Integration & Automation

Automate security scans on Amazon EKS with Kubescape, AWS CodeBuild, and AWS CodePipeline

As organizations increasingly adopt Amazon Elastic Kubernetes Service (Amazon EKS) to manage their containerized applications, implementing robust security measures and maintaining compliance become critical. The scalable and flexible nature of Amazon EKS has made it a popular choice for businesses seeking to streamline their application deployment and management processes. However, with this adoption comes the need to prioritize security and compliance, protecting sensitive data, infrastructure, and adhering to industry regulations and standards. Security and compliance should be top priorities for any organization, regardless of size or industry. In today’s digital landscape, where security challenges continuously evolve and regulatory requirements become more stringent, robust security measures and compliance are important to address security issues.

Security frameworks provide organizations with a structured approach to meet compliance requirements. By aligning their security practices with these industry-recognized standards, businesses can address potential issues and demonstrate their commitment to protecting sensitive information. Although implementing security measures and maintaining compliance is vital, doing so in a scalable and efficient manner is equally important. As businesses grow and their infrastructure expands, manually managing security checks, scans, and compliance audits can become increasingly complex. Automation streamlines security and compliance processes, enabling consistent and reliable checks across the entire Amazon EKS infrastructure.

In this post, we explore how to automate security scans and compliance checks on Amazon EKS using Kubescape, AWS CodeBuild, and AWS CodePipeline. With these tools, organizations can establish a seamless and scalable security and compliance workflow, continuously monitoring EKS clusters, addressing potential issues, and aligning with industry standards and regulations.

Understanding compliance requirements

For security professionals, achieving expertise in Amazon EKS compliance involves implementing robust identity and access management, network security measures, data protection mechanisms, and comprehensive monitoring and logging. By using automation tools and establishing a continuous compliance program, organizations can streamline compliance efforts, maintain audit readiness, and proactively address emerging issues and regulatory changes. Ultimately, understanding and adhering to Amazon EKS compliance requirements is essential for safeguarding critical infrastructure, validating data privacy, and maintaining a strong security posture in the cloud.

Security frameworks based on NSA (National Security Agency) guidelines, MITRE, Center for Internet Security (CIS-EKS-1.2.0), and NIST provide organizations with a structured approach to meeting security and compliance needs. The NSA guidelines offer best practices for securing systems and networks, and the MITRE framework provides a comprehensive methodology for identifying and addressing challenges. The CIS-EKS-1.2.0 benchmark specifically addresses security best practices for EKS clusters, validating that organizations follow industry-recognized standards. Additionally, the NIST framework provides organizations with a comprehensive security approach that encompasses identifying potential security issues, implementing protective measures, detecting security events, responding to incidents in a timely manner, and establishing recovery processes to mitigate the impact of security issues.

AWS Shared Responsibility Model

The AWS Shared Responsibility Model outlines the division of responsibilities between AWS and its customers when it comes to security and compliance for services like Amazon EKS. This model is based on the principle of shared accountability, where AWS handles the security of the cloud infrastructure, while customers are responsible for securing their workloads and configurations within the cloud environment.

AWS takes care of protecting the underlying infrastructure that powers the services offered in the AWS Cloud. Specifically for Amazon EKS, AWS maintains the security of the Kubernetes control plane, including the control plane nodes and the etcd database. Amazon EKS is certified by multiple compliance programs for regulated and sensitive applications. The effectiveness of the security controls is regularly tested and verified by third-party auditors as part of the AWS compliance programs.

Customers are accountable for the security and compliance of the systems and services they configure and deploy on AWS. In the context of Amazon EKS, customers are responsible for securely deploying, configuring, and managing their workloads within their EKS cluster. This encompasses validating the security of worker nodes, network configurations, access controls, and implementing continuous monitoring and compliance checks. The Shared Responsibility Model emphasizes the collaborative nature of maintaining a secure and compliant environment. Although AWS provides a secure and compliant infrastructure, customers play a crucial role in securing their configurations and workloads running on top of that infrastructure. By fulfilling their respective responsibilities, AWS and its customers can work together to achieve a robust security and compliance posture for containerized applications running on Amazon EKS.

