SlideShare a Scribd company logo

AWS EKS Security Best Practices

Download as PPTX, PDF
S
StackRox

The document outlines best practices for securing Amazon Elastic Kubernetes Service (EKS), emphasizing the importance of proper cluster design, secure container image handling, and pod runtime security. Recommended strategies include using private subnets, scanning images for vulnerabilities, implementing role-based access control, and monitoring cluster security. It also advises against certain practices, such as neglecting AWS security protocols and installing the Kubernetes dashboard.

Technology
1 of 11
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
EKS Security Best Practices Getting the Most from Amazon Elastic Kubernetes Service
2©2019 StackRox. All rights reserved. AMAZO N EK S Amazon Elastic Kubernetes Service (Amazon EKS) makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS.
3©2019 StackRox. All rights reserved. What is Kubernetes? • Open-sourceContainer Workload Orchestrator • Design by Google based on their internal deployment practices • Workloads of “pods” containing one or more Docker containers • Manages starting/restarting/scaling workloads • Controllers allow for customized behaviors • Security management capabilities exist but generally not on by default
4©2019 StackRox. All rights reserved. EKS Cluster Design Considerations EC2VPC Layout • Subnets across three+ Availability Zones • Private subnets + NAT Gateway(s) for worker nodes • Public subnets for ingress from Internet High Availability • EKS creates redundant control plane across three Availability Zones • User-created node groups should be across multipleAvailability Zones
5©2019 StackRox. All rights reserved. EKS Cluster Networking AWSVPC CNI • EC2 security groups for traffic control • Firewall controls cannot be applied at deployment or namespace level • Does NOT support Kubernetes Network Policies • Not cloud portable • Not suitable for multi-tenant cluster network segregation Calico • Deploys alongside AWSVPC CNI • Install at any time • Full Kubernetes Network Policy support • Supported on all(?) Kubernetes providers • Very good controls for multi-tenant cluster network segregation
6©2019 StackRox. All rights reserved. Secure Container Images EC2VPC Layout • Subnets across three+ Availability Zones • Private subnets + NAT Gateway(s) for worker nodes • Public subnets for ingress from Internet High Availability • EKS creates redundant control plane across three Availability Zones • User-created node groups should be across multipleAvailability Zones
7©2019 StackRox. All rights reserved. Secure Container Images BuildTime • Start with a current, secure base image • Use separate build and runtime images • Don’t install unneeded software on the runtime image • Use an image scanner at build time and fail builds with flaws Third-Party Containers • Scan before deploying to production • Keep up-to-date • Use a Kubernetes admission controller to reject pods with insecure images • If necessary, build custom image to control content
8©2019 StackRox. All rights reserved. Pod Runtime Security • Namespaces • Kubernetes Role-Based Access Control • Principle of Least Privilege • Roles instead of ClusterRoles, RoleBindings instead of ClusterRoleBindings • Use Network Policies (requiresCalico CNI) • Limit Container Runtime Privileges • Service Account for each application • Use PodSecurityPolicy resources to enforce Principle of Least Privilege • Protect EC2 Instance Role Credentials • kube2iam or Network Policies
9©2019 StackRox. All rights reserved. Additional Best Practices Do the following: • Monitor security of clusters and their workloads • Follow all Helm security practices for tillerd • Make Kubernetes API endpoint private, if possible • Keep all resource manifests for each deployment together • Deploy with identical RBAC, Network Policies, etc., in staging before going to production Avoid the following: • Install the Kubernetes dashboard • NeglectAWS and EC2 security best practices
10©2019 StackRox. All rights reserved. Get a free trial of the StackRox Kubernetes Security Platform today! Visit StackRox.com
11©2019 StackRox. All rights reserved. TH AN K YO U

More Related Content

PPTX
AWS EKS: Amazon Manages Kubernetes
Philipp Koch
 
PDF
Ultimate kubernetes platform on aws with eks
armincoralic
 
PDF
Introduction to EKS and eksctl
Weaveworks
 
PPTX
Kubernetes on AWS => EKS || CNCF Meetup Zurich, Feb 2019
Gerd König
 
PPTX
Docker best practices
Philipp Koch
 
PDF
Kubernetes On AWS | AWS Kubernetes Tutorial | AWS EKS Tutorial | AWS Training...
Edureka!
 
PDF
Amazon EKS - Aws community day bengaluru 2019
Akash Agrawal
 
PPTX
Eks and fargate
Asaf Abres
 
AWS EKS: Amazon Manages Kubernetes
Philipp Koch
 
Ultimate kubernetes platform on aws with eks
armincoralic
 
Introduction to EKS and eksctl
Weaveworks
 
Kubernetes on AWS => EKS || CNCF Meetup Zurich, Feb 2019
Gerd König
 
Docker best practices
Philipp Koch
 
Kubernetes On AWS | AWS Kubernetes Tutorial | AWS EKS Tutorial | AWS Training...
Edureka!
 
