Trusted Application Delivery: Achieving Ultimate Security

1
Trusted Application
Delivery: Achieving
Ultimate Security
1
Leonardo Murillo
Principal Partner Solutions Architect, Weaveworks
@murillodigital
leonardo@weave.works

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Amazon EKS Security
– Best Practices
Arindam Chatterji
Senior Solution Architect
AWS

Arindam Chatterji
• Senior Solution Architect at AWS
• Passionate about sports 🏈 🏀 ⚽ 🏏
2

Agenda
• Amazon Shared Responsibility Model
• Compliance for AWS services
• EKS Security best practices
• Weave GitOps and EKS deep dive

Managed container services
Deployment, scheduling,
scaling, and management of
containerized applications
Where the containers run
Amazon Elastic
Container Service
Amazon Elastic
Container Service
for Kubernetes
Amazon EC2 AWS Fargate
Container image repository
Amazon Elastic
Container Registry
Orchestration
Compute Engine
Image registry

AWS Shared Responsibility
Model
5

EKS with self-managed workers
CONTAINER IMAGES, SOURCE CODE, IAM
EKS CLUSTER CONFIGURATION
CUSTOMER DATA
NETWORK
POLICIES
RBAC
BINDINGS
QUOTAS
&
LIMIT
RANGES
HPA
&
VPA
QOS
AND
POD
PRIORITY
POD
SECURITY
POLICIES
POD
DISRUPTION
BUDGETS
CLUSTER
ADD-ONS
VPC CONFIGURATION
WORKER NODE SCALING
OS, KUBELET, CRI & AMI CONFIGURATION
KUBERNETES
CONTROL
PLANE
API
SERVER
CONTROLLER
MANAGER
SCHEDULER
ETCD
AWS
RESPONSIBLITY
CUSTOMER
RESPONSIBILITY

EKS with managed node groups
CUSTOMER DATA
NETWORK
POLICIES
RBAC
BINDINGS
QUOTAS
&
LIMIT
RANGES
HPA
&
VPA
QOS
AND
POD
PRIORITY
POD
SECURITY
POLICIES
POD
DISRUPTION
BUDGETS
CLUSTER
ADD-ONS
VPC CONFIGURATION
WORKER NODE SCALING
OS, KUBELET, CRI & AMI CONFIGURATION*
KUBERNETES
CONTROL
PLANE
API
SERVER
CONTROLLER
MANAGER
SCHEDULER
ETCD
AWS
RESPONSIBLITY
CUSTOMER
RESPONSIBILITY

EKS Fargate
CUSTOMER DATA
NETWORK
POLICIES
RBAC
BINDINGS
QUOTAS
&
LIMIT
RANGES
HPA
&
VPA
QOS
AND
POD
PRIORITY
POD
SECURITY
POLICIES
POD
DISRUPTION
BUDGETS
CLUSTER
ADD-ONS
VPC CONFIGURATION
WORKER NODE SCALING
OS, KUBELET, CRI & AMI CONFIGURATION
KUBERNETES
CONTROL
PLANE
API
SERVER
CONTROLLER
MANAGER
SCHEDULER
ETCD
AWS
RESPONSIBLITY
CUSTOMER
RESPONSIBILITY

Security benefits of AWS Fargate
We do more, you do less.
• Patching (OS, Container runtime, kubelet, etc.)
• Pod isolation (via separate kernel, ENI, CPU,
memory)
• No --privileged mode for containers
• No runtime access for users (ssh or interactive
Docker)

Inherit global security and compliance controls
FERPA
SOC 1 SOC 2 SOC 3 CJIS
https://aws.amazon.com/compliance/services-in-scope/

© 2022, Amazon Web Services, Inc. or its aﬃliates. All rights reserved. Amazon Confidential and Trademark.
Identity and Access
Management
11

K8s action allowed/denied
EKS: IAM Authentication + kubectl
Authorization of AWS Identity
against Kubernetes RBAC
K8s API
Passes AWS Identity
Verifies AWS Identity
kubectl
AWS IAM
Authentication

