Deploying DevSecOps on Amazon EKS with Aqua Security — Part 1

Editor’s note: This is the first of a two-part series with Aqua Security. Read Part 2 >>

By Irshad A. Buchh, Sr. Partner Solutions Architect at AWS
By Manasi Prabhavalkar, Cloud Integration Architect at Aqua Security

Customers running their microservices-based applications on Amazon Elastic Kubernetes Service (Amazon EKS) come to Aqua Security looking for guidance about architecting end-to-end continuous integration and continuous deployment (CI/CD) pipelines using DevSecOps principles.

DevSecOps, sometimes called security as code, integrates security best practices into a DevOps pipeline instead of bolting them on at the end. It’s a new security paradigm that can evolve with fast-changing security requirements.

Aqua Security is an AWS Advanced Technology Partner with the AWS Containers Competency. They have formulated a security portfolio that provides coverage throughout the application development lifecycle while also securing the underlying infrastructure.

In this post and a later post, we’ll show you how to integrate Aqua’s DevSecOps solutions into your Amazon Web Services (AWS) environments:

• Part 1 — How to set up Aqua Cloud Native Security Platform and Aqua Enforcers on Amazon EKS clusters.
• Part 2 — (coming soon) How Aqua Security can help implement a secure application development lifecycle, from the build stage to production, using static application security testing (SAST) and dynamic application security testing (DAST) patterns.

Aqua Cloud Native Security Platform

According to devopsonline, DevSecOps has five principles:

1. Deliver small, frequent releases using agile methodologies.
2. Wherever possible, make use of automated testing.
3. Empower developers to influence security changes.
4. Ensure you are in a continuous state of compliance.
5. Be prepared for threats, always invest in advanced training for your engineers.

Aqua Cloud Native Security Platform (Aqua Platform) is a comprehensive collection of security capabilities that provides full lifecycle security up and down the technology stack across containers, orchestrators, cloud virtual machines (VMs), and serverless functions.

Aqua Platform secures existing workflows and workloads, facilitates regulatory compliance, enforces immutability, and captures security data for forensics.

Aqua Platform performs the grunt work of automating security throughout the application lifespan, enabling customers to concentrate on their core business competencies. It takes a segmented approach to securing the build artifacts, first securing the infrastructure they are running on, and then securing the workloads themselves.

This approach provides clear visibility and granular control into the security posture of your environment. It scans the pipeline artifacts or images for risks such as vulnerabilities, malware, and sensitive data.

Aqua also continuously scans the image registry, where the images are staged, for newly discovered risks. Finally, it secures the application in production by implementing runtime protection and micro-segmentation, simultaneously collecting data at every step for forensics.

Aqua Platform has three key differentiators:

• Risk-Based Insights — Holistic approach for prioritizing risks based on factors such as network attack vectors and exploitability, in a specific application context, within a given customer environment.
  .
• Dynamic Threat Analysis (DTA) — Elevates your security practices by running images in a secure sandbox to keep up with sophisticated zero-day attacks and well-hidden evasive malware that lurk in the blind spots of static scans.
  .
• Aqua vShield — Compensatory virtual patching mechanism that acts as a shield to safeguard workloads from exploitation of known vulnerabilities that may or may not have a fix yet, without modifying the image.

Aqua Enforcers

Aqua takes a policy-driven approach to enforce security for remediation and compliance. To do this effectively, it uses Aqua Enforcers to monitor the runtime activity of containers, collect information about the running workloads, and enforce security based on the policies defined.

Aqua provides various types of Enforcers tailored specifically to different deployment environments. They are purposefully deployed close to the application to accurately enforce security.

Together, Aqua Security and Amazon EKS provide a highly-controlled environment that greatly reduces the attack surface before your application is even deployed, and automatically detects and responds to anomalies during runtime.

Aqua Enforcers for Amazon EKS are deployed as a Kubernetes DaemonSet on every cluster worker node to be managed by Aqua. DaemonSets ensure all Amazon EKS cluster nodes run a copy of a pod, and allow Aqua to run a daemon on every node. Enforcement can be applied to containers, hosts, and the network activity between them in the form of firewall policies.

Solution Architecture

Figure 1 shows the architecture for deploying Aqua Platform on Amazon EKS inside an Amazon Virtual Private Cloud (Amazon VPC), depicted as Aqua VPC in the diagram, and AWS Region.

Figure 1 – Architecture of Aqua Platform providing security for Amazon EKS.

The architecture uses two different Amazon VPCs for segregating the production application traffic from security enforcement. The VPC shown in the right side of Figure 1 hosts the Aqua Platform application, which is deployed in an Amazon EKS cluster of its own for scaling and high-availability considerations.

A private Amazon Relational Database Service (Amazon RDS) Postgres database is deployed in the same Aqua VPC, enabling a communication channel to the Aqua Console.

Aqua Console is the brains of this ensemble, and uses the RDS Postgres database on the back end to store security policy and audit information. The console comes with a user interface for defining security policies, auditing compliance, and reviewing status. It also includes an embedded scanner that performs static scanning of all the assets in your Amazon EKS environments.

