1) The document discusses new AWS security services for container threat detection, including Amazon GuardDuty for EKS, Amazon Inspector, and AWS Security Hub. 2) It provides information on how these services can help secure containers by providing visibility, improving security posture, and automating responses to threats. 3) Recommendations are given on how to integrate and leverage these services for continuous threat monitoring, vulnerability management, and streamlining security workflows across container environments.

1. T O R O N T O | J U N E 2 2 – 2 3 , 2 0 2 2

2. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New AWS security services for
container threat detection
Jeff Lombardo
S E C 3 0 1
Sr. Solutions Architect, Security Specialist
AWS

3. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Raise the bar on your container security posture
Empower SecOps and DevOps
teams to unify visibility and
automate responses to help
them achieve operational
excellence in cloud security
Integrate AWS security
services to achieve continuous
threat detection, optimized
route workflows, and minimal
remediation time

4. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reduced risk
Operational
efficiency
Speed
Agility
Reduced operational burden by
removing undifferentiated heavy lifting
Consistent environment improves
developer velocity
Automation increases speed and ease
of testing and iterating
Uniform security across environment,
maintained with automation
Why customers adopt containers

5. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Drivers and challenges for Containers adoption
Security is a top driver and a top challenge
7 Millions
6 Millions
5 Millions
4 Millions
3 Millions
2 Millions
1 Million
0
2016 2022 2025
Source: IDC Container Infrastructure Software Market Assessment (January 2022)

6. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Organizations need better visibility and security
to optimize their next-gen cloud applications
Increase operational efficiency
for your cloud-based
workloads and applications
Improve
visibility
Enhance security
posture

7. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use AWS services to achieve operational
excellence in securing your cloud environment
Centralize threat detection and monitoring
Improve security posture assessment
Optimize vulnerability management
Streamline root cause analysis
Improve sensitive data discovery
Initiate and route workflows to existing systems
Prioritize critical findings
Automate remediation
Scale deployments
Amazon
Detective
AWS
Organizations
Amazon
GuardDuty
Amazon
Macie
Amazon
Inspector
AWS Security
Hub

8. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty
for EKS Protection

9. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty: Expanded coverage for
Amazon EKS

10. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EKS control plane API and audit logs
Kubernetes control plane API – HTTP API to query and manipulate the state of API objects
in Kubernetes
Pods, namespaces, ConfigMaps, events
Audit logs provide information on API interactions
• What happened?
• When did it happen?
• Who initiated it?
• On what did it happen?
• Endpoints, pods, ConfigMap, etc.
• Where was it observed?
• Where was it initiated?
• Where was it going?

11. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What can GuardDuty for Amazon EKS detect?
Currently 27 finding types
Credential access
MaliciousIPCaller
MaliciousIPCaller.Custom
SuccessfulAnonymousAccess
TorIPCaller
Defense evasion
MaliciousIPCaller
MaliciousIPCaller.Custom
SuccessfulAnonymousAccess
TorIPCaller
Discovery
MaliciousIPCaller
MaliciousIPCaller.Custom
SuccessfulAnonymousAccess
TorIPCaller
Impact
MaliciousIPCaller
MaliciousIPCaller.Custom
SuccessfulAnonymousAccess
TorIPCaller
Persistence
ContainerWithSensitiveMount
MaliciousIPCaller
MaliciousIPCaller.Custom
SuccessfulAnonymousAccess
TorIPCaller
Policy
AdminAccessToDefaultServiceAccount
AnonymousAccessGranted
ExposedDashboard
KubeflowDashboardExposed
Execution
ExecInKubeSystemPod
Privilege escalation
PrivilegedContainer
https://go.aws/3GMDzIx

12. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
GuardDuty EKS findings detail

13. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Remediation of GuardDuty for EKS findings
• Make cluster API endpoint private
▪ If public is a must, then allow list specific CIDR IP addresses
• Review and revoke unnecessary anomalous access
• Reverse actions taken – where appropriate
• Rotate credentials and secrets of impacted users
• Isolate pods, revoke pod credentials, and gather data for forensics
• Terminate pods or nodes
• Patch container image and redeploy
GuardDuty Kubernetes remediation guidance:
https://go.aws/3GMVmzg
Amazon EKS security best practices:
https://bit.ly/3wZ7EQA
Automate
wherever
you can

14. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where can you use GuardDuty for EKS Protection?
Development
Amazon EKS
Cluster
GuardDuty
Test
Amazon EKS
Cluster
GuardDuty
Production
Amazon EKS
Cluster
GuardDuty
Sandbox
Amazon EKS
Cluster
GuardDuty
Security
GuardDuty
AWS CodePipeline
Deployment pipeline

15. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Inspector

16. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Inspector: How it works

17. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Amazon Inspector scans container images
• Retrieve the image from Amazon ECR
• Extract each layer of the image
• Look at OS and the installed packages
• Look through the file system for other files
• Compare against vulnerability database

18. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Inspector findings for container images
• Available in Amazon Inspector and Amazon ECR consoles
• Repositories configured for continuous scanning
• All findings closed 30 days after image was first pushed to the repo
• No further scanning of the image occurs
• Repositories configured only for scan on push
• Findings will remain open until the image is deleted
• Closed findings are deleted after 30 days
• Deleting an image closes the associated findings

19. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon ECR scan results in Amazon Inspector

20. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scan results in Amazon Inspector
by container image

21. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scan results in Amazon Inspector
by image findings

22. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scan results in Amazon Inspector by image layer

23. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Remediating Amazon Inspector
container findings
• Delete the image in the Amazon ECR
repository
• Create an issue in the code repository
• Create a push request in the
code repository
• Publish an updated image

24. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using Amazon Inspector and
container image scans
AWS Code Pipeline
Security monitoring
AWS Security Hub
Findings
Build
image
Build
Amazon ECR
Registry
Image
Scan
Results
AWS
CodeBuild
Amazon
Inspector
Amazon GuardDuty

25. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Inspector notifications
for container image scans
Amazon ECR
Image
Amazon Inspector Amazon EventBridge
Scan status
event
Push
event
Amazon EventBridge Target service

26. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Inspector container scan events
{
"version": "0",
"id": "20d26d65-1111-2222-333-e71a63f889ad",
"detail-type": "Inspector2 Coverage",
"source": "aws.inspector2",
"account": "<account ID>",
"time": "2022-01-21T21:14:49Z",
"region": "us-east-1",
"resources":
[
"arn:aws:ecr:us-east-1:<account ID>:repository/ictu/sha256:0298122deacefd0cxxx"
],
"detail":
{
"scanStatus":
{
"reason": "SUCCESSFUL",
"statusCodeValue": "ACTIVE"
},
"eventTimestamp": "2022-01-21T21:14:44.588013Z"
}
}

27. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Verify containers / Deploy post Inspector scan
Check Amazon
Inspector results
Trigger container
deploy
Results
okay?
D ’
deploy
No
Yes
Amazon ECR
Image
Amazon Inspector Amazon
EventBridge
Scan
status
event
Push
event Amazon
EventBridge

28. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Verify containers/stage
post-Amazon Inspector scan
Staging Amazon ECR
repository
Image
Amazon Inspector Amazon EventBridge
Check Amazon
Inspector results
Deploy Amazon ECR
repository
Results
okay?
D ’
move
No
Yes
Deploy
Amazon Inspector
Important!
Monitor Amazon Inspector
findings from both repositories

29. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using multi-account Amazon Inspector for
image scans
Security account
Amazon Inspector
Registry
Build account
Registry
Prod account
Amazon Inspector
Amazon
EventBridge
Events
EC2
EC2
EC2
Amazon
EventBridge
Findings
Security operators
Amazon Inspector

30. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Security Hub

31. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Hub with GuardDuty and
Amazon Inspector

32. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-account and multi-team strategy
Security account
Account 1 Account 2 Account 3
AWS Security Hub
GuardDuty
Amazon EKS
GuardDuty
Security
Hub
Security
Hub
Amazon EKS Registry
Registry
EC2
EC2
Amazon EKS
GuardDuty
Security Hub
Amazon
EventBridge
Findings
Security operators
Automation document
AWS Lambda
Amazon Kinesis Data Streams
Amazon SNS
Rules
Amazon Inspector Amazon Inspector

33. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Additional resources
AWS containers roadmap
Raise, influence, contribute
Amazon EKS Security Best Practices
luster Auto Scaling, reliability, and Windows Containers
AWS EKS workshop
Beginner
• AWS IAM groups for cluster access
• AWS IAM roles for services accounts
• Security groups for pods
• Network policies
• Secure secrets management
Intermediate
• CI/CD pipeline
• Logging with Amazon OpenSearch Service
• Open policy agent
• AWS App Mesh
Advanced
• Service mesh with Istio
• Machine learning with Kubeflow
• Machine learning with Amazon EMR

34. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deepen your skills with digital
learning on demand
Access 500+ free digital courses
and Learning Plans
Earn an industry-recognized
credential
AWS Skill Builder AWS Certifications
Explore resources with a variety
of skill levels and 16+ languages
to meet your learning needs
Join the AWS Certified community
and get exclusive benefits
Receive Foundational,
Associate, Professional,
and Specialty certifications
Train now
Access new
exam guides
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Learn in-demand AWS Cloud skills

35. Thank you!
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. Please complete
the session survey
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.