Understanding compliance frameworks from NSA, MITRE, and CIS

Let’s explore the compliance frameworks from NSA, MITRE, and CIS in more detail:

  • NSA (National Security Agency)NSA is a US government agency focused on national security through signals intelligence and cybersecurity. It provides security guidance and cryptographic standards to protect sensitive government data and national security systems. NSA’s guidelines for secure container deployment provide a comprehensive framework for organizations to follow best practices and maintain the security of their containerized environments, including Amazon EKS.
  • MITREMITRE is a nonprofit organization that operates federally funded research and development centers (FFRDCs) to provide technical expertise in various fields, including security. It is known for creating the MITRE framework, a comprehensive knowledge base of adversary tactics and techniques used to improve issue detection strategies. MITRE collaborates with government, industry, and academia to address complex security challenges and advance cybersecurity innovation. Its work helps organizations enhance their ability to identify, prevent, and respond to cyber threats.
  • CIS (Center for Internet Security) CIS is a non-profit organization dedicated to enhancing the cybersecurity readiness and response of public and private sector entities. The CIS Benchmarks are widely recognized as industry-leading best practices for secure configuration of various systems, including Kubernetes clusters. Implementing these benchmarks can significantly harden EKS clusters.

Importance of NSA, MITRE, and CIS for Amazon EKS

NSA, MITRE, and CIS offer the following benefits when used with Amazon EKS:

  • Compliance and regulatory requirements – Adhering to industry standards and best practices, such as those provided by NSA and CIS, is crucial for meeting regulatory requirements and validating data protection and security. Organizations operating in regulated industries or handling sensitive data can use these frameworks to demonstrate compliance and maintain a robust security posture.
  • Risk identification and mitigation – The MITRE framework empowers organizations to proactively identify and mitigate potential issues in their Amazon EKS environments. By understanding the tactics and techniques used by adversaries, security teams can implement effective countermeasures and stay ahead of evolving issues.
  • Hardening and secure configuration – Implementing CIS Benchmarks for secure configuration of EKS clusters is essential for reducing the issues and minimizing unintended access. These benchmarks provide detailed guidelines for configuring various components of the Kubernetes ecosystem, validating a hardened and secure deployment.
  • Continuous monitoring and improvement – Using the frameworks provided by NSA, MITRE, and CIS enables organizations to establish a continuous monitoring and improvement process for their Amazon EKS security posture. Regular assessments and adaptations to evolving issues make sure security measures remain effective and up to date.

Solution overview

As Kubernetes environments increase in complexity, it’s essential to have robust security measures in place to mitigate potential issues and unintended access. Kubescape, an open source tool, emerges as a solution for securing EKS clusters. It empowers security professionals to scan for misconfigurations, identify unintended access, and implement best practices for hardening their Amazon EKS deployments. With Kubescape, organizations can proactively address security concerns, validating the resilience and compliance of their cloud-based applications.

The following diagram illustrates the architecture for automating the security scanning process for EKS clusters to enhance security governance and operational insights.

Architecture diagram

The workflow starts with an end-user triggering CodePipeline, a continuous integration and delivery (CI/CD) service that manages the steps of the security scan. Upon initiation, CodeBuild is called to run a job that handles the execution of the scanning process. During the build phase, Kubescape, an open source security tool, is used to scan the EKS cluster. When the scan is complete, the results are automatically stored in an Amazon Simple Storage Service (Amazon S3) bucket. After the scan, organizations can use the results to understand their security posture, potentially stop deployments if critical issues are detected, and visualize the identified issues from a central location. Additionally, organizations can create issues in a tracking system like Jira to generate tickets for remediation, streamlining the process of addressing identified security concerns.

In the following sections, we provide sample code to automate security scans and compliance checks on your EKS clusters using Kubescape, CodeBuild, and CodePipeline.

Prerequisites

To follow along with this post, you should have an active EKS cluster. Make sure your EKS cluster is set up with the necessary AWS Identity and Access Management (IAM) access configurations.