The Workload VPC on the left of Figure 1 hosts Aqua Enforcer. It’s the most versatile component in the solution, and is deployed closer to the workloads. For Amazon EKS, Aqua deploys it as a DaemonSet on all the Kubernetes worker nodes. It is responsible for auto-discovery of assets, as well as enforcement of the policies defined in the Aqua Console.

This communication happens via the Aqua Gateway, which aggregates all of the security data and provides it to the Aqua Console and to any security information and event management (SEIM) integrations that might want to consume it.

How to Deploy Aqua Security on Amazon EKS Clusters

This procedure deploys Aqua Platform on one Amazon EKS cluster to provide DevSecOps before the application is deployed, and Aqua Enforcers on another EKS cluster to monitor the application during runtime. It has seven steps:

1. Create and configure an AWS Cloud9 environment.
2. Create an Amazon EKS cluster for Aqua Platform.
3. Create an RDS Postgres database for Aqua Platform.
4. Install Aqua Platform on Amazon EKS cluster.
5. Create an Amazon EKS cluster for running application workloads.
6. Deploy Aqua Enforcers on the workload cluster.
7. Create an Aqua Enforcer group on the workload cluster.

Prerequisites

Before you attempt to do these steps, make sure you have:

• An AWS account
• Aqua license
• GitHub account

Step 1: Create and Configure an AWS Cloud9 Environment

To create and configure an AWS Cloud9 environment, follow these steps.

a. Create the AWS Cloud9 environment.

Log in to the AWS Management Console and search for Cloud9 service in the search bar:

Figure 2 – Search for Cloud9 service in AWS Management Console.

Select Cloud9 from the results.

In Cloud9, create an AWS Cloud9 Amazon Elastic Compute Cloud (Amazon EC2) instance hosting Amazon Linux in the us-east-1 region.

Launch the AWS Cloud9 integrated development environment (IDE).

b. Install and configure kubectl.

Open a new terminal session.

Install kubectl and aws-iam-authenticator on the AWS Cloud9 Amazon Linux machine by entering these commands in succession:

curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl

chmod +x ./kubectl

mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin

echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
kubectl version --short --client

rm kubectl

curl -o aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/aws-iam-authenticator

chmod +x ./aws-iam-authenticator

mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin

echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc

aws-iam-authenticator help

rm aws-iam-authenticator

wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64

mv jq-linux64 $HOME/bin/jq

chmod +x $HOME/bin/jq

c. Upgrade awscli.

Enter these commands in succession:

aws --version

pip install awscli --upgrade --user

sudo pip install --upgrade pip

d. Install  eksctl and jq.

Enter these commands in succession:

curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp

sudo mv /tmp/eksctl /usr/local/bin

eksctl version

sudo yum install jq

e. Attach the IAM role.

Attach the AWS IAM role to your Cloud9 Amazon EC2 instance.

f. Update the IAM setting.

Update the AWS IAM setting of your Cloud9 Amazon EC2 instance.

g. Install aquactl.

Enter these commands in succession.

wget  "https://get.aquasec.com/aquactl/stable/aquactl"

chmod +x ./aquactl

./aquactl --help

Step 2: Create an Amazon EKS Cluster for Aqua Platform

You can deploy the Aqua Platform application in an existing Amazon EKS cluster in a separate namespace. For easier scaling and high-availability, deploy it in an Amazon EKS cluster of its own in a separate virtual private cloud (VPC).

Aqua recommends creating a private node group with at least two nodes to deploy the application, and using AWS network address translation (NAT) gateways for internet connectivity. The Aqua VPC block in the architecture diagram in Figure 1 shows this configuration.

To create the cluster, use the eksctl command:

eksctl create cluster -f cluster.yaml

The eksctl command creates the cluster with the configuration specified by this file:

cat << EOF > cluster.yaml

# cluster.yaml
# A cluster with a managed nodegroup and private networking.
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: aqua-cluster
  region: us-east-1

# Multiple Availability Zones can be added here except for us-east-1e, which doesn't support Amazon EKS availabilityZones:
  - "us-east-1a"
  - "us-east-1b"

managedNodeGroups:
  - name: managed-ng-1
    minSize: 1
    maxSize: 2
    desiredCapacity: 2
    volumeSize: 20
    privateNetworking: true
    iam:
      withAddonPolicies:
        externalDNS: true
        certManager: true
EOF

Step 3: Create an Amazon RDS Postgres database for Aqua Platform

As previously shown in Figure 1, Aqua Platform requires a Postgres database to store operational data such as policies, configuration data, and audit events. To provision Amazon RDS with a PostgreSQL engine option, launch this AWS CloudFormation template inside your AWS account:

In the window that appears, fill in the parameters as shown in Figure 3.

Figure 3 – Fill in RDS parameters in AWS CloudFormation template.

Once Amazon RDS is provisioned, write down the RdsInstanceEndpoint in the AWS CloudFormation output, which you’ll use in Step 4.

Figure 4 – Write down the RdsInstanceEndpoint from AWS CloudFormation output.

