AWS Partner Network (APN) Blog

How Cloudanix Secures Containerized Applications Running on Amazon EKS

By Sujay Maheshwari, Co-Founder and Technology Head – Cloudanix
By Purushottam, Co-Founder and CTO – Cloudanix
By Bharath S, Sr. Partner Solutions Architect – AWS


Conventionally, Kubernetes security has been approached in a fragmented manner, with separate focuses on the container lifecycle from code build to runtime. This includes container image vulnerability scanning, runtime security, and misconfiguration checks.

Unfortunately, this disjointed strategy prevents practitioners from gaining a complete understanding of their Kubernetes security, as it overlooks the vital connections between security considerations at various stages of the lifecycle. This lack of integration can result in missed opportunities to identify potential vulnerabilities that could later evolve into production runtime threats.

An interconnected approach becomes essential when addressing these challenges. It’s important to acknowledge the intricate relationships between different security stages, enabling a thorough grasp of security implications throughout the entire Kubernetes lifecycle. By doing so, you can facilitate a proactive and synchronized response to emerging threats, ensuring a more robust and effective security posture.

In this post, we will explore how Cloudanix contributes to enhancing the security of a Kubernetes environment in a comprehensive manner. Rather than treating security as separate and disconnected components, Cloudanix enables a cohesive approach by establishing interconnected layers of safeguarding workloads.

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service to run Kubernetes in the AWS cloud and on-premises data centers. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services.

Cloudanix is an AWS Partner and AWS Marketplace Seller that’s on a mission to maximize return on investment (ROI) of your security stack by giving you one platform instead of multiple different solutions and products.

Safeguarding Containerized Environments

Kubernetes security can be broken down into several key areas to ensure a robust and protected environment:

  • Image security: This involves ensuring the security of the container images your applications run on. It includes practices like scanning images for vulnerabilities, regularly updating base images and dependencies, using trusted sources, and adhering to best practices when creating Dockerfiles.
  • Image repository security: Securing your image repositories involves implementing access controls and authentication mechanisms to prevent unauthorized access or tampering of container images. Properly configuring and securing your image registry such as Amazon Elastic Container Registry (Amazon ECR) is crucial.
  • Kubernetes misconfiguration: Misconfigurations can lead to security vulnerabilities. This area focuses on setting up and maintaining your Amazon EKS cluster securely. It includes practices like applying the principle of least privilege, using role-based access control (RBAC) effectively, disabling unnecessary APIs, and following Kubernetes’ security recommendations.
  • Runtime security: Once your containers are running in the EKS cluster, securing the runtime environment is essential. Implementing network policies to control communication between pods, using Kubernetes’ native security features like pod security policies, and monitoring for any unauthorized or suspicious activities all fall under runtime security.

Cloudanix Integrations

Cloudanix enables you to implement a holistic Kubernetes security strategy, from build time to runtime, ensuring a resilient environment with reduced attack surface, enhanced compliance, and swift incident response.

  • Build time: Image scanning as part of CI/CD pipeline prevents vulnerabilities from getting pushed to image repositories. This ensures only secure and trusted images are deployed to your Kubernetes cluster, minimizing the risk of running containers with known vulnerabilities.
  • Registry: Continuous image registry scanning ensures only secure images are deployed and that newly disclosed (zero-day) vulnerabilities do not go unnoticed. This means even after deploying the application, you can stay vigilant about the security of your container images and address new vulnerabilities as they are discovered.
  • Misconfiguration: Continuous monitoring of misconfigurations enables organizations to discover and remediate them before bad actors can exploit them. Misconfigurations are a significant source of security risks in Kubernetes environments, and by ensuring correct RBAC, network policies, encrypted communication, and properly configured secrets you can minimize the risk of unauthorized access and data breaches.
  • Runtime: Runtime threat detection keeps a watchful eye on the Kubernetes cluster, complementing other security layers and allowing organizations to address threats as soon as they occur. Cloudanix leverages eBPF (Extended Berkeley Packet Filter) to gain deep insights into your cluster’s behavior. This allows you to perform low-level system tracing and provides a real-time view of network activity, process executions, and other runtime activities.

This interdependence creates a robust security posture that bolsters the overall resilience of your Kubernetes environment. Adopting a comprehensive Kubernetes security approach in your AWS environment offers numerous benefits, including:

  • Reduced attack surface: By scanning container images, you can eliminate vulnerabilities at their source, reducing the potential attack surface for adversaries.
  • Enhanced compliance: Meeting regulatory requirements and industry standards becomes more manageable as you implement robust security practices throughout your Kubernetes workflow.
  • Improved incident response: Runtime threat detection empowers you to respond swiftly to potential security incidents and mitigate their impact.
  • Enhanced customer trust: Prioritizing security in your Kubernetes environment demonstrates your commitment to safeguarding customer data and builds trust among your users.

Comprehensive Threat Detection and Analysis

Cloudanix offers integrations throughout every stage of the Kubernetes lifecycle, including vulnerability scanning of images at build time, achieved through plugins within the CI/CD pipeline. Presently, these plugins cover platforms such as GitHub Actions, Bitbucket Pipelines, Jenkins Plugins, and more.

As a component of this comprehensive integration, users have the capability to visually identify vulnerabilities within images and prevent the distribution of compromised images to image repositories. This pertinent data is accessible both within the pipeline itself and on the Cloudanix dashboard.

Cloudanix empowers continuous security with agentless registry scanning, Cron job misconfiguration monitoring, and real-time threat detection for swift triage and remediation.

  • The Cloudanix dashboard provides continuous registry scanning through an agentless approach, enabling the correlation and enrichment of image security status. The results are visually displayed for easy comprehension.
  • To ensure ongoing vigilance against misconfigurations, a Cron job is employed within the cluster. This job, integrated through Helm charts and equipped with resource limits, actively monitors for any misconfigurations without disrupting existing workloads.
  • Powered by an eBPF engine, runtime threat detection operates as a DaemonSet on each node. This engine listens to, analyzes, and monitors system-level activities. Any potentially threatening or malicious activity is flagged immediately and is viewable on the Cloudanix dashboard. Real-time notifications alert users, facilitating prompt triage and remediation.


Figure 1 – Cloudanix container security platform architecture.

Let’s see how Cloudanix uses AWS services for end-to-end Kubernetes security:

  • Git plugins scan for image vulnerabilities: Git plugins are integrated into the CI/CD pipeline to enhance security and are used to examine Docker images for potential vulnerabilities and weaknesses. Scan results are generated and reported within the Git pipeline itself, allowing developers to receive early feedback on image security. Simultaneously, the identified vulnerabilities are sent to the threat detection engine, a central component responsible for aggregating and analyzing security-related data.
  • Image registry scanner conducts vulnerability scans: The Amazon ECR Scanner is a serverless AWS Lambda function designed to perform vulnerability scans on Docker images. This process is agentless, meaning it doesn’t require any additional software within the images. The Lambda function focuses on images stored in Amazon ECR, systematically assessing them for potential security flaws. As in the previous step, scan findings are relayed to the threat detection engine, which consolidates the security information for comprehensive analysis.
  • Cloudanix workloads report findings: Cloudanix operates using scheduled tasks known as Cron jobs, together with DaemonSets. These run within the Kubernetes environment, continuously monitoring and collecting security-related data from various workloads. The gathered findings are forwarded to Amazon API Gateway for initial processing.
  • Monitoring API gateway directs data to Amazon Kinesis: The monitoring API gateway acts as an intermediary, receiving the incoming security-related messages from Cloudanix. Subsequently, these messages are streamed and directed to Amazon Kinesis Data Streams which prepares the data for further processing, ensuring it’s available for analysis in real-time.
  • Aggregation of vulnerability findings and threat analysis: This step involves the amalgamation of various security findings from distinct sources. Vulnerabilities identified during the build process, image repository scans, Kubernetes configuration checks, and runtime assessments are combined. Cloudanix takes on the crucial role of analyzing, correlating, categorizing, and prioritizing these findings. To aid in its analysis, the threat detection engine leverages resource metadata from a Neo4j graph database, enhancing the contextual understanding of potential threats. Once the analysis is complete, the engine shares the results with Cloudanix and makes the insights accessible.
  • Security team interaction and dashboard usage: The Cloudanix dashboard serves as the primary interface for security teams and DevOps personnel. Security experts can access the dashboard to review consolidated findings and gain valuable insights into the security posture of the environment. Findings are presented in a coherent manner, allowing security teams to collaborate with DevOps to prioritize and address identified vulnerabilities effectively. This collaborative approach ensures security concerns are addressed and the overall security stance of the system is enhanced.

Prerequisites

For a successful integration, the following components are needed:

  • AWS account with following services:
    • Amazon ECR set up and configured
    • AWS Key Management Service (AWS KMS) integrated with ECR
  • GitHub pipeline integration with ECR
  • Amazon EKS cluster set up with CI/CD pipeline
  • Docker Hub account
  • GitHub account with source code repository
  • Cloudanix account

Establishing AWS Account Connectivity

You can boost Kubernetes security effortlessly with Cloudanix in four easy steps. First, connect the AWS account securely using a simple AWS CloudFormation template. Then, seamlessly scan images during the build process with image scanner GitHub Actions. Next, enhance vigilance by adding misconfiguration and runtime threat detection. Lastly, get clear security insights on the user-friendly Cloudanix dashboard for smart decision-making.

Step 1: Connect AWS Account via AWS CloudFormation

Initiate the integration by setting up a CloudFormation stack within Cloudanix. Configure a read-only IAM role, granting secure access to your AWS resources. This pivotal connection ensures Cloudanix can glean valuable insights for robust security analysis, fortifying your Kubernetes environment.


Figure 2 – Cloudanix platform AWS integration.

Step 2: Integrate Build Time Image Scanning

Incorporate build time image scanning effortlessly by crafting a workflow file for seamless integration with the image scanner GitHub Action. Populate the file with crucial parameters: CLOUDANIX_API_ENDPOINT, CLOUDANIX_AUTHZ_TOKEN, and CLOUDANIX_IDENTIFIER, empowering the process with vital security context. This cohesive integration ensures each image undergoes rigorous scrutiny, enhancing your overall security stance.


Figure 3 – Cloudanix’s build time image scanning.
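To make the build-time step concrete, here is an added GitHub Actions workflow that is not from the original post or from Cloudanix. It builds the image, runs the scan step with the three parameters named above supplied from GitHub encrypted secrets rather than committed in the workflow, and only then authenticates to Amazon ECR and pushes, so a failed scan stops the image from ever reaching the registry. The action reference `cloudanix/image-scanner-action@v1` and its `image` input are placeholders to be replaced with the values from the Cloudanix documentation; the IAM role ARN, region, and image name are assumptions. `actions/checkout`, `aws-actions/configure-aws-credentials`, and `aws-actions/amazon-ecr-login` are the standard actions.

```yaml
# Added example workflow: build -> scan -> push to ECR only if the scan passes.
name: build-scan-push

on:
  push:
    branches: [main]

permissions:
  id-token: write   # OIDC federation to AWS; no long-lived access keys in secrets
  contents: read

env:
  IMAGE_NAME: app               # assumed image name
  IMAGE_TAG: ${{ github.sha }}  # immutable tag per commit

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image locally (nothing is pushed yet)
        run: docker build -t "${IMAGE_NAME}:${IMAGE_TAG}" .

      - name: Scan image with Cloudanix
        # PLACEHOLDER: substitute the action reference and input names from the Cloudanix docs.
        uses: cloudanix/image-scanner-action@v1
        env:
          # The three parameters from Step 2, read from repository secrets.
          CLOUDANIX_API_ENDPOINT: ${{ secrets.CLOUDANIX_API_ENDPOINT }}
          CLOUDANIX_AUTHZ_TOKEN: ${{ secrets.CLOUDANIX_AUTHZ_TOKEN }}
          CLOUDANIX_IDENTIFIER: ${{ secrets.CLOUDANIX_IDENTIFIER }}
        with:
          image: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}   # assumed input name

      # Steps below run only if every previous step succeeded, including the scan.
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-ecr-push   # placeholder ARN
          aws-region: us-east-1                                              # assumed region

      - name: Log in to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Tag and push the scanned image
        run: |
          REGISTRY="${{ steps.ecr.outputs.registry }}"
          docker tag "${IMAGE_NAME}:${IMAGE_TAG}" "${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
          docker push "${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
```

The ordering is the point: the ECR login and push are placed after the scan so that a failing scan step fails the job before any credentials for the registry are even obtained, and the OIDC role used for the push can be scoped to `ecr:PutImage` on the one repository rather than broad registry access.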

Step 3: Integrate Misconfiguration and Runtime Threat Detection

Effortlessly incorporate the misconfiguration and runtime threat detection module from the Workloads page. Begin by adding the Helm repository, followed by a streamlined chart installation with essential parameters: authToken, accountId, clusterIdentifier, and clusterDomain. This seamless integration empowers your security infrastructure to actively detect and mitigate potential threats, fostering a resilient cloud environment.

Step 4: Unveil Security Findings on the Cloudanix Dashboard

Effectively visualize the identified findings through an intuitive and informative presentation on the Cloudanix dashboard. This visual representation provides a comprehensive overview of security insights, aiding in swift understanding and informed decision-making. The Cloudanix dashboard serves as a focal point for actionable data, enhancing your ability to prioritize and address potential vulnerabilities.


Figure 4 – Cloudanix security dashboard.

Configuring Parameters

Fine-tune your security strategy by configuring tailored alerts for findings within the Alerts section of your linked AWS account in Cloudanix. Customize alerts to your preference, choosing from a variety of channels such as email (default), Slack, Teams, PagerDuty, and Webhooks. This versatile alert configuration empowers you to stay informed across multiple platforms, ensuring rapid response to emerging security insights.

Conclusion

In this post, we emphasized the significant value that comes with a comprehensive approach to securing Kubernetes. This involves integrating security measures at every stage of the Kubernetes lifecycle.

Ensuring the security of Kubernetes within AWS environments isn’t a one-time task; it’s an ongoing effort aimed at safeguarding workloads against potential threats. By adopting a holistic security strategy that begins with image scanning in your CI/CD pipeline, extends to image registry scanning, and encompasses runtime threat detection within the cluster, you can establish multiple layers of defense against security vulnerabilities.

The advantages of a robust Kubernetes security plan extend beyond risk mitigation. It fosters trust among customers and stakeholders, enhances compliance with regulations, and bolsters your organization’s overall security posture. Security is a shared responsibility, and continuous education and awareness among teams are crucial for maintaining a security-first mindset.

Adhering to best practices, staying updated on the latest security developments, and leveraging AWS-native security services enables you to embrace Kubernetes in your AWS environment. Remember, security shouldn’t be an afterthought but an integral component of your journey to success in the realm of cloud-native operations. Embrace it, and your Kubernetes workloads will thrive securely on AWS.



Cloudanix – AWS Partner Spotlight

Cloudanix is an AWS Partner that’s on a mission to maximize ROI of your security stack by giving you one platform instead of multiple different solutions and products.

Contact Cloudanix | Partner Overview | AWS Marketplace