Identity and Access Management (IAM)
General guidelines
• Practice the principle of least
privilege for AWS IAM and k8s
RBAC
• Periodically audit access to the
cluster
• Run the application as a non-root
user
• Create the cluster with a
dedicated IAM role
• User authentication for Amazon
EKS clusters from an OpenID
Connect (OIDC) Identity Provider
IAM
• Use IRSA to assign AWS
identities to pods
• Block access to EC2
metadata
Kubernetes
• Use separate services
accounts for each
application
• Disable auto-mounting of
the default service account
token

Host, Container Image Hardening
and Runtime Security
14

Host Security
• Use an OS that is optimized for running containers
EKS Optimized Amazon Linux 2 & Bottlerocket (preview)
Alternatives: Atomic, Flatcar Linux, RancherOS
• Deploy workers onto private subnets
• Immutable infrastructure
• Run Amazon Inspector to continually assess alignment with best
practices and compliance requirements
kube-bench for EKS CIS benchmark
https://aws.amazon.com/blogs/containers/introducing-cis-
amazon-eks-benchmark

Securing container images
• Scan container images
ECR, Anchore, Clair, Trivy
• Use Scratch or a slim base layer
• De-fang your images
Remove files with the SETUID and SETGID bits from the image
• Always run as a non-root user
Lint your Dockerfiles
• Use endpoint policies and private endpoints with Elastic Container Registry
(ECR)
• Protect the supply-chain

• Use PSPs or Kyverno or OPA/Gatekeeper to implement runtime security
measures:
ü Deny privileged escalation
ü Deny running as root
ü Deny mounting hostPath
ü Drop Linux capabilities
• Compliment PSPs with AppArmor or Seccomp profiles (if necessary)
• Use 3rd party solutions
Aqua, Stackrox, Sysdig Falco, Twistlock etc.
Pod and runtime security

Network Segmentation –
Network and Firewall
Configuration
18

Installing a network policy provider on Kubernetes
• You first need to add a network policy provider to Amazon EKS /
Kubernetes in order to use network policies. A popular one covered in
our documentation is Calico.
https://docs.aws.amazon.com/eks/latest/userguide/calico.html

• Start with a deny-all global policy and incrementally add policies
• Use k8s network policies for restricting E-W traffic within the cluster
• Log Network Traffic metadata for analysis
• Restrict outbound traffic from pods that don’t need to connect to external
services
SGs for pods & Cilium (L7 policies)
• Encrypt service-to-services traffic with a mesh
Alternatives: Select CNI plug-ins & Nitro instances
Network Security

Auditing and Logging
21

Logging and Monitoring
Logging
• Amazon CloudWatch Logs/awslogs
• Log routing (Fluentd, Fluent Bit, ELK)
• VPC Flow Log
Monitoring
• Amazon CloudWatch Events & Container insights
• Amazon Managed Prometheus and Grafana
• Periodically audit Kubernetes control plane and AWS CloudTrail
logs for suspicious activity
– Search for the annotations authorization.k8s.io/decision and
authorization.k8s.io/reason to ascertain why a call was allow/denied

Data Encryption and Secrets
Management
23

Data Protection
• Encryption at rest for EBS,EFS and
FSx for Lustre
• Leverage AWS KMS for service
managed key or customer master
key (CMK)
• Encryption in transit
• Rotate your CMKs periodically
• Use EFS access points to simplify
access to shared datasets
Parameter
Store
AWS Secrets Manager AWS KMS
Container
apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy:
Retain
storageClassName: efs-sc
mountOptions:
- tls
csi:
driver: efs.csi.aws.com
volumeHandle:
<file_system_id>

How do you manage secrets?
• Use AWS KMS for envelope encryption
of Kubernetes secrets
• Audit the use of secrets and rotate
them periodically
• Use volume mounts instead of
environment variables
• Leverage AWS Secrets Manager or SSM
Parameter Store to store secrets
Parameter
Store
AWS Secrets Manager AWS KMS
Container
/prod/rds/secret-username
/prod/rds/secret-password
aws secretsmanager create-secret --name <SECRETNAME> --description ”rds/secret" --
secret-string [{"testkey1":"testvalue1"}] --region <REGION>
…
env:
- name: ENDPOINT
value: "https://secretsmanager.us-west-2.amazonaws.com"
- name: REGION
value: "us-west-2"
- name: SECRETNAME
value: "sm-demo-secret”
…
SSM Parameter
Store
AWS Secrets
Manager
Encryption AWS KMS AWS KMS
Authentication/
authorization
AWS Identity
and Access
Management
(IAM)
IAM
Secret rotation Static Dynamic