Step 4: Install Aqua Platform on Amazon EKS Cluster

The interactive Aqua Security aquactl command line tool simplifies the deployment of Aqua Platform on a variety of environments, including Amazon EKS. To install and use it, follow these steps.

a. Go to the AWS Cloud9 IDE.

b. Display the options of the aquactl command:

./aquactl deploy csp –help

c. Install Aqua Platform with all its components on Amazon EKS:

./aquactl deploy csp --gateway-service LoadBalancer

This command exposes the Aqua Gateway Service using an elastic load balancer. It’s an interactive command line tool, so it prompts you to enter all the relevant options.

d. Respond to the aquactl command-line prompts shown in Figure 5.

These are:

• • Aqua license details.
  • Amazon RDS details (including Database IP or DNS URL).
  • Aqua password.

Figure 5 – aqualctl prompts for Aqua license details, RDS details, and an Aqua password.

e. Save the Aqua Console and Aqua Gateway Service endpoints.

Using the Cloud9 terminal, run the following commands in sequence:

AQUA_ELB=$(kubectl get svc aqua-web --namespace aqua -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")

AQUA_CONSOLE="http://$AQUA_ELB:8080"

AQUA_GATEWAY=$(kubectl get svc aqua-gateway --namespace aqua -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")

f. Log in to the Aqua Console.

Open a browser and log in to the Aqua Console using the Aaua Console URL from Step e, plus the Aqua administrator password.

g. Once you are logged in, enter the Aqua license token from your Aqua account.

The Aqua server responds with compliance status and security policy information to enforce.

Step 5: Create an Amazon EKS Cluster for Application Workloads

As you may recall from Figure 1, we separate security enforcement from application traffic by using two Amazon EKS clusters. We already created and configured the cluster for security enforcement. To create the cluster that hosts the application workloads, follow these steps.

a. Create the Amazon EKS cluster.

Run the following command:

eksctl create cluster --name=workload-cluster --nodes=2 --region=us-east-1 --zones us-east-1a,us-east-1b

b. Rename the cluster context to avoid confusion.

First ensure you are on the right cluster by setting the cluster-context:

kubectl config use-context workload-eks

Then use the kubectl config rename-context command to rename the Amazon EKS contexts:

Figure 6 – Use the kubectl command to rename Amazon EKS contexts.

Step 6: Deploy Aqua Enforcers on the Workload Cluster

Use the aquactl command to begin the command-line deployment process:

./aquactl deploy enforcer --gateway=$AQUA_GATEWAY:3622

Figure 7 – Use the aquactl command to deploy Aqua Enforcers.

Step 7: Create an Enforcer Group on the Workload Cluster

Follow these instructions:

a. Get the ENFORCER_TOKEN.

Run the following commands in Cloud9:

ENFORCER_TOKEN=$(kubectl get secret -n aqua enforcer-token -o json | jq -r .data.token | base64 -d)

echo $ENFORCER_TOKEN

This is how the token looks:

Figure 8 – Aqua Enforcer token.

b. Log in to the Aqua Console.

Open a browser tab and log in to the Aqua Console using the Database IP or DNS URL from the AWS RDS details highlighted in Figure 5, plus the Aqua administrator password.

c. Add Enforcer Group.

Select the Enforcers link on the left of the screen, then the Add Enforcer Group button. This screen is displayed.

Figure 9 – Fill in the fields in the Aqua Enforcer Group screen.

• • Enter a group name.
    .
  • In the Deployment Token field, enter the ENFORCER_TOKEN as the deployment token.
    .
  • Set the Security Settings to Enforce, and select all the check boxes under Auditing, Container Protection, Host Protection, and Advanced Settings.
    .
    Select the Create Group button.
    .
  • Refresh the screen to discover the Enforcers. The screen displays their status.

Figure 10 — Status of Enforcers in Aqua Workload Enforcer group.

This completes the setup process.

Next Steps

We have shown you how to deploy Aqua CPS and Aqua Enforcers on two separate Amazon EKS clusters. Aqua Platform hosted on one Amazon EKS cluster provides a unified view across various environments for better visibility and control. Aqua Enforcers on the second Amazon EKS cluster secure the production workload deployed on it.

The second part of this series, to be published soon, dives deeper to discuss how Aqua Security can help implement a secure application development lifecycle, from the build stage to production, using static application security testing (SAST) and dynamic application security testing (DAST) patterns.

Conclusion

Aqua Platform can help secure your DevSecOps pipelines and production workloads. No matter where you are in your cloud-native journey, Aqua Platform simplifies security by providing actionable, real-time insights and accurate security analytics that often remain unaddressed by legacy security practices.

Aqua Cloud Native Security Platform doesn’t just help you implement and secure one piece of your application lifecycle and infrastructure. It provides you with an end-to-end solution for developing and building a robust and secure application—and running it securely in your production environments.

For more information, please contact Aqua Security.

.

.

Aqua Security – AWS Partner Spotlight

Aqua Security is an AWS Competency Partner. They have formulated a security portfolio that provides coverage throughout the application development lifecycle while also securing the underlying infrastructure.

Contact Aqua Security | Solution Overview | AWS Marketplace

*Already worked with Aqua Security? Rate the Partner

*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.