Securing Kubernetes Deployments on Amazon EKS with Aqua

Securing Kubernetes Deployments on Amazon EKS with Aqua

AWS made its Elastic Container Services for Kubernetes (EKS) generally available today. We at Aqua had access to the preview version for some time, which allowed us to ensure that our container security platform works with EKS to provide its full spectrum of runtime protection capabilities. 

The integration of Aqua with EKS provides a seamless way to enforce compliance and security policies on applications running on EKS clusters: Preventing unapproved images from being deployed, enforcing runtime policy controls on containers and pods, ensuring that the cluster nodes are properly configured against the CIS Kubernetes benchmark, and more.

Here’s a quick rundown of what using securing Kubernetes clusters on Amazon EKS looks like.

What is Amazon EKS? How is is different from “bring your own” Kubernetes?

EKS is a managed Kubernetes service. It’s completely based on upstream Kubernetes, so it should be familiar to anyone already using Kubernetes. It provides transparent integration with other AWS services like IAM, and also removes much of the hassle of setting up your own K8s cluster, configuring it properly, etc.

From a security standpoint, the main difference is that as a managed service, the K8s cluster is managed by AWS. The user doesn’t manage the master node, only worker nodes, which impacts how you would implement security controls.

Deploying Aqua on EKS

As a first step, we deploy the Aqua containers on an EKS cluster. Typically we do this using a daemonset. Below you can see how the Aqua services are deployed alongside application and system services:
Kubernetes Security on EKS

Looking inside a node, we see how they are deployed as pods:Kubernetes Security on AWS EKS

In the Aqua Command Center, we can see all the deployed containers as they’re deployed on the node, and their statuses:

Kubernetes Security on AWS EKS
Additionally, in the Enforcers screen, we can see that Aqua Enforcers have been deployed on the cluster, and on 3 worker nodes:

Get a Demo

Preventing Unapproved Images from Running

Aqua uses Image Assurance policies to determine whether images will be allowed to run - which the Aqua Enforcer enforces.

In this instance, we created a CVSS score threshold, so an image containing any known vulnerabilities whose score exceeds this threshold will be disallowed:
Kubernetes security EKS image assurance

Unfortunately, in this instance we used an older Redis image that has many vulnerabilities, including high severity ones that score above 6, so it is listed as disallowed::

Image Assurance kubernetes security

As EKS tries to run the vulnerable Redis image, it is blocked by the Aqua Enforcer:Kubernetes Security

Blocking Unauthorized Changes in Runtime

Another cool feature of the Aqua runtime policy that is deceptively simple to use, but has a lot of technology behind it, is what we call Drift Prevention:

Kubernetes security AWS EKS
Essentially, by checking these boxes you can enforce the immutability of your environment by preventing any changes to containers compared to their originating images. Aqua creates a precise cryptographic digest of the image when it's built, and then compares the contents of each layer of the image to the container resources. Any change to those resources will be prevented.

Let’s see what happens when we try and Bump Versions of our Redis container instead of updating the image at the source:

Kubernetes security AWS EKS

We’ve been denied, and we can view the full details of this event in the Aqua audit screen:

Kubernetes Security AWS EKS

So there you have it.

Securing workloads on Amazon EKS is done in an almost identical fashion to other Kubernetes deployments - a testament to how well AWS managed to keep EKS compatible with upstream Kubernetes. Great news for anyone considering the convenience it offers in running K8s clusters, and especially if you’re already running other workloads on AWS.

You can read more about how we secure the various AWS container services on our container security on AWS page.

Get a Demo

Rani Osnat

Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.