AWS Partner Network (APN) Blog

Uncover Malicious Activity and Protect Amazon EKS Workloads from Network-Based Threats Using Calico Cloud

By Gokhul Srinivasan, Sr. Partner Solutions Architect, Global Startups – AWS
By Dhiraj Sehgal, Partner and Solution Marketing – Tigera

Connect with Tigera-2

Kubernetes (k8s) is a powerful and popular open-source container orchestration system for managing containerized applications. Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes offering helping Amazon Web Services (AWS) customers build enterprise-scale solution.

With Amazon EKS, developers can easily deploy, scale, and manage containerized applications across a cluster of machines. As EKS environments grow and support critical business operations, securing these environments becomes increasingly important.

Tigera’s Calico Cloud provides an active security platform with full-stack observability for containers and Kubernetes. In this post, we will explain how to uncover malicious activity and protect your workloads in Amazon EKS using Calico Cloud.

Tigera is an AWS Containers Competency Partner and AWS Marketplace Seller that prevents, detects, troubleshoots, and automatically mitigates exposure risks of security issues in the build, deploy, and runtime stages.

Enterprise Kubernetes Adoption

To reduce costs, achieve faster deployment times, and improve operational efficiencies, organizations are increasingly adopting Amazon EKS for their business-critical applications.

Organizations follow AWS Kubernetes best practices to design and operate their Kubernetes workloads, but they still require a strong security profile to protect against malicious threats, adhere to compliance, and address security policy violations. The downside associated with a security breach or compliance violation is severe, especially in regulated industries like financial services, healthcare, insurance, and telecommunications.

Microservices running as containers expand their applications attack surface. Traditional security approaches that rely on vulnerability detection and misconfigurations at container-based activities are not adequate for securing cloud-native applications, as network-based threats are important to monitor at the workload level. You need to observe and monitor Kubernetes clusters for malicious activity at the process level and network to actively manage security, compliance, and internal and external threat vectors.

To address these concerns, you need an active Kubernetes security platform that provides application control, services security, and compliance while reducing operational complexity.

Calico Cloud delivers runtime threat defense for both container-based and network-based threats for containerized workloads. It has built-in eBPF-based probes that collect workload activity data across network traffic, file system, process information, and system calls.

The threat defense engine compares data from these probes, in near real-time, with known malicious attacks based on the Mitre framework to create alerts and recommended security policies to mitigate the impact of security risk.

Network-based threats are addressed by Calico Cloud with IDS/IPS based on AlienVault and customer threat feeds, workload-centric web application firewall (WAF), anomaly detection, and deep-packet inspection.

Calico for Network-Based Threats

It’s important to understand the components of an Amazon EKS cluster and how they interact. EKS clusters consist of master nodes, responsible for managing the state of the cluster and scheduling tasks, and one or more worker nodes which run the containerized applications. The master nodes communicate with the worker nodes using the Kubernetes API, which is exposed over the network.

One of the first things to consider when securing EKS is the networking configuration. By default, the Kubernetes API is exposed on all worker nodes, which can make it vulnerable to attacks. To mitigate this risk, it’s recommended to restrict access to the Kubernetes API to specific IP addresses or CIDR ranges.

This can be achieved by configuring a network security group (NSG) on AWS, which allows you to control inbound and outbound traffic to the worker nodes. Many customers use AWS WAF that secures at the cluster and node level.

Calico Cloud protects containerized workloads at a granular container level from network-based external threats and lateral movement. This combination of AWS WAF and Calico Cloud’s workload-centric WAF, provide customers a multi-layer defense from security attack across all level.

With north-south and east-west protection support, Calico Cloud prevents malicious actors from gaining a foothold and moving laterally across Kubernetes clusters.

Unlike traditional firewalls that rely on fixed network addresses, Calico Cloud’s workload-based security controls apply security policies as code to ensure consistent, deep, and granular container-level protection across multi-cloud and hybrid environments. These security controls are provided as declarative policies, ensuring each and every workload has the same level of protection regardless of the environment.