Amazon EKS - Aws community day bengaluru 2019
Akash Agrawal
 
Eks and fargate
Asaf Abres
 

What's hot (15)

PPTX
Amazon EKS Deep Dive
Andrzej Komarnicki
 
PPTX
Amazon EKS: Getting Started
Tanya Seno
 
PDF
AWS ECS vs EKS
Norberto Enomoto
 
PDF
Getting Started on Amazon EKS
Matthew Barlocker
 
PDF
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020
Massimo Ferre'
 
PDF
Elastic Kubernetes Services (EKS)
sriram_rajan
 
PPTX
Advanced workload scheduling for containers on AWS
Nathan Peck
 
PDF
Docker Paris #29
Julien SIMON
 
PDF
Amazon EKS Managed Kubernetes Cluster
kloia
 
PDF
AWS Container services
Aleksandr Maklakov
 
PDF
Hands-on with AWS IoT
Julien SIMON
 
PDF
Kubernetes on AWS gone wild
Christian Jantz
 
PPTX
Moving Viadeo to AWS (2015)
Julien SIMON
 
PDF
Running Docker clusters on AWS (June 2016)
Julien SIMON
 
ODP
Hybris install telco accelerators on aws-ec2
Venugopal Gummadala
 
Amazon EKS Deep Dive
Andrzej Komarnicki
 
Amazon EKS: Getting Started
Tanya Seno
 
AWS ECS vs EKS
Norberto Enomoto
 
Getting Started on Amazon EKS
Matthew Barlocker
 
Containers Meetup (AWS+CNCF) Milano Jan 15th 2020
Massimo Ferre'
 
Elastic Kubernetes Services (EKS)
sriram_rajan
 
Advanced workload scheduling for containers on AWS
Nathan Peck
 
Docker Paris #29
Julien SIMON
 
Amazon EKS Managed Kubernetes Cluster
kloia
 
AWS Container services
Aleksandr Maklakov
 
Hands-on with AWS IoT
Julien SIMON
 
Kubernetes on AWS gone wild
Christian Jantz
 
Moving Viadeo to AWS (2015)
Julien SIMON
 
Running Docker clusters on AWS (June 2016)
Julien SIMON
 
Hybris install telco accelerators on aws-ec2
Venugopal Gummadala
 
Ad

Similar to AWS EKS Security Best Practices (20)

PPTX
EKS security best practices
John Varghese
 
PDF
EKS Workshop
AWS Germany
 
PDF
Operationalizing Amazon EKS
Jim Bugwadia
 
PPTX
Kubernetes security with AWS
Kasun Madura Rathnayaka
 
PDF
kubernetes on awsjourneryssdddddddddddddd
RubyMallah
 
PPTX
Meetup CNCF Torino - Amazon EKS March 29th 2019
Massimo Ferre'
 
PDF
TechDays Finland 2020: Best practices of securing web applications running on...
Karl Ots
 
PPTX
Kubernetes-Fundamentals.pptx
satish642065
 
PPTX
Amazon Elastic Container Service for Kubernetes (Amazon EKS) I AWS Dev Day 2018
AWS Germany
 
PDF
From Zero to Production with Amazon EKS Blueprints for Terraform
Tal Hibner
 
PDF
Trusted Application Delivery: Achieving Ultimate Security
Weaveworks
 
PDF
Builders' Day- Mastering Kubernetes on AWS
Amazon Web Services LATAM
 
PDF
Amazon Elastic Kubernetes Service (EKS) From Zero to Day 1
AWS User Group - Thailand
 
PDF
Max Körbächer - AWS EKS and beyond – master your Kubernetes deployment on AWS...
Codemotion
 
PDF
Max Körbächer - AWS EKS and beyond master your Kubernetes deployment on AWS -...
Codemotion
 
PDF
게임 고객사를 위한 ‘AWS 컨테이너 교육’ 자료 - 유재석 솔루션즈 아키텍트, AWS :: Gaming Immersion Day 201...
Amazon Web Services Korea
 
PDF
Consolidating Infrastructure with Azure Kubernetes Service
Eng Teong Cheah
 
PPTX
Security Practices in Kubernetes
Fibonalabs
 
PDF
Introduction to EKS (AWS User Group Slovakia)
Vladimir Simek
 
PDF
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
EKS security best practices
John Varghese
 
EKS Workshop
AWS Germany
 
Operationalizing Amazon EKS
Jim Bugwadia
 
Kubernetes security with AWS
Kasun Madura Rathnayaka
 
kubernetes on awsjourneryssdddddddddddddd
RubyMallah
 
Meetup CNCF Torino - Amazon EKS March 29th 2019
Massimo Ferre'
 
TechDays Finland 2020: Best practices of securing web applications running on...
Karl Ots
 
