduction to Amazon EKS - KubeCon 2018
byArun Gupta
 
Securing your Kubernetes cluster : a step-by-step guide to success! (v2)
byKatia Himeur Talhi
 
Eks and fargate
byAsaf Abres
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
bySuman Chakraborty
 
Kubernetes Security Act Now Before It’s Too Late
byMichael Furman
 
Kubernetes-Fundamentals.pptx
bysatish642065
 
Shift Right Security for EKS Webinar Slides
byAnchore
 

Recently uploaded

PPTX
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PPTX
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 

Demystifying Kubernetes Security using AWS EKS

  • 1.
    Demystifying Kubernetes Security usingAWS EKS Presented by: Ankit Rao
  • 2.
    About me Ankit Rao( @_AnkitRao )  Senior Software Engineer at Zscaler.  AWS certified Solutions Architect.  Cloud and Cloud Security Enthusiast.  AWS Community Builder.  Pune (MH), India
  • 3.
    Agenda  Introduction toElastic Kubernetes Service (EKS).  Cloud Security – A shared responsibility model.  What to secure in EKS ?  How to secure EKS ?  References
  • 4.
    What is EKS? -Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service to run Kubernetes in the AWS cloud and on-premises data centers. - Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane.
  • 5.
    Cloud Security –A shared responsibility model  Cloud security refers to the technologies, policies, controls, and services that protect cloud data, applications, and infrastructure from threats.  Cloud Security is a shared responsibility model. And why so ?  The diagram from AWS illustrates the same:
  • 6.
    What to securein EKS Network Control Plane Worker Nodes IAM Application pods Data Logs Container images
  • 7.
    How to secureEKS ? Use of secure configurations AWS Controllers for Kubernetes Security integrations Logging and monitoring
  • 8.
    How to secureEKS ?  Use of secure configurations – Network  Define a network as per the requirements. Enable flow logs for the VPC.  Place EKS nodes in private subnets to avoid exposure to the internet.  Segment subnets by purpose.  Restrictive rules for the control plane and worker node security groups.  Private access for the cluster API server endpoint. If using the public-private mode, ensure you whitelist the trusted sources only, instead of the cluster being accessible from anywhere.
  • 9.
    How to secureEKS ?  Use of secure configurations – Control plane  Ensure use of latest available Kubernetes version.  Bare minimum permissions for the EKS cluster IAM role.  Configure RBAC to control access to Kubernetes resources based on user roles and permissions.  Use of envelope encryption feature.  Ensure logging is enabled, which can further be used to create dashboards.
  • 10.
    How to secureEKS ?  Use of secure configurations – Worker nodes  Use of private subnet for worker nodes.  Minimal permissions to worker node IAM role. Pod level/subsystem level roles linked to appropriate service accounts can be used.  Use of hardened AMIs with inspector and SSM agent installed.  Segmentation of nodes using separate nodegroups for different use cases, and use of taints for pod scheduling.
  • 11.
    How to secureEKS ?  Use of ACK – Access control  Tool that lets you directly manage AWS services from Kubernetes.  Leveraging this, one can define and create IAM roles required by the application pods, at a subsystem/ namespace level as per the need and avoid assigning permission to the global node level.  This can be achieved by using the IAM role and Policy CRD, which can basically be integrated with your deployment templates/helm charts.  This also ensures that the IAM resources are cleaned up along with related deployment.
  • 12.
    How to secureEKS ?  Security Integrations – AWS Inspector  Inspector automatically discovers workloads and continually scans them for software vulnerabilities and unintended network exposure.  Once enabled, it will scan the EKS worker node instances and provide the mentioned data.  It also supports scanning of container images stored in ECR.
  • 13.
    How to secureEKS ?  Security Integrations – AWS Security Hub  AWS Security Hub automates security best practice checks, aggregate security alerts into a single place and format, and understand your overall security posture across all of your AWS accounts.  You can also see the aggregated findings from Inspector here.
  • 14.
    How to secureEKS ?  Logging and Monitoring  Once the logging is enabled during the EKS cluster configuration, they are saved in the Cloudwatch logs.  These logs can be used to monitor the cluster related metrics and alarms can be setup for any unusual events.  Further, application logs can be scraped to tools like Prometheus which can in-turn be used to setup dashboards on Grafana.
  • 15.
    References  AWS ElasticKubernetes Service  AWS Controllers for Kubernetes  Amazon Inspector
  • 16.