2024-09-20 | Hünkar Döner
EKS Security Best Practices: Zero Trust Approach
Tags: Security, EKS, DevSecOps, Zero Trust
Kubernetes is as complex as it is powerful, and its default settings are not always the most secure options. Amazon EKS secures the control plane; under the "Shared Responsibility Model", the data plane and application security are yours.
For a secure EKS environment, you must adopt the "Zero Trust" approach: "Never trust, always verify."
1. Network Security: Close the Doors
- Private Endpoint: Restrict access to the EKS API server to a VPN or specific IP addresses only. Close or restrict public access.
- Network Policies: By default, all pods in a Kubernetes cluster can talk to each other, which is risky. Define NetworkPolicy objects, enforced by Calico or the AWS VPC CNI, for example the rule "frontend pods may reach backend pods, but not the database".
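The rule described above, written out as an added example (not part of the original post): a default-deny policy for a hypothetical namespace "shop", then explicit openings along the allowed path frontend -> backend -> database. The namespace name, the tier labels and the ports are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop            # hypothetical namespace (assumption)
spec:
  podSelector: {}            # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress                # no ingress rules listed, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: backend          # assumed label on backend pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: frontend # only frontend pods may connect to backend
      ports:
        - protocol: TCP
          port: 8080         # assumed backend port
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-from-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: database         # assumed label on database pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: backend  # backend only; frontend stays blocked by default deny
      ports:
        - protocol: TCP
          port: 5432         # assumed database port
```

The frontend pods also fall under the default deny, so a further policy admitting traffic from the ingress controller or load balancer is still needed. NetworkPolicy objects are accepted by the API server even when no engine enforces them, so verify that Calico or the VPC CNI network policy feature is actually enabled before relying on them.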
2. Identity and Access (IAM)
- IRSA (IAM Roles for Service Accounts): Never grant broad permissions to the nodes (EC2 instances). Assign each pod only the IAM role it needs (for example S3 read or DynamoDB write).
- aws-auth ConfigMap: This ConfigMap controls who can access the cluster (kubectl); configure it carefully. Where possible, switch to the EKS Access Entries feature, the newer and safer mechanism.
3. Pod Security
- Pod Security Standards (PSS): Pod Security Policies (PSP) are deprecated; PSS, enforced by the Pod Security Admission controller, replace them. Prevent pods from running as root (the runAsNonRoot setting) or accessing the host network.
- Read-Only Filesystem: Prevent containers from writing to their filesystem (readOnlyRootFilesystem); this makes it harder for an attacker to drop malware into a running container.
4. Image Security (Supply Chain Security)
- Image Scanning: Automatically scan every image you push to Amazon ECR, and block deployment of images with Critical/High vulnerabilities.
- Minimal Images: Use minimal base images such as Distroless or Alpine. Images without curl, wget, or a shell make an attacker's job much harder.
5. Secrets Management
- Encryption: By default, Kubernetes Secrets are stored in etcd only base64-encoded (not encrypted!). Enable envelope encryption using AWS KMS.
- External Management: Where possible, keep secrets outside Kubernetes in a dedicated, more secure system such as AWS Secrets Manager or HashiCorp Vault, and inject them into pods dynamically.
6. Audit & Monitoring
- Audit Logs: Send the EKS control plane logs (Audit, API, Authenticator) to CloudWatch and retain them. They answer the question "Who changed what, and when?"
- Runtime Security: Detect suspicious behaviour at runtime (for example, a shell being opened inside a pod) with tools such as Falco.
Security is not a destination, it is a journey. With our Kubernetes Consultancy service, you can minimize your risks by regularly subjecting your EKS clusters to security scans and penetration tests.