Additionally, you should have an active CodePipeline workflow ready for your CI/CD workflows with following sample IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/codebuild/{PROJECT_NAME}",
        "arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/codebuild/{PROJECT_NAME}:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::{BUCKET_NAME}*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
      ],
      "Resource": [
        "arn:aws:codebuild:{REGION}:{ACCOUNT_ID}:report-group/{PROJECT_NAME}-*"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::{BUCKET_NAME}",
      "Effect": "Allow"
    },
    {
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": "arn:aws:codebuild:{REGION}:{ACCOUNT_ID}:report-group/{PROJECT_NAME}",
      "Effect": "Allow"
    },
    {
      "Action": [
        "eks:DescribeCluster",
        "eks:DescribeNodegroup"
      ],
      "Resource": "arn:aws:eks:{REGION}:{ACCOUNT_ID}:cluster/{CLUSTER_NAME}",
      "Effect": "Allow"
    }
  ]
}

Automate security scans and compliance checks

The following is a sample buildspec file that you can use to efficiently set up and install Kubescape within your CodeBuild project:

version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.8
    commands:
      - echo "====== Kubescape Installation ======"
      - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
  build:
    commands:
      - kubescape list frameworks
      - echo "====== Kubescape Scan - CIS Benchmark Framework ======"
      - kubescape scan framework cis-eks-t1.2.0
      - echo -e "\n\n====== Kubescape Scan - NSA Framework ======\n"
      - kubescape scan framework nsa
      - echo -e "\n\n====== Kubescape Scan - MITRE Framework ======\n"
      - kubescape scan framework mitre
      - echo -e "\n\n====== Kubescape Scan - Specific Namespaces development ======\n"
      - kubescape scan --include-namespaces development
  post_build:
    commands:
artifacts:
  files:
      - '**/*'

The following command instructs Kubescape to perform a security scan on an EKS cluster using the CIS Kubernetes Benchmark version 1.2.0. This benchmark provides a set of best practices and security guidelines specifically tailored for Kubernetes, validating that the cluster is configured securely according to industry standards.

$ kubescape scan framework cis-eks-t1.2.0

The following is an example of the expected output:

──────────────────────────────────────────────────
Framework scanned: cis-eks-t1.2.0

┌─────────────────┬────┐
│        Controls │ 53 │
│          Passed │ 4  │
│          Failed │ 24 │
│ Action Required │ 25 │
└─────────────────┴────┘

Failed resources by severity:

┌──────────┬────┐
│ Critical │ 0  │
│     High │ 23 │
│   Medium │ 22 │
│      Low │ 4  │
└──────────┴────┘

The following command instructs Kubescape to perform a security scan on your Kubernetes cluster using the NSA framework. This framework provides security guidelines and best practices specifically recommended by the NSA for securing Kubernetes clusters, focusing on hardening configurations to prevent potential unintended access.

$ kubescape scan framework nsa

The following is an example of the expected output:

──────────────────────────────────────────────────
Framework scanned: NSA
┌─────────────────┬────┐
│        Controls │ 25 │
│          Passed │ 9  │
│          Failed │ 11 │
│ Action Required │ 5  │
└─────────────────┴────┘
Failed resources by severity:
┌──────────┬────┐
│ Critical │ 0  │
│     High │ 3  │
│   Medium │ 14 │
│      Low │ 2  │
└──────────┴────┘

The following command directs Kubescape to perform a security scan on your Kubernetes cluster using the MITRE framework. This framework is based on the MITRE ATT&CK, which categorizes tactics and techniques used by adversaries during security events. The scan helps identify potential unintended access and security weaknesses in your cluster by comparing it against known issues patterns and techniques, allowing for improved security posture.

$ kubescape scan framework mitre

The following is an example of the expected output:

──────────────────────────────────────────────────
Framework scanned: MITRE
┌─────────────────┬────┐
│        Controls │ 27 │
│          Passed │ 11 │
│          Failed │ 11 │
│ Action Required │ 5  │
└─────────────────┴────┘
Failed resources by severity:
┌──────────┬────┐
│ Critical │ 0  │
│     High │ 1  │
│   Medium │ 10 │
│      Low │ 3  │
└──────────┴────┘

More security best practices

Beyond the basics, several good practices can further improve the security of your Amazon EKS environment. These include implementing IAM roles for service accounts (IRSA) for least privilege access control, integrating AWS Secrets Manager with AWS Secrets and Configuration Provider (ASCP) for secure handling of sensitive data, enabling Amazon GuardDuty for proactive threat detection, enforcing Pod Security Standards (PSS), and using Kyverno policies to maintain secure and consistent configurations across the cluster.

One of the fundamental principles of securing your EKS cluster is implementing least privilege access. By using role-based access control (RBAC), you can limit access to resources and namespaces within your cluster, validating that only authorized users and services have the necessary permissions. This approach minimizes the issues of unintended access and potential misuse of resources.

