Enhanced Threat Detection with AWS Security Hub and Red Hat Advanced Cluster Security for Kubernetes

By Will Garcia, Sr. Partner Solutions Architect – AWS
By Mehdi Salehi, Sr. Partner Solutions Architect – AWS
By Shane Boulden, Principal Specialist Solution Architect – Red Hat

Red Hat

Amazon Web Services (AWS) customers have a variety of choices for running Kubernetes workloads, ranging from managed services like Amazon Elastic Kubernetes Services (Amazon EKS) and Red Hat OpenShift Service on AWS (ROSA) to self-managed Kubernetes and other OpenShift implementations.

To secure both platform components and applications running on these environments, there are dozens of open-source and software solutions to choose from. In such an evolving landscape, a common challenge is translating the security requirements from the business and governance perspective into secure policies and compliance mechanisms that are applicable, whether a customer uses one platform or a combination of these.

In this post, we discuss joining the capabilities of Red Hat Advanced Cluster Security for Kubernetes (RHACS) with AWS Security Hub to help you consolidate and act on container security findings through a single pane of glass.

RHACS is developed by Red Hat, an AWS Specialization Partner and AWS Marketplace Seller with the AWS Container Competency. Red Hat offers services to reduce complexity, innovate faster, deploy and secure your applications. RHACS is a Kubernetes-native security platform allowing customers to develop and operate applications safely across multiple Kubernetes and OpenShift clusters.

RHACS supports key container security features such as:

• Vulnerability management, threat detection and response, including mitigations at runtime.
• Compliance and best practices through industry standards like CIS Benchmarks, NIST, PCI, and HIPAA.
• Runtime process and network traffic flow anomaly detection.
• Risk profiling to assist in prioritizing security issues.

To conduct cloud security posture management (CSPM) and initiate security orchestration automation and response (SOAR), it’s equally important to have an integrated security operational model. This is where AWS Security Hub comes into this picture to aggregate findings, provide controls based on regulatory and compliance frameworks, and automate alerts so users can take action on these findings.

Solution Overview

This solution highlights how security findings from RHACS are collected and sent to AWS Security Hub.

Figure 1 – Combining RHACS with AWS Security Hub.

1. Collectors and Sensors are installed in your Kubernetes and OpenShift clusters. In RHACS, these clusters are known as Secured Clusters. These services gather container runtime information such as network activities, and detect or enforce policies.
2. Central provides scanner services for operating system and orchestrator vulnerabilities. A user interface (UI) is available to visualize violations per workload and set of rules, and to manage policies and external integrations.
3. RHACS sends its findings to AWS Security Hub, which continuously performs best practice checks across your AWS infrastructure, and aggregates security findings from third-party partner services including RHACS. This enables you to build a unified view of container and AWS-related security findings in a standardized data format.
4. To provide automated response and remediation, AWS Security Hub sends events data to Amazon EventBridge which acts as a router used to trigger remediation playbooks through AWS Lambda functions, AWS Systems Manager documents, Amazon Simple Notification Service (Amazon SNS), third-party ticketing, and security information and event management (SIEM) systems.

Installing Red Hat Advanced Cluster Security for Kubernetes

In RHACS architecture, a Central cluster manages several Secured Clusters. Central and Secured Clusters services are installed using different methods such as:

• Option 1: Helm charts, or the roxctl command line interface (CLI). This method is required for Amazon EKS and Kubernetes clusters.
• Option 2: RHACS Operator, recommended for ROSA and OpenShift clusters.

In this post, we’ll use the RHACS operator installation method on an example ROSA cluster.

Step 1: Install and Configure Central Services

In your ROSA cluster console, go the OperatorHub and search for Advanced Cluster Security. Select the operator provided by Red Hat, and select Install. You can use the default values to install in the recommended namespace rhacs-operator.

The operator adds two custom resources: Central and Secured Cluster, which can be managed by code or using the operator view below.

First, create a new namespace rhacs-central and create a Central resource under it.

Figure 2 – Creating a Central and Secured Cluster custom resources.

Central services also expose the RHACS portal (UI). You can find the portal URL and access it with the following oc command:

$ echo https://`oc get route central -n rhacs-central -o jsonpath={.spec.host}`:443

The username is admin, and the initial password can be extracted from the central-htpasswd secret using the following command:

$ oc -n rhacs-central get secret central-htpasswd -o go-template='{{index .data "password" | base64decode}}'

We recommend you configure RHACS with an identity provider (IdP) to use multi-factor authentication (MFA), password policies, and manage your users centrally. RHACS supports Lightweight Directory Access Protocol (LDAP), and OpenID Connect (OIDC)-compliant IdPs such as Amazon Cognito.

Step 2: Install and Configure Secured Cluster Services

Each Kubernetes or OpenShift cluster that needs to be monitored by Central requires to have an init bundle and Secured Cluster services installed.

Create a new namespace named rhacs-secured-cluster and install the init bundle which contains secrets used to allow communication between Secured Cluster and Central services. Follow the RHACS documentation to generate and apply it to your Secured Clusters.

In the operator view shown above, select Create new > Secured Cluster under the namespace rhacs-secured-cluster.

