The document discusses securing application delivery on Amazon EKS. It begins with an overview of the AWS shared responsibility model and EKS security best practices. This includes identity and access management, host and container image hardening, network segmentation, auditing and logging, and data encryption. The presentation then discusses how Weave GitOps can be used to achieve declarative and secure continuous delivery on EKS, enhancing security by creating an immutable barrier between CI and CD and guaranteeing trusted configuration and artifacts at runtime through policy as code and continuous reconciliation.
Slide 1: EKS & Weave GitOps
Security at the speed of cloud native
Leonardo Murillo
Principal Partner Solutions Architect, Weaveworks
@murillodigital
leonardo@weave.works
Slide 2
Leo brings wide-ranging industry perspective, with over 20 years of experience building technology and leading teams all the way from startups to Fortune 500s. He is passionate about cloud native technologies, organizational transformation and the open source community. As former CTO he led worldwide teams building cloud native software for large enterprises. In his role as Principal Partner Solutions Architect at Weaveworks, he focuses on helping solve application and infrastructure delivery challenges on Kubernetes at scale.
Leonardo Murillo
Principal Partner Solutions Architect, Weaveworks
@murillodigital ⬝ leonardo@weave.works
Slide 3: Weaveworks: the GitOps company
Weaveworks is backed by solid investors.
Weaveworks is a key partner with all the major infrastructure and Kubernetes vendors.
Weaveworks is deeply committed to the Open Source Community.
Slide 6: DevOps and Cloud Native: A combination for speed
DevOps: remove silos and reduce handoffs.
Cloud Native: decoupled and immutable.
Improve DORA metrics:
● Lead time for changes
● Deployment frequency
● Time to restore service
● Change failure rate
Slide 7: AWS, EKS and Weave GitOps simplify and secure Cloud Native DevOps
AWS Shared Responsibility: Foundational Security
EKS + ECR: Highly Secure Kubernetes Platform and container image registry
● OIDC Integration
● Pod Security Groups
● RBAC / IAM Integration
● Container Image Scanning
● Immutable Tags
Weave GitOps: Declarative and secure continuous delivery
● Policy as Code
● Declarative Configuration
● Pull Based Continuous Reconciliation
● Trusted Delivery
Slide 8: The foundation of velocity is CI/CD
Going faster and getting to Continuous Deployment is a matter of trust.
Continuous Integration: produce a trustable artifact:
● Test (application and all dependencies / SBOM)
● Sign
● Securely and uniquely store
Continuous Delivery/Deployment: guarantee workloads and configuration can be trusted during delivery and runtime (over time):
● Immutable Configuration
● Declarative Policy
● Continuous compliance
Slide 9: CI/CD is all about pipelines and artifacts
Weave GitOps enhances security by creating an immutable barrier between CI and CD, and guarantees trusted artifacts and configuration at runtime.
● CodePipeline: performs integration tasks and pushes a verified, uniquely tagged and signed container image.
● CodeCommit: stores declarative configuration for the entire system, including integration steps.
● ECR: scans and stores immutable container images.
● Weave GitOps: pulls configuration, continuously reconciles and guarantees compliance through policy as code.
● EKS: securely pulls container artifacts using integrated IAM authentication.
Slide 11: Securing pipelines is critical
● Detect pipeline hijacking
● Eliminate access from CI systems into target runtime environments
● Reduce the risk of pipeline intrusion by removing the imperative element of delivery
● Guarantee artifact integrity
● Integrate with RBAC and enforce authentication and authorization throughout
● Keep privileged and sensitive build and runtime information securely stored and isolated
Slide 12: Technologies towards trusted delivery
● Detect pipeline hijacking
● Guaranteed artifact integrity
All pipelines should be stored following GitOps principles: declarative, versioned and immutable. Pipeline code versions should be uniquely hashed, and CI systems should use specific pipeline versions and be validated against the expected version hash.
Slide 13: Technologies towards trusted delivery
● Detect pipeline hijacking
● Guaranteed artifact integrity
A trusted pipeline should produce a verifiable artifact. Use container image signing to identify guaranteed artifacts. Use policies to validate the admission of artifacts, and reject any artifact that does not match the expected signature.
Slide 14: Technologies towards trusted delivery
● Detect pipeline hijacking
● Guaranteed artifact integrity
Use SBOM as part of your artifact build and validation process. The security of your artifact is as strong as its weakest dependency. Artifacts should not be signed unless SBOM validation passes.
https://www.cisa.gov/sbom
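As an added example (not code from the slides or from Weave GitOps), the following Python pre-signing gate combines the three checks from slides 12 to 14: the CI system runs only a pipeline definition whose hash matches the pinned value, validates the image's SPDX SBOM against a denylist of dependency versions, and permits signing only when both pass. The pipeline definition, pinned hash, SBOM and denylist are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample pipeline definition, as a CI system would fetch it from git,
# and the hash pinned for that version (derived here from the same bytes).
PIPELINE_DEF = b"stages:\n  - build\n  - sbom\n  - sign\n  - push\n"
EXPECTED_PIPELINE_SHA256 = hashlib.sha256(PIPELINE_DEF).hexdigest()

# Constructed SPDX-style SBOM for the built image (kubernetes-sigs/bom emits
# SPDX); only the fields this gate reads are included.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "libfoo", "versionInfo": "1.4.2"},
        {"name": "libbar", "versionInfo": "0.9.0"},
    ],
})
# Constructed denylist of dependency versions that must never ship.
DENYLIST = {("libbar", "0.8.1"), ("libbaz", "2.0.0")}


def pipeline_is_pinned(definition: bytes, expected_sha256: str) -> bool:
    """Slide 12: run only the pipeline version whose hash matches the pinned one."""
    actual = hashlib.sha256(definition).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def validate_sbom(sbom_text: str, denylist: set) -> list:
    """Slide 14: return a list of findings; an empty list means the SBOM passes."""
    try:
        sbom = json.loads(sbom_text)
    except ValueError:
        return ["SBOM is not valid JSON"]
    findings = []
    if not str(sbom.get("spdxVersion", "")).startswith("SPDX-"):
        findings.append("SBOM is not an SPDX document")
    packages = sbom.get("packages") or []
    if not packages:
        findings.append("SBOM lists no packages")
    for pkg in packages:
        name, version = pkg.get("name"), pkg.get("versionInfo")
        if not name or not version:  # unknown provenance is a failure, not a pass
            findings.append(f"package without name/version: {pkg!r}")
        elif (name, version) in denylist:
            findings.append(f"denylisted dependency: {name} {version}")
    return findings


def signing_allowed(definition: bytes, expected_sha256: str, sbom_text: str, denylist: set) -> bool:
    """Slide 13: sign the artifact (e.g. with cosign) only when both checks pass."""
    return (pipeline_is_pinned(definition, expected_sha256)
            and validate_sbom(sbom_text, denylist) == [])
```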
Slide 15: Technologies towards trusted delivery
● Eliminate access from CI systems into target runtime environments
● Reduce the risk of pipeline intrusion by removing the imperative element of delivery
Weave GitOps follows all four principles of GitOps, thus delegating and abstracting deployment complexity to agents running in the target environment, removing the need for access into target runtime environments from CI or less privileged systems. Do not push instructions from CI systems, and disable direct access into target runtime environments from central continuous integration platforms.
Slide 16: Technologies towards trusted delivery
● Integrate with RBAC and enforce authentication and authorization throughout
● Keep privileged and sensitive build and runtime information securely stored and isolated
EKS offers unique capabilities that integrate Kubernetes primitives with AWS authentication and authorization capabilities. These capabilities together with Weave GitOps declarative deployment
Declare your Pod Security Groups, OIDC and Secrets Manager integration, and deploy and validate during runtime with Weave GitOps continuous reconciliation and policy engine.
Slide 17: The AWS Security Maturity Model
https://maturitymodel.security.aws.dev/en/model/
A model that helps organizations prioritize and learn towards overcoming the many challenges related to security faced by enterprises today. Built and validated by a team of AWS Security Specialists.
Slide 20: Policy Driven Continuous Compliance
The policies that declare and validate compliance should be treated just like everything else: as code that is versioned and immutable.
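The admission policy from slide 13 (reject artifacts that do not match what the pipeline produced) written as versioned, reviewable code, as this slide asks for. This is an added Python example, not a Weave GitOps policy; the ECR registry hostname, the attested digest and the manifests are constructed, and the allowlist of attested digests stands in for the cosign signature verification a real policy engine would perform.

```python
import re

# Constructed values (not from the slides): the organisation's ECR registry and
# the image digests the CI pipeline recorded as signed. A real policy engine
# would verify the cosign signature instead of consulting a digest allowlist.
TRUSTED_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
ATTESTED_DIGESTS = {"sha256:" + "a" * 64}

# registry/repo[:tag][@sha256:digest]; bare Docker Hub names have no registry
# part and therefore fail to parse, which the policy treats as a violation.
IMAGE_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)(?::(?P<tag>[^@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


def evaluate(manifest: dict) -> list:
    """Return policy violations for a Deployment-like manifest (empty == compliant)."""
    spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    violations = []
    if not containers:
        violations.append("workload declares no containers")
    for c in containers:
        name, image = c.get("name", "?"), c.get("image", "")
        m = IMAGE_RE.match(image)
        if not m:
            violations.append(f"{name}: unparsable image reference {image!r}")
            continue
        if m["registry"] != TRUSTED_REGISTRY:
            violations.append(f"{name}: image not from trusted registry")
        if not m["digest"]:  # ECR immutable tags help, but the digest is what gets verified
            violations.append(f"{name}: image must be pinned by digest, not tag")
        elif m["digest"] not in ATTESTED_DIGESTS:
            violations.append(f"{name}: digest was not signed by the pipeline")
    return violations


def admit(manifest: dict) -> bool:
    """Admission decision: true only when no policy violation was found."""
    return evaluate(manifest) == []


def deployment(image: str) -> dict:
    """Build a minimal constructed Deployment manifest for one container image."""
    return {"kind": "Deployment", "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": image}]}}}}


SIGNED_IMAGE = f"{TRUSTED_REGISTRY}/team/app@sha256:{'a' * 64}"
```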
Slide 22: Trust increases across stages
Stages: DEVELOPMENT, INTEGRATION, QA, PRODUCTION
Each stage uses a pipeline to promote, increasing the scope of validation, therefore increasing the level of trust required and validated through policy in the next stage, eventually reaching production.
Slide 23: EKS Capabilities for mature, integrated runtime security
● EKS Secrets Store CSI Driver for AWS: https://github.com/aws/secrets-store-csi-driver-provider-aws
● Security Groups for Pods: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
● OIDC Integrated Federation: https://aws.amazon.com/blogs/containers/introducing-oidc-identity-provider-authentication-amazon-eks/
Slide 24: Pipeline technologies to validate and produce a verified artifact
● https://github.com/kubernetes-sigs/bom: produce an SPDX compliant BOM for the built artifact
● https://github.com/sigstore/cosign: sign the artifact
● https://in-toto.io/: secure the integrity of the supply chain
● Weave GitOps: continuously validate and deploy trusted artifacts built and signed as expected
Slide 25: Thank You
● Check out our latest White Paper: Best Practices for Hybrid Cloud Kubernetes with EKS and Weave GitOps
● Request a demo of Weave GitOps Enterprise: www.weave.works/contact
● Take advantage of EKS Blueprints and GitOps Best Practices: Weaveworks & AWS EKS Accelerator Program