Implementing IRSA is a powerful technique that simplifies authentication and authorization within your EKS cluster. IRSA allows you to associate an IAM role with a Kubernetes service account, granting fine-grained permissions to your workloads. This approach reduces the need for sharing credentials across multiple pods, reducing the issues of credential exposure. Enabling IRSA is straightforward and provides a secure and scalable authentication mechanism for your EKS cluster.

For more information on fine-grained IAM roles for service accounts, see Introducing fine-grained IAM roles for service accounts.

Using Secrets Manager in combination with ASCP is another critical step in securing your EKS cluster. Secrets Manager provides a secure and centralized service that allows you to store and manage sensitive data, such as database credentials, API keys, and other confidential information. By integrating Secrets Manager with ASCP in your EKS cluster, you can make sure your applications can access sensitive data securely and efficiently, without exposing it in plain text or storing it in unrestricted locations. This integration enhances both security and configuration management across your cloud infrastructure.

For more details on using Secrets Manager and ASCP in Amazon EKS, see How to use AWS Secrets & Configuration Provider with your Kubernetes Secrets Store CSI driver.

Enabling GuardDuty is crucial for threat detection and monitoring within your Amazon EKS environment. GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unintended behavior. By enabling GuardDuty Protection for your EKS cluster, you can receive real-time alerts and take immediate action to mitigate potential issues, reducing the issues of data and unintended access.

For more details on detecting security issues in EKS clusters with GuardDuty, see How to detect security issues in Amazon EKS clusters using Amazon GuardDuty – Part 1. For further insights on investigating and addressing security issues using Amazon Detective, see Part 2.

Enabling Pod Security Standards (PSS) in Amazon EKS is essential for enforcing consistent security policies across your Kubernetes environment. PSS helps prevent the deployment of insecure or misconfigured pods, reducing the issues of unintended access. It restricts risky behaviors like running containers as root or allowing privileged escalation, validating only secure workloads are deployed. PSS also helps organizations meet compliance requirements by aligning with security best practices. As Amazon EKS environments grow, it automates the enforcement of security policies, simplifying management.

For more details on how to enable PSS, see Implementing Pod Security Standards in Amazon EKS.

Implementing Kyverno Policies is another powerful way to secure your EKS cluster. Kyverno is a Kubernetes policy engine that allows you to define and enforce policies across your cluster. With Kyverno, you can make sure your workloads adhere to best practices, comply with security standards, and maintain a consistent configuration throughout their lifecycle. By implementing Kyverno policies, you can prevent misconfigurations, enforce resource quotas, and restrict access to sensitive resources, enhancing the overall security posture of your EKS cluster.

For more details on managing pod security with Kyverno on Amazon EKS, see Managing Pod Security on Amazon EKS with Kyverno.

Conclusion

In this post, we discussed how to automate security scans and compliance checks on your EKS clusters using Kubescape, CodeBuild, and CodePipeline. We also covered best practices that can help protect applications and data on your EKS cluster from potential security risks. Security is an ongoing process, and it’s essential to regularly review and update your security measures to stay ahead of emerging security risks and unintended access.

If you have feedback about this blog post, use the Comments section on this page.

About the authors

Aniket DekateAniket Dekate is a Cloud DevOps Consultant. who specializes in cloud infrastructure, automation, containerization, cloud-native architectures, and generative AI applications. With a background in development and product engineering, he focuses on building resilient, scalable, and reliable cloud-native architectures, particularly in the IOT, finance, and security domains. Outside of work, he enjoys playing cricket, badminton and table tennis.

Ishwar ChauthaiwaleIshwar Chauthaiwale is a rising star in the Cloud and DevOps domain, with 7.5 years of valuable experience under his belt. As a young professional, he has quickly established himself as an expert in automation, migration, and modernization strategies for cloud environments. Ishwar’s technical acumen spans across various cloud platforms, allowing him to guide organisations through complex digital transformations with confidence and precision. His passion for innovative solutions and cutting-edge technologies has made him a go-to resource for companies looking to optimize their infrastructure and streamline their processes. Beyond his professional endeavors, Ishwar is committed to continuous learning and often participates in tech conferences and workshops to stay at the forefront of industry trends. He also dedicates time to mentoring aspiring cloud professionals, sharing his knowledge and experiences to inspire the next generation of IT experts.