Skip to content
Untitled design-Aug-30-2022-06-45-18-73-PM
Tim Smith December 1, 2022 4 min read

How to secure your Amazon EKS Cluster

Mondoo_graphics_How to secure your Amazon EKS Cluster-03

Sometimes when you're running Kubernetes workloads in AWS using EKS, it feels like Amazon is doing your job for you. EKS abstracts away much of the complexity in day-to-day Kubernetes infrastructure management. Tasks like configuring, tuning, and even securing the Kubernetes control plane become an Amazon problem and not a you problem. Unfortunately, when it comes to security, you’re not off the hook. While Amazon’s team of security experts are managing your control plane, the remainder of your cluster security is still up to you.

Full-stack Kubernetes security: beyond the control plane

Just like you wouldn’t consider your cloud infrastructure safe just because you've secured an ALB, your Kubernetes infrastructure isn’t safe just because you've secured etcd or other control plane components. Because security always comes down to the weakest link in the system, it's critical to safeguard not just the control plane, but also cluster nodes, workloads, and even running containers. 

At Mondoo we’ve built a layered approach to Kubernetes protection that we call full-stack Kubernetes security. We monitor:

  • Containers
  • Workloads (deployments, pods, and more)
  • Cluster configuration
  • Cluster nodes
  • The infrastructure your cloud runs on

Only with this layered approach can you ensure that your application infrastructure is truly secure.

full_stack_diagram

Continuously scanning EKS with Mondoo

Mondoo provides full-stack Kubernetes security for your EKS clusters using our Mondoo Kubernetes Operator. The operator runs in the background on your EKS cluster to scan cluster nodes, cluster configuration, individual workloads, and running containers. This layered security insight helps you secure not only the EKS cluster itself but also the workloads that application teams are deploying to your cluster.

The operator also includes an optional Kubernetes admissions controller that scans all new or updated workloads that enter your cluster. The admission controller gives you visibility into the security of newly deployed workloads in addition to the state of existing running cluster workloads.

Learn more about the Kubernetes Operator

Scan your cluster now

To start scanning your cluster, visit https://console.mondoo.com and create a free account. You can log in using your Google, Microsoft, or GitHub account. Once you’re logged in, our trusty mascot, Ada, will help you start scanning your infrastructure.

welcome

Select BROWSE INTEGRATIONS to see a list of integrations you can use to scan your infrastructure with Mondoo. Our top three recommended integrations help you get started securing your AWS and EKS infrastructure.

top_integrations

  • The Amazon AWS integration runs a Lambda function in your AWS account to discover and scan services and EC2 instances without the need to deploy agents. → Learn more about our AWS integration
  • The Workstation installation includes the Mondoo binary for use on your local development workstation. The Mondoo CLI allows you to remotely scan servers over SSH/WinRM and scan cloud accounts, Kubernetes clusters, and even SaaS services without deploying additional infrastructure. You can also use this binary to locally scan Kubernetes manifests, Docker images/containers, and Terraform configs before deploying to staging or production environments.
  • The Kubernetes operator is what we’ll be using today to secure our EKS cluster and workloads. Select Kubernetes to set up the operator integration.

integration_setup

To configure the integration, we’ll provide a name and select which components of our cluster we want to scan. Since we’re interested in securing the complete cluster, we’ll leave the defaults for our prod-eks integration.

Selecting CREATE. You’ll receive a command to run to install the operator and create a Kubernetes secret to store Mondoo platform credentials.

install_command

Once set up, Mondoo will also recommend policies to help you secure your systems. By default, Mondoo applies our out-of-the box cluster/workload security and best practice policies. You can also enable Center for Internet Security (CIS)-certified EKS policies and NSA security policies.

policies

With your policies enabled, Mondoo will now scan your cluster and report cluster and workload security results.

Viewing cluster security

Once the operator has scanned your cluster, you’ll find a number of assets in the Fleet tab.

assets

These assets include the Kubernetes cluster itself (and workloads), the operating systems that run your cluster, and the containers running in the cluster. You can dive deeper into each of these high-level categories to see different groups of scanned assets. 

For example, under Kubernetes, you can view all deployments to get a quick snapshot of your deployment security.

deployments

Select any of these deployments for a detailed view of the asset’s security, including the top vulnerabilities, policy scores, and individual controls. Our example luna/frontend deployment has several critical issues such as the container running as root, which could be used as part of a container escape attack. Each control details the workload security violation and instructions on securing the workload.

results

Security, compliance, and vulnerabilities

Rely on Mondoo to secure all aspects of your Amazon cloud environment. From instances to Kubernetes, from buckets to APIs, Mondoo finds vulnerabilities and misconfigurations that put your organization at risk.

Learn About Full Stack Security for AWS

 

avatar

Tim Smith

Product Manager, Software Developer, Operations Engineer and passionate open source advocate with over a decade of direct involvement in open source projects and communities.
view raw