Tag: security

How Snap Inc. secures its services with Amazon EKS

How Snap Inc. secures its services with Amazon EKS

Introduction Snapchat is an app that hundreds of millions of people around the world use to communicate with their close friends. The app is powered by microservice architectures deployed in Amazon Elastic Kubernetes Service (Amazon EKS) and datastores such as Amazon CloudFront, Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, and Amazon ElastiCache. This post […]

Securing API endpoints using Amazon API Gateway and Amazon VPC Lattice

Introduction In microservices architectures, teams often build and manage internal applications that they expose as private API endpoints and publicly expose those endpoints through a centralized API gateway where security protections are centrally managed. These API endpoints allow both internal and external users to leverage the functionality of those applications. The separation of concerns between […]

Using SBOM to find vulnerable container images running on Amazon EKS clusters

Introduction When you purchase a packaged food item in your local grocery store, you probably check the list of ingredients written to understand what’s inside and make sure you aren’t consuming ingredients inadvertently that you don’t want to or are known to have adverse health effects. Do you think in a similar way when you […]

Announcing additional Linux controls for Amazon ECS tasks on AWS Fargate

Introduction An Amazon Elastic Container Service (Amazon ECS) task is a number of co-located containers that are scheduled on to AWS Fargate or an Amazon EC2 container instance. Containers use Linux namespaces to provide workload isolation—and with namespaces—even though containers are scheduled together in an Amazon ECS task, they’re still isolated from each other and […]

Shift left to secure your container supply chain

Introduction When we talk about securing container solutions, most of the focus is on securing the orchestrator or the infrastructure that the orchestrator runs on. However, at the heart of your container solutions are the containers themselves. In this post, we show you how we ensured that before we even push a container into our […]

How to establish private connectivity for ECS Anywhere

Introduction In 2014, AWS announced Amazon Elastic Container Service (Amazon ECS), a fully managed service that helps you orchestrate, deploy, and scale containerized applications. Although Amazon ECS serves a wide variety of customers from different segments, sizes, and verticals, there are cases where the applications need to run locally. For example, this often occurs in […]

Validating Amazon EKS optimized Bottlerocket AMI against the CIS Benchmark

Introduction As Kubernetes adoption grows, many organizations are choosing it as their platform to build and host their modern and secure applications. Security is one of the primary design criteria for many workloads, especially those dealing with sensitive data such as financial data processing. These workloads have a stringent requirement to adhere to various security […]

Implementing Pod Security Standards in Amazon EKS

Implementing Pod Security Standards in Amazon EKS

Introduction Securely adopting Kubernetes includes preventing unwanted changes to clusters. Unwanted changes can disrupt cluster operations and even compromise cluster integrity. Introducing pods that lack correct security configurations is an example of an unwanted cluster change. To control pod security, Kubernetes provided Pod Security Policy (PSP) resources. PSPs specify a set of security settings that […]

Secure AWS Bottlerocket deployments on Amazon EKS with KubeArmor

Secure Bottlerocket deployments on Amazon EKS with KubeArmor

Introduction Bottlerocket is a security focused operating system (OS) image that provides out-of-the-box security options to protect host or worker nodes. While Bottlerocket is useful, the security of the pods and the containers is still the responsibility of the application developer or provider. KubeArmor, a CNCF (Cloud Native Computing Foundation) sandbox project, is a runtime […]

Understanding and Cost Optimizing Amazon EKS Control Plane Logs

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed container service that provides a highly available single-tenant control plane to run and scale Kubernetes applications in the cloud or on-premises. Logs are an important way to debug problems, audit cluster activities, and monitor the health of your application. Kubernetes logging can be divided into control […]