Kubernetes-Fundamentals.pptx
satish642065
 
Amazon Elastic Container Service for Kubernetes (Amazon EKS) I AWS Dev Day 2018
AWS Germany
 
From Zero to Production with Amazon EKS Blueprints for Terraform
Tal Hibner
 
Trusted Application Delivery: Achieving Ultimate Security
Weaveworks
 
Builders' Day- Mastering Kubernetes on AWS
Amazon Web Services LATAM
 
Amazon Elastic Kubernetes Service (EKS) From Zero to Day 1
AWS User Group - Thailand
 
Max Körbächer - AWS EKS and beyond – master your Kubernetes deployment on AWS...
Codemotion
 
Max Körbächer - AWS EKS and beyond master your Kubernetes deployment on AWS -...
Codemotion
 
게임 고객사를 위한 ‘AWS 컨테이너 교육’ 자료 - 유재석 솔루션즈 아키텍트, AWS :: Gaming Immersion Day 201...
Amazon Web Services Korea
 
Consolidating Infrastructure with Azure Kubernetes Service
Eng Teong Cheah
 
Security Practices in Kubernetes
Fibonalabs
 
Introduction to EKS (AWS User Group Slovakia)
Vladimir Simek
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Ad

Recently uploaded (20)

PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Teaching material agriculture food technology
LiaRayya
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
KodekX | Application Modernization Development
KodekX
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Cloud computing and distributed systems.
kkkkkhan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 

AWS EKS Security Best Practices

  • 1. EKS Security Best Practices Getting the Most from Amazon Elastic Kubernetes Service
  • 2. 2©2019 StackRox. All rights reserved. AMAZO N EK S Amazon Elastic Kubernetes Service (Amazon EKS) makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS.
  • 3. 3©2019 StackRox. All rights reserved. What is Kubernetes? • Open-sourceContainer Workload Orchestrator • Design by Google based on their internal deployment practices • Workloads of “pods” containing one or more Docker containers • Manages starting/restarting/scaling workloads • Controllers allow for customized behaviors • Security management capabilities exist but generally not on by default
  • 4. 4©2019 StackRox. All rights reserved. EKS Cluster Design Considerations EC2VPC Layout • Subnets across three+ Availability Zones • Private subnets + NAT Gateway(s) for worker nodes • Public subnets for ingress from Internet High Availability • EKS creates redundant control plane across three Availability Zones • User-created node groups should be across multipleAvailability Zones
  • 5. 5©2019 StackRox. All rights reserved. EKS Cluster Networking AWSVPC CNI • EC2 security groups for traffic control • Firewall controls cannot be applied at deployment or namespace level • Does NOT support Kubernetes Network Policies • Not cloud portable • Not suitable for multi-tenant cluster network segregation Calico • Deploys alongside AWSVPC CNI • Install at any time • Full Kubernetes Network Policy support • Supported on all(?) Kubernetes providers • Very good controls for multi-tenant cluster network segregation
  • 6. 6©2019 StackRox. All rights reserved. Secure Container Images EC2VPC Layout • Subnets across three+ Availability Zones • Private subnets + NAT Gateway(s) for worker nodes • Public subnets for ingress from Internet High Availability • EKS creates redundant control plane across three Availability Zones • User-created node groups should be across multipleAvailability Zones
  • 7. 7©2019 StackRox. All rights reserved. Secure Container Images BuildTime • Start with a current, secure base image • Use separate build and runtime images • Don’t install unneeded software on the runtime image • Use an image scanner at build time and fail builds with flaws Third-Party Containers • Scan before deploying to production • Keep up-to-date • Use a Kubernetes admission controller to reject pods with insecure images • If necessary, build custom image to control content
  • 8. 8©2019 StackRox. All rights reserved. Pod Runtime Security • Namespaces • Kubernetes Role-Based Access Control • Principle of Least Privilege • Roles instead of ClusterRoles, RoleBindings instead of ClusterRoleBindings • Use Network Policies (requiresCalico CNI) • Limit Container Runtime Privileges • Service Account for each application • Use PodSecurityPolicy resources to enforce Principle of Least Privilege • Protect EC2 Instance Role Credentials • kube2iam or Network Policies
  • 9. 9©2019 StackRox. All rights reserved. Additional Best Practices Do the following: • Monitor security of clusters and their workloads • Follow all Helm security practices for tillerd • Make Kubernetes API endpoint private, if possible • Keep all resource manifests for each deployment together • Deploy with identical RBAC, Network Policies, etc., in staging before going to production Avoid the following: • Install the Kubernetes dashboard • NeglectAWS and EC2 security best practices
  • 10. 10©2019 StackRox. All rights reserved. Get a free trial of the StackRox Kubernetes Security Platform today! Visit StackRox.com
  • 11. 11©2019 StackRox. All rights reserved. TH AN K YO U