Securing AWS App Mesh With Aqua
We’re excited to be launch partners for AWS App Mesh, officially announced today at the Santa Clara AWS Summit. Aqua provides fine-grained protection to microservices-based applications that use AWS App Mesh, by ensuring that the microservices infrastructure conforms to the organization’s security policy, and by providing visibility and control over App Mesh network traffic.
Do Your Services “Mesh”?
Service meshes have been getting a lot of attention this past year, with Linkerd and Istio being the most well-known open source options. The benefits, explained in detail in our introduction to Istio blog, are numerous. They allow developers and SREs to set up networking rules between microservices, automatically receive telemetry, and facilitate red/black and blue/green deployments.
Using sidecar proxies abstracts the complexity of the underlying infrastructure away from the application logic. So, for developers, service meshes are a great way to express the networking needs of their applications, while operations teams enjoy better monitoring, automated resilience, and easier migrations and upgrades.
Introducing AWS App Mesh
As anyone using AWS knows, one of the benefits you get as an AWS user is the wealth of highly integrated products that work seamlessly with each other. Sure, it’s IaaS and you can bring your own database, web server, logger, whatever… but the equivalents that AWS provides are easier to deploy and manage, and are tightly integrated with your AWS account’s IAM roles, compute resources, S3 buckets, and so forth.
Enter AWS App Mesh. It is built on Envoy, the sidecar proxy container also used by Istio, so in that sense it will be interoperable with clusters that already have Envoy deployed in them. One key difference, however, is that App Mesh is an AWS managed service, which removes the configuration and operational complexity that a self-deployed service mesh like Istio would entail.
AWS App Mesh provides traffic routing controls (as you’d expect), and observability using AWS services such as X-Ray and CloudWatch, which is also possible using integrations with external tools. It can automatically reroute traffic when there are failures, load issues, or for A/B testing.
Benefits of AWS App Mesh include:
- Reducing troubleshooting time, leveraging end-to-end visibility into service-level logs, metrics and traces;
- Automating the rollout of new code by configuring new routings, facilitating blue/green deployments;
- Better resilience with custom routing rules, enabling high availability, fault tolerance, and fault testing.
How Aqua Enhances AWS App Mesh Security
Deploying Aqua in an App Mesh cluster provides fine-grained infrastructure protection. Aqua provides security controls that ensure that microservices using App Mesh are deployed securely and do not violate security policies. Aqua provides a full suite of capabilities that secure the development-to-production process so that only trusted images are deployed. It monitors for vulnerable containers, prevents image-container drift, and protects the host/node itself. Secrets are protected in transit and at rest, and are only accessible to the containers that need them. Whitelisted behavioral profiles ensure that containers cannot execute processes, access files, mount volumes, or open network connections that they’re not supposed to.
Aqua’s infrastructure protection can be expanded to cover App Mesh components, such as the Envoy proxy or virtual routes. Using Aqua’s vulnerability and malware scanning, users can verify that the Envoy image used to build the sidecar proxy doesn’t contain vulnerabilities, and that the cluster nodes aren’t contaminated by malware.
Aqua also gives users visibility into the virtual routes and lets them validate that the routes don’t violate the security policy or create potential risks (e.g. outgoing traffic to bad-reputation IPs or URLs).
All the above ensures an operationally secure environment for App Mesh deployments, so that even as new services are added to the mesh, they remain subject to the same security policy.
An interesting angle in the overall App Mesh security posture relates to network policy configuration. Unlike “classic” container deployments that rely on network plugins (e.g. Calico, Flannel) to set up cluster networking, in App Mesh networking is managed by the virtual router. Consequently, there’s a need for a network security tool that verifies that the internal routes comply with the desired network policy. Even more important than internal networking, there’s an increased need to enforce security policies on traffic that goes to external destinations. The proliferation of attempts to abuse resources for cryptocurrency mining, for example, requires strict control of outbound traffic leaving the App Mesh cluster.
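As an added example (not Aqua’s or AWS’s code), the check below walks App Mesh route definitions and the mesh’s `egressFilter` setting, in the JSON shapes the App Mesh API returns, and flags weighted targets that are not on a per-router allow-list as well as a mesh that permits traffic to leave for arbitrary external destinations. The mesh name, router names, virtual node names and the allow-list policy are all constructed for the illustration.

```python
"""Audit App Mesh routes and egress setting against a network policy (added example)."""

# Constructed sample: mesh spec as returned by describe-mesh. App Mesh's egressFilter
# defaults to DROP_ALL; ALLOW_ALL lets Envoy forward traffic to any destination outside the mesh.
MESH = {"mesh": {"meshName": "shop-mesh",
                 "spec": {"egressFilter": {"type": "ALLOW_ALL"}}}}

# Constructed sample: two routes as returned by describe-route.
ROUTES = [
    {"route": {"meshName": "shop-mesh", "virtualRouterName": "orders-router",
               "routeName": "orders-http",
               "spec": {"httpRoute": {"match": {"prefix": "/"},
                                      "action": {"weightedTargets": [
                                          {"virtualNode": "orders-v1", "weight": 90},
                                          {"virtualNode": "orders-v2", "weight": 10}]}}}}},
    {"route": {"meshName": "shop-mesh", "virtualRouterName": "payments-router",
               "routeName": "payments-http",
               "spec": {"httpRoute": {"match": {"prefix": "/"},
                                      "action": {"weightedTargets": [
                                          {"virtualNode": "debug-sidecar", "weight": 1}]}}}}},
]

# Constructed policy: which virtual nodes each virtual router may route to, and
# whether the mesh may let traffic leave for destinations outside the mesh.
POLICY = {"allowed_targets": {"orders-router": {"orders-v1", "orders-v2"},
                              "payments-router": {"payments-v1"}},
          "allow_external_egress": False}

ROUTE_KINDS = ("httpRoute", "http2Route", "grpcRoute", "tcpRoute")

def check_mesh(mesh, policy):
    """Flag a mesh whose egressFilter lets traffic leave the mesh when policy forbids it."""
    m = mesh["mesh"]
    egress = m["spec"].get("egressFilter", {}).get("type", "DROP_ALL")
    if egress == "ALLOW_ALL" and not policy["allow_external_egress"]:
        return [f"mesh {m['meshName']}: egressFilter ALLOW_ALL permits outbound traffic to external destinations"]
    return []

def check_routes(routes, policy):
    """Flag every weighted target that is not on the owning router's allow-list."""
    findings = []
    for r in routes:
        route, spec = r["route"], r["route"]["spec"]
        kind = next(k for k in ROUTE_KINDS if k in spec)  # exactly one kind per route
        allowed = policy["allowed_targets"].get(route["virtualRouterName"], set())
        for target in spec[kind]["action"]["weightedTargets"]:
            if target["virtualNode"] not in allowed:
                findings.append(f"route {route['routeName']} on {route['virtualRouterName']}: "
                                f"target {target['virtualNode']} not allowed")
    return findings

def audit(mesh, routes, policy):
    return check_mesh(mesh, policy) + check_routes(routes, policy)

if __name__ == "__main__":
    for finding in audit(MESH, ROUTES, POLICY):
        print("FINDING:", finding)
```

Running it against the sample yields two findings: the mesh-wide ALLOW_ALL egress filter and the payments route whose target is not on the router’s allow-list.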
Summary: The Future is Meshed
Service meshes provide significant benefits for large scale microservices deployments, by adding an independent layer (container) that provides visibility, security, monitoring, and network efficiency tooling.
AWS App Mesh is a new managed service mesh that frees DevOps teams from managing and operating service mesh components, simplifying deployment and configuration. Aqua can be easily deployed onto the App Mesh nodes to provide complementary security controls. Using the Aqua Enforcers, App Mesh users can gain visibility into their virtual routes, configure their network policies (inside and outside the App Mesh virtual domain), protect the App Mesh infrastructure, and prevent malicious exploitation.