Calico Cloud’s workload-based security for network-based known and unknown threats are:

  • Global alerts.
  • Intrusion detection and prevention.
  • Deep packet inspection.
  • Honeypods to detect and trap malicious traffic/actors/activity.
  • Protection from denial-of-service (DoS) attacks.
  • Workload-based WAF.
  • Unified cloud security that works across multi-cloud and hybrid environments.
  • Real-time view of workload communication and security gaps.
  • Security policy recommender.
  • Alert and quarantine affected workloads.

Network-Based Threat Defense for Kubernetes Workloads

Below are some of Calico Cloud’s network-based threat defense capabilities.

Global Alerts

A global alert resource represents a query that’s periodically run against data sets collected by Calico. Using Calico Cloud and global alerts together, users can monitor their services and applications in Amazon Elastic Compute Cloud (Amazon EC2) and EKS, quickly identify malicious behavior, and significantly reduce time to address the security threats.

Users can also address the following:

  • Lateral movement by the attacker in AWS deployment: Monitor all flows within your AWS or EKS cluster for threat and lateral movement detection.
  • Botnet, command and control, VPN-TOR: Ingest threat feeds in AWS environments to identify IP addresses for known bad actors such as botnets. Any ingress or egress traffic to those IPs is automatically blocked and can be configured to generate alerts. In addition, traffic to VPNs and TOR exit nodes is blocked and triggers alerts when detected.
  • Malicious DNS queries: Use suspicious domain feeds to flag any domain name service (DNS) requests to a malicious domain from your AWS or EKS based Kubernetes workload.
  • Cloud metadata API attacks: Identify workload flows that attempt to connect to cloud resources like metadata API if you’re on Kubernetes etcd or role-based access control (RBAC), where an attacker attempts to enumerate access and elevate their privileges.
  • Snort signature-based IDS for containers: Monitor traffic to the container and identify malicious traffic by utilizing snort signatures.

Calico with global alerts provides workload-centric intrusion detection system (IDS), intrusion prevention systems (IPS), and deep packet inspection (DPI) capabilities, and prevents any malicious activities in your AWS environment.

Workload-Centric IDS/IPS

Calico Cloud delivers a workload-based, feature-rich IDS/IPS solution purpose-built for Kubernetes. The IDS solution ingests threat feeds from AlienVault and custom sources to pinpoint the source of malicious activity in case of a breach. It then analyzes and blocks malicious threats based on these feeds.

You can detect when your Kubernetes clusters query DNS for suspicious domains, or communicate with suspicious IPs. You can include GlobalThreatFeed resource to add threat intelligence feeds for tracking and analysis in the user interface (UI). This allows you to proactively determine an issue, and potentially resolve problems before service levels are compromised.

Deep Packet Inspection Using Snort IDS

Calico uses Snort IDS for deep-packet inspection. The Snort IDS engine is a single-click deployment to monitor containers for malicious activity. It runs deep packet inspection (DPI) quickly in response to unusual network traffic in clusters so they can identify potential threats. It’s also critical to run DPI on select workloads to efficiently make use of cluster resources and minimize the impact of false positives.

Custom Snort signatures can be added through a ConfigMap. Once the malicious activity is detected inside container traffic, the alerts with necessary details and Kubernetes context is provided for incident response. Use Snort rule to selects all the ICMP Echo requests and responses from a container.


Calico honeypods are used to detect suspicious activity within a Kubernetes cluster. They are decoys disguised as a sensitive asset deployed at different locations in your Kubernetes cluster.

When resources make attempts to communicate with the honeypods, Calico considers it a suspicious connection and an indication the cluster may be compromised. Calico honeypods can be used to detect attacks such as data exfiltration, resources enumeration, privilege escalation, and denial of service.

Workload-Based WAF

Calico offers the ability to enable a web application firewall as an add-on to the deployment of Envoy as a daemonset. This integration leverages Modsecurity, a popular open-source WAF that provides a core rule set for the most common security risks identified by OWASP, and also enables operators to bring your own rule sets or leverage subscription-based rules. The WAF also enables users to enforce security controls on all east-west traffic.

