Securing Kubernetes Everywhere with EKS Anywhere
AWS has taken a major step toward reducing the management complexity of Kubernetes and simplifying deployment across on-premises data centers and public cloud with the general availability of EKS Anywhere. Aqua has worked to ensure that customers can take advantage of EKS Anywhere with holistic Kubernetes-native security and advanced Kubernetes runtime protection for the applications deployed on managed clusters.
The EKS managed Kubernetes service reduces the complexity of maintaining Kubernetes environments, and now gives customers more flexibility to decide where to run their Kubernetes workloads based on their business needs, regulatory or data privacy requirements, and performance objectives.
In support of the GA release, we have validated that our controls enforce and monitor comprehensive security and assurance policies as customers expand their Kubernetes footprint, provide consolidated visibility into risks across their Kubernetes clusters, and ensure protection at runtime for non-compliant workloads.
Aqua helps DevOps and security teams to centrally define how to protect and ensure compliance for Kubernetes infrastructure and workloads, and then enforce, maintain, monitor, and update those policies in hybrid deployments.
In turn, security teams can leverage visibility into all clusters and the workloads running on them with our Risk Explorer functionality for visualizing and quickly assessing risk mitigation priorities – supplemented with ongoing threat and vulnerability updates from our Team Nautilus research team.
Aqua’s robust open source portfolio, including kube-bench, kube-hunter, Starboard, and Trivy, can help DevOps teams establish consistent Kubernetes-native security toolkits for on-premises development and then easily migrate to production on the cloud using commercial software.
Why EKS Anywhere?
According to Gartner, more than 85% of global organizations will be running containerized applications in production by 2025, which is a significant increase from fewer than 35% in 2019. Increasingly, the orchestration platform of choice for these containerized applications is Kubernetes.
As enterprises adopt Kubernetes as the platform for cloud native application orchestration, the value of a managed Kubernetes service such as Amazon EKS quickly becomes apparent in reducing the amount of time and expertise required to manage Kubernetes clusters.
EKS has addressed that need for customers deploying in the public cloud, but enterprises may prefer to deploy Kubernetes in on-premises data centers – and still want to take advantage of a managed service. EKS Anywhere can also serve as a valuable tool to enable workload migration to the cloud.
In addition to data sovereignty concerns, enterprises will want to deploy applications in on-premises data centers for lower latency or to maximize their investments in their data center infrastructure.
Built on EKS-Distro components (for which we announced support in December last year), EKS Anywhere will initially support clusters running on VMware vSphere, with bare metal support on the roadmap.
Advanced Kubernetes security for scale and automation
EKS Anywhere tooling helps to create the EKS clusters, configure the operating environment, update software, and handle backup and recovery, but customers are still responsible under the cloud services shared responsibility model for securing the applications that run on EKS and their implementations.
Although EKS Anywhere can make management of the clusters less challenging, the question of securing how Kubernetes namespaces, pods, and clusters communicate and access shared resources still looms. Plus, ensuring that platform and application teams have consistency and full visibility across environments for configurations and settings to meet internal policies and security best practices can be a challenge.
Aqua’s Kubernetes Security solution takes into account the full lifecycle of applications running on Kubernetes, securing them at both the workload and infrastructure levels. It leverages native Kubernetes capabilities such as admission controllers where it makes the most sense and augments them with more stringent controls and policy management made for security teams with no Kubernetes expertise required.
For security teams with new responsibility for Kubernetes infrastructure and workloads, getting up to speed in understanding the threat landscape of Kubernetes can also be a challenge.
This is where Aqua comes in with our comprehensive set of Kubernetes native capabilities and Kubernetes Security Posture Management (KSPM), which allows for centralized management of EKS clusters, consistent assurance policies, and the ability to block non-compliant EKS workloads via our Kube Enforcer capabilities, whether on-premises or in the public cloud.
These capabilities incorporate functionality from Aqua’s open source projects for cluster pen testing, CIS benchmark validation, and Kubernetes security risk reporting, which have quickly become industry standards, as well as ongoing updates from the Team Nautilus research team.
Aqua provides a comprehensive Kubernetes-native platform for securing EKS deployments and applications built and deployed on them:
Maintain Kubernetes Security Posture Management (KSPM) for OS hardening, config security & compliance (including CIS Benchmarks and best practices) via kube-bench
Eliminate misconfiguration risks & block non-compliant images at the outset with OPA-based Assurance Policies and Admission Controllers
Ensure least-privilege access for DevOps with Kubernetes Roles & Subjects Assessment
Enforce EKS and EKS Anywhere workload runtime protection with Kube Enforcer, integrated Starboard continuous scanning and Drift Prevention for container immutability
Maintain dynamic visibility for DevSecOps into active Kubernetes clusters and associated risks with Aqua Risk Explorer
Integrate Aqua with AWS CloudWatch for EKS logging, forensics, and audits, including Kubernetes-native visibility and runtime policy enforcement
Leverage the AWS CloudFormation Public Registry to deploy Aqua Kube Enforcers after EKS cluster creation, securing the cluster before any apps are deployed
Aqua’s pioneering approach to effectively tackling misconfigurations, obscured visibility, security best practice knowledge gaps, and enforcement of least privilege access, and to delivering the most accurate evaluation of workload security compliance, will help enterprises manage and tackle the risks of their cloud native environments – wherever Kubernetes infrastructure is deployed.