Closing Thoughts..
26

Summing Up
The customer has many responsibilities in running containers
securely in AWS.
The key areas to delve into include:
• Identity and Access Management
• Network Topology and Firewalling
• Logging and Auditing
• Encryption and Mutual Authentication between Tasks/Pods
• Patching (container images, container hosts and the Kubernetes
control plane)
• Secrets Management
• What is in, and what isn’t in, each container image you run

Reference -EKS Best Practices for Security
https://aws.github.io/aws-eks-best-practices/

Thank you!
Arindam Chatterji
Senior Solutions
Architect

1
EKS & Weave GitOps
Security at the speed of
cloud native
1
Leonardo Murillo
@murillodigital
leonardo@weave.works

2
2
Leo brings wide-ranging industry perspective, with over 20 years
of experience building technology and leading teams all the way
from Startups to Fortune 500s.
He is passionate about cloud native technologies, organizational
transformation and the open source community.
As former CTO he led worldwide teams building cloud native
software for large enterprises. In his role as Principal Partner
Solutions Architect at Weaveworks, he focuses on helping solve
application and infrastructure delivery challenges on Kubernetes
at scale.
Leonardo Murillo
@murillodigital ⬝ leonardo@weave.works

3
3
Weaveworks is backed by solid investors
Weaveworks is a key partner with all the
major infrastructure and Kubernetes vendors
Weaveworks: the GitOps company
Weaveworks is deeply committed
to the Open Source Community

4
Financial Services
Weaveworks Customers
Technology Other Industries

5
5
The Goal: Go faster, securely

6
6
DevOps and Cloud Native: A combination for speed
Improve DORA metrics
DevOps:
Remove silos
and reduce
handoﬀs
Cloud Native:
Decoupled and
immutable
Lead time for changes
Deployment frequency
Time to restore service
Change failure rate

7
7
AWS, EKS and Weave GitOps simplify
and secure Cloud Native DevOps
Foundational Security Highly Secure Kubernetes Platform
and container image registry
● OIDC Integration
● Pod Security Groups
● RBAC / IAM Integration
● Container Image Scanning
● Immutable Tags
Declarative and secure
continuous delivery
● Policy as Code
● Declarative Conﬁguration
● Pull Based Continuous
Reconciliation
● Trusted Delivery
AWS Shared Responsibility EKS +ECR Weave GitOps

8
8
The foundation of velocity is CI/CD
Continuous
Going faster and getting to Continuous
Deployment is a matter of trust
Produce a trustable artifact:
● Test (application and all dependencies / SBOM)
● Sign
● Securely and uniquely store
Guarantee workloads and conﬁguration can be trusted
during delivery and runtime (over time):
● Immutable Conﬁguration
● Declarative Policy
● Continuous compliance
Integration Delivery/Deployment

9
9
CI/CD is all about pipelines and artifacts
Weave GitOps enhances security by creating an immutable barrier between CI and CD,
and guarantee trusted artifacts and configuration at runtime.
CodePipeline
Performs integration
tasks and pushes a
verified, uniquely
tagged and signed
container image
CodeCommit
Stores declarative configuration
for the entire system, including
integration steps
ECR
Scans and stores
immutable container
images
Weave GitOps
Pulls configuration,
continuously reconciles
and guarantees
compliance through
policy as code
EKS
Securely pulls container artifacts
using integrated IAM
authentication

10
10
Securing the Pipeline is Critical

11
11
Securing pipelines is critical
● Detect pipeline hijacking
● Eliminate access from CI systems into target runtime environments
● Reduce the risk of pipeline intrusion by removing the imperative element
of delivery
● Guarantee artifact integrity
● Integrate with RBAC and enforce authentication and authorization throughout
● Keep privileged and sensitive build and runtime information securely stored
and isolated

12
12
Technologies towards trusted delivery
● Guaranteed artifact integrity All pipelines should be stored following GitOps
principles: Declarative, Versioned and Immutable.
Pipelines code versions should be uniquely hashed,
and CI systems should use speciﬁc pipeline versions
and be validated against the expected version hash.

