
Monitor Amazon EKS Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)

The Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes performed at the AWS EKS service level in your AWS account.

Security

Amazon Elastic Container Service for Kubernetes (Amazon EKS) is a managed service provided by Amazon Web Services that simplifies the use of Kubernetes on the AWS cloud without the need to install and operate your own Kubernetes control plane (i.e. the main controlling unit of the Kubernetes cluster). With Amazon EKS you can deploy, manage and scale containerized applications using Kubernetes in the AWS cloud.

Kubernetes is a popular open-source container-orchestration system designed for automating the deployment, scaling and management of containerized applications. Kubernetes groups containers together for management and discoverability, then launches them onto clusters of EC2 instances. With Kubernetes you can run containerized applications, including microservices, batch processing workers and Platforms as a Service (PaaS), using the same toolset on premises and in the cloud. Its main purpose is to provide better ways of managing related, distributed components and services across varied infrastructure.

The AWS EKS service works by provisioning and managing the Kubernetes control plane for you. Kubernetes consists of two major components: a cluster of worker nodes that run your containers, and a control plane that manages when and where containers are provisioned on your cluster and monitors their status. Without AWS EKS, you have to run and manage both the Kubernetes control plane and the cluster of worker nodes yourself. With Amazon EKS (Managed Kubernetes Service), you provision your cluster of worker nodes using the provided AMI and the predefined CloudFormation template, and AWS handles the rest, i.e. provisioning, scaling and managing the Kubernetes control plane within a secure, highly available configuration. EKS removes the most important operational responsibilities for running Kubernetes so that you can focus on building your applications instead of managing AWS cloud infrastructure.

To offer the best scalability and security for your cloud applications, the EKS service integrates with many other AWS services such as Elastic Load Balancing for load distribution, IAM for authentication and authorization, AWS VPC for network isolation, AWS PrivateLink for private network access and AWS CloudTrail for logging.


As an AWS security best practice, you have to know about each configuration change made at the Amazon EKS service level. The operational activity detected by this RTMA rule can be any root/IAM user request initiated through the AWS Management Console, or any AWS API request initiated programmatically using the AWS CLI or SDKs, that triggers Amazon EKS service actions such as:

"CreateCluster" - Creates an AWS EKS control plane. This control plane consists of master instances that run the Kubernetes software, like etcd and the API server. The control plane runs within an account managed by Amazon Web Services and the Kubernetes API is exposed through the EKS API server endpoint.

"DeleteCluster" - Deletes the Amazon EKS cluster control plane.

"UpdateClusterVersion" - Updates an AWS EKS cluster to the specified Kubernetes version. Your Amazon EKS cluster continues to function during the update.
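As an added example (not part of the Conformity knowledge base or the product's own code), the following Python script applies the logic of this rule to a constructed CloudTrail log file: it keeps only the three EKS actions listed above, ignores read-only EKS calls and events from other services, and records whether the caller was root or an IAM user and whether the request came through the Management Console or the CLI/SDK. It assumes console-originated events carry a userAgent beginning with "console.amazonaws.com"; the account ID, user names and timestamps are placeholders.

```python
import json

# EKS actions the RTMA rule treats as configuration changes; read-only calls
# such as DescribeCluster and ListClusters are deliberately not in this set.
EKS_CHANGE_ACTIONS = {"CreateCluster", "DeleteCluster", "UpdateClusterVersion"}

# Constructed CloudTrail records for illustration (account ID is a placeholder).
IAM_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2018-12-18T10:01:00Z", "eventSource": "eks.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "CreateCluster", "userIdentity": IAM_ALICE,
     "userAgent": "aws-cli/1.16.80 Python/3.6.7", "requestParameters": {"name": "prod-eks"}},
    {"eventTime": "2018-12-18T10:02:00Z", "eventSource": "eks.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "DescribeCluster", "userIdentity": IAM_ALICE,
     "userAgent": "aws-cli/1.16.80 Python/3.6.7", "requestParameters": {"name": "prod-eks"}},
    {"eventTime": "2018-12-18T10:05:00Z", "eventSource": "eks.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "UpdateClusterVersion", "userIdentity": ROOT, "userAgent": "console.amazonaws.com",
     "requestParameters": {"name": "prod-eks", "version": "1.11"}},
    {"eventTime": "2018-12-18T10:06:00Z", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "RunInstances", "userIdentity": IAM_ALICE, "userAgent": "aws-cli/1.16.80 Python/3.6.7"},
    {"eventTime": "2018-12-18T10:09:00Z", "eventSource": "eks.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "DeleteCluster", "userIdentity": IAM_ALICE, "userAgent": "Boto3/1.9.60 Python/3.7.1",
     "requestParameters": {"name": "prod-eks"}, "errorCode": "AccessDeniedException"},
]})


def classify_source(user_agent):
    """Distinguish the two request paths the rule names: Management Console vs. CLI/SDK."""
    return "console" if user_agent.startswith("console.amazonaws.com") else "cli-sdk"


def eks_config_changes(cloudtrail_json):
    """Return one alert per EKS configuration change found in a CloudTrail log file."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "eks.amazonaws.com":
            continue  # not an EKS event at all
        if rec.get("eventName") not in EKS_CHANGE_ACTIONS:
            continue  # read-only EKS call, no configuration change
        identity = rec.get("userIdentity", {})
        alerts.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "cluster": (rec.get("requestParameters") or {}).get("name"),
            "principal_type": identity.get("type"),  # "Root" or "IAMUser" as the rule describes
            "principal": identity.get("arn"),
            "source": classify_source(rec.get("userAgent", "")),
            "succeeded": "errorCode" not in rec,  # denied attempts are kept, but marked
        })
    return alerts
```

Failed calls (an errorCode in the record) are reported rather than dropped, since a denied DeleteCluster attempt is itself worth a defender's attention.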

To keep your Amazon EKS service configuration stable and secure, Cloud Conformity strongly recommends that you avoid, as much as possible, granting your non-privileged IAM users permission to change the EKS service and resource configuration within your AWS account.

The communication channels used for sending RTMA notifications can be configured in your Cloud Conformity account. The supported communication channels for receiving configuration change alerts for Amazon EKS are SMS, Email, PagerDuty, ServiceNow, Slack and Zendesk.

Remediation / Resolution

According to the Shared Responsibility Model, Amazon Web Services is responsible for the Kubernetes control plane, which includes the control plane instances and the etcd database. Your responsibilities include, among others, the security configuration of the data plane: the security groups that allow traffic to pass from the AWS EKS control plane into your VPC network, the configuration of the worker instances (nodes), and the containers themselves. Therefore, using the Cloud Conformity RTMA feature to detect Amazon Elastic Container Service for Kubernetes (EKS) configuration changes will help you prevent accidental or intentional modifications that may lead to unauthorized access to your data, unexpected costs on your AWS bill or other security issues that can heavily impact your applications.

Publication date Dec 18, 2018