If you install Central and Secured Cluster services in a single cluster, use central.rhacs-central.svc.cluster.local:443 as the Central Endpoint. Otherwise, run the command below to find the routable endpoint of your Central cluster:

$ echo `oc get route central -n rhacs-central -o jsonpath={.spec.host}`:443

Once the Secured Cluster installation is complete, verify all components are active for each cluster in the RHACS UI, under Platform Configuration > Clusters.

Figure 3 – Secured clusters in the RHACS console.

Integration with AWS Security Hub

Step 3: RHACS Integration to AWS Security Hub

To connect AWS Security Hub to RHACS, go to the Security Hub console > Integrations, and search for StackRox.

Figure 4 – StackRox’s integration in AWS Security Hub.

Step 4: Configure IAM Permissions

Copy the AWS Identity and Access Management (IAM) policy provided, which includes the permissions required to allow RHACS to send findings to AWS Security Hub. Then, select Accept findings.

Run the following AWS CLI command to create the IAM policy previously copied:

$ export AWS_SECURITYHUB_REGION=<replace-me-with-securityhub-aws-region>
$ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

$ cat <<EOF > ./rhacs-securityhub.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchImportFindings"
            ],
            "Resource": "arn:aws:securityhub:${AWS_SECURITYHUB_REGION}::product/stackrox/kubernetes-security",
            "Condition": {
                "StringEquals": {
                    "securityhub:TargetAccount": "${AWS_ACCOUNT_ID}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchImportFindings"
            ],
            "Resource": "arn:aws:securityhub:${AWS_SECURITYHUB_REGION}:${AWS_ACCOUNT_ID}:product-subscription/stackrox/kubernetes-security",
            "Condition": {
                "StringEquals": {
                    "securityhub:TargetAccount": "${AWS_ACCOUNT_ID}"
                }	
            }
        }
    ]
}
EOF

$ POLICY_ARN=$(aws iam create-policy --policy-name rhacs-securityhub \
--policy-document file://./rhacs-securityhub.json \
  --query 'Policy.Arn' --output text)

$ aws iam create-user --user-name rhacs-securityhub

$ aws iam attach-user-policy --policy-arn ${POLICY_ARN} --user-name rhacs-securityhub

$ aws iam create-access-key --user-name rhacs-securityhub
<the Access Key ID and Secret Access Key have been redacted>

Step 5: Connecting RHACS to AWS Security Hub

In the RHACS portal, under Platform Configuration > Integrations > Notifier integrations, select AWS Security Hub. Then, select New integration and create an integration using the AWS credentials created earlier.

Figure 5 – Configuring notifiers for RHACS policies.

RHACS provides dozens of policies by default which verify common security issues and best practices at container build, deploy, and runtime. Depending on your requirements, you can also bring in new policies using Import policy (JSON format) or by using the Create Policy UI wizard.

With the notifier configuration above, you’re ready to test the integration. If you wish to send the results immediately to AWS Security Hub for the first time, you can select Reassess all. Otherwise, results will be sent by RHACS in the background after a few minutes.

Once RHACS collects and forwards policy violations, you’ll see them appear in Security Hub under Findings.

Figure 6 – Examples of security findings from RHACS in AWS Security Hub.

For each finding, additional details are available in AWS Security Hub, such as the non-compliant workload resource ID, severity level, and the RHACS policy description.

Figure 7 – View of an RHACS finding in AWS Security Hub for a given workload.

To take action on findings, we recommend you automate alerting and incident response using the AWS Security Hub integration with Amazon EventBridge, which delivers security events to a range of destinations and allows targeted and automated remediation. You can find examples of remediation playbooks in this AWS blog post.

­Cleanup

To avoid incurring charges, if you’re no longer using the RHACS integration discussed in this post:

• Remove Central and each of the SecuredCluster resources, and then uninstall the RHACS operator.
• Remove the IAM user and policy.
• Remove the Security Hub integration in RHACS under Platform Configurations > Integration.
• In Security Hub, select Stop accepting findings under Integrations > StackRox integration.

Conclusion

In this post, we went through the process of setting up Red Hat Advanced Cluster Security for Kubernetes (RHACS) in Red Hat OpenShift Service on AWS (ROSA) to collect vulnerability findings from container images, runtime, and network activities.

ROSA leverages an operator-based installation to create Secured clusters. Amazon EKS clusters are also supported by RHACS, and can be configured as Secured clusters using Helm or the roxctl CLI.

Additionally, we provided the steps to follow in order to centralize these findings into AWS Security Hub.

Combining AWS and Red Hat security services helps harden your organization’s container environment to detect policy violations and build automated compliance for high-risk workloads.

Controls at every stage of the development are key. We also recommend you use RHACS in CI/CD pipelines to simplify your DevSecOps processes, and to explore other integrations such as scanning container images stored in Amazon Elastic Container Registry (Amazon ECR).

Learn more with Red Hat Advanced Cluster Security Cloud Service and Red Hat OpenShift Platform Plus in AWS Marketplace.

.

.

Red Hat – AWS Partner Spotlight

Red Hat is an AWS Specialization Partner that provides added security, reporting, analytics, and technical support to help organizations scale their automation programs. Together, Red Hat and AWS offer you the tools to reduce complexity, innovate faster, and scale your infrastructure in any direction.

Contact Red Hat | Partner Overview | AWS Marketplace