Unified Security for Multi-Cloud and Hybrid Environments

Calico provides a unified policy framework that works across bare metal, hosts, virtual machines, and containers to enable legacy and modern environments to coexist seamlessly. With Calico, you can manage network security across all Kubernetes clusters with centralized logins, points of control, log management, troubleshooting tools, storage management, compliance reporting, and more.

Further, Calico enables users to create policies in one cluster that reference pods in another cluster using federated identity. Federated services further provide service discovery of remote pods in another cluster. Users can regain control of multi-cluster security through fine-grained controls across endpoints, tiers, and both remote and local microservices.


Calico Cloud provides a web-based UI to visualize all of the Kubernetes and cluster operations.

As shown in below, the Calico dynamic service and threat graph provides the real-time birds-eye view of cluster activity of Kubernetes objects, workload communication, policies status, end points, network sets, flow logs in tabular form, and packetcapture on graph to troubleshoot unwanted activity.


Figure 1 – Dynamic service and threat graph.

The dynamic service and threat graph provides visibility and troubleshooting, providing a point-to-point, topographical representation of workload communication within your cluster. It has a hierarchical navigation at namespaces, nodes, edges, and layer levels, thus making it easy to understand upstream and downstream dependencies with a click.

Logs (flows, DNS, and HTTP) are the foundation of security and observability in Calico. These are filtered when you select a node or edge in the graph.

Security Policy

Calico uses network policy to secure workload communication inside the Kubernetes cluster. Using policies, you control the egress and ingress traffic in your cluster so only the traffic you want to flow is allowed. Calico supports these policies:

  • Calico network policy
  • Calico global network policy
  • Kubernetes policy

Calico uses tiers to provide guardrails for managing security across teams. Policy tiers allow users with more authority to enforce network security policies that take precedence over other teams.

Using policy tiers, Calico enables teams to easily make self-service security policy changes to a cluster without the risk of overriding an existing policy. No central manager or control point is required to create, review, or approve new policies.

Deployment of new microservices along with the creation of necessary security policies is fully-automated, adding speed and predictability to the process.

Calico’s policy tiers also allow teams responsible for different focus areas in a Kubernetes cluster to categorize policies in a predefined priority order and by team function or organizational structure. The priority order takes into account where a team or policy sits within the organization’s hierarchy, enforcing the highest priority policy of the highest priority team first before moving through the remaining policies for that team and eventually moving on to the policies of the next most important team.

Flow logs provide the execution sequence of policies to help identify security gaps and audit trails.


Figure 2 – Calico policy board helps manage tiered policies.

Network sets and global network sets are Calico Cloud resources for defining IP subnetworks/CIDRs, which can be matched by standard label selectors in policy. They are a powerful feature for use/reuse and scaling policy.

Compliance dashboard and reports provide a complete inventory of regulated workloads, along with evidence of enforcement of network controls for these workloads. Additionally, audit reports are available to see changes to any network security controls.


In this post, we reviewed how Tigera’s Calico Cloud can help uncover malicious activity and protect your workloads in Amazon EKS from network-based threats. Calico Cloud offers customers a complete, active security solution to detect, monitor, and strengthen the security and operations of any container-based application.

With Calico on AWS self-managed Kubernetes and EKS, you can monitor any Kubernetes resource failed requests to Kubernetes API server, failed attempt on access management, anonymous access to k8s API server and, service account access by public IP. You can detect the attack and produce a high-value alert with information that enables the team to readily analyze the threat and prevent the attack from propagating.

To try it yourself, register for Calico Cloud in AWS Marketplace.


Tigera – AWS Partner Spotlight

Tigera is an AWS Competency Partner that prevents, detects, troubleshoots, and automatically mitigates exposure risks of security issues in the build, deploy, and runtime stages.

Contact Tigera | Partner Overview | AWS Marketplace