13
13
● Guaranteed artifact integrity A trusted pipeline should produce a
veriﬁable artifact.
Use container image signing to identify guaranteed
artifacts. Use policies to validate the admission of
artifacts, and reject any artifact that does not match
the expected signature.

14
14
● Guaranteed artifact integrity
https://www.cisa.gov/sbom
Use SBOM as part of your artifact build
and validation process. The security of your
artifact is as strong as its weakest dependency.
Artifacts should not be signed unless SBOM validations
passes.

15
15
● Eliminate access from CI
systems into target runtime
environments
● Reduce the risk of pipeline
intrusion by removing the
imperative element of delivery
Weave GitOps follows all four principles of GitOps,
thus delegating and abstracting deployment
complexity to agents running in the target environment,
removing the need for access into target runtime
environments from CI or less privileged systems.
Do not push instructions from CI systems and disable
direct access into target runtime environments from
central continuous integration platforms.

16
16
● Integrate with RBAC and
enforce authentication and
authorization throughout
● Keep privileged and sensitive
build and runtime information
securely stored and isolated
EKS oﬀers unique capabilities that integrate
Kubernetes primitives with AWS authentication
and authorization capabilities. These capabilities
together with Weave GitOps declarative deployment
Declare your Pod Security Groups, OIDC and Secrets
Manager integration, and deploy and validate during
runtime with Weave GitOps continuous reconciliation
and policy engine.

17
17
The AWS Security Maturity Model
https://maturitymodel.security.aws.dev/en/model/
A model that helps organizations prioritize and learn towards
overcoming the many challenges related to security faced by
enterprises today.
Built and validated by a team of AWS Security Specialists

18
18
How does EKS and Weave GitOps Trusted
Delivery help achieve Security Maturity

19
19
EKS + Weave GitOps Secure Runtime Environment

20
20
Policy Driven Continuous Compliance
The policies that declare and validate compliance, should be
treated just as everything else: be code, that is versioned,
and immutable.

21
21
Policy Driven Continuous Compliance
Reconcile:
aka: deploy!
Test SBOM Sign Publish
Continuous Integration Continuous Deployment
Policy:
Admit or
Reject

22
22
PRODUCTION
QA
INTEGRATION
Trust increases across stages
DEVELOPMENT
Each stage uses a pipeline to promote, increasing the scope
of validation, therefore increasing the level of trust required
and validated through policy in the next stage, eventually
reaching production

23
23
EKS Capabilities for mature, integrated runtime security
EKS Secrets Store CSI Driver for AWS
https://github.com/aws/secrets-store-csi-driver-provider-aws
Security Groups for Pods
https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
https://aws.amazon.com/blogs/containers/introducing-oidc-identity-provider-authentication-amazon-eks/
OIDC Integrated Federation

24
24
Pipeline technologies to validate and produce
a veriﬁed artifact
https://github.com/kubernete
s-sigs/bom
https://github.com/sigstore/
cosign
https://in-toto.io/
Weave GitOps
Continuously validate and deploy
trusted artifacts built and signed as
expected
Secure the integrity of the supply
chain Produce a SPDX compliant BOM
for the built artifact
Sign the artifact

25
25
Check out our latest White Paper
Best Practices for Hybrid Cloud Kubernetes with EKS and
Weave GitOps
Request a demo of Weave GitOps Enterprise
www.weave.works/contact
Take advantage of EKS Blueprints and GitOps
Best Practices
Weaveworks & AWS EKS Accelerator Program
Thank You

26
Thank you
https://weave.works
26

Trusted Application Delivery: Achieving Ultimate Security

Recommandé

Recommandé

Contenu connexe

Similaire à Trusted Application Delivery: Achieving Ultimate Security

Similaire à Trusted Application Delivery: Achieving Ultimate Security (20)

Plus de Weaveworks

Plus de Weaveworks (20)

Dernier

Dernier (20)

Trusted Application Delivery: Achieving Ultimate Security