© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Community Builders
Amazon EKS – Security best practices
Jeff Lombardo
Sr. Solution Architect, Security Specialist
February 2022
Jeff Lombardo
Senior Solution Architect / Security Specialist at AWS
17 years of expertise in Identity and Access Management,
Application Security, and Data Protection
Joined AWS in September 2020
My motto: Give me a redirect URI and I will SSO the world
Agenda
• Amazon EKS in a nutshell: Is EKS different from K8s? Who is responsible for the security? How has the service evolved?
• Security best practices on EKS: Are they different? Are they specific? What are the advantages?
• Demo: How can I secure my Company Socks Shop?
• Starting to build with Amazon EKS: Multiple resources to help you learn more
Amazon EKS in a nutshell
Amazon EKS Tenets
• It is Kubernetes Upstream
• Service integrations
• Production workloads
Choose your own adventure
• ECS: on EC2, on Fargate, or Anywhere
• EKS: on EC2, on Fargate, or Anywhere
Shared responsibility model for EKS
Amazon EKS story
Timeline 2017 to 2021, by theme: control plane first, then data plane, then cluster ops
Amazon EKS highlight launches over the last year
Storage and networking
• Amazon EBS CSI driver
• Amazon EFS CSI driver w/ dynamic provisioning
• Amazon VPC CNI increased pod density
• Pod-level security group
• AWS Load Balancer Controller
• Multus CNI support
Tooling
• AWS CDK for K8s
• AWS Controllers for Kubernetes
• Amazon EKS add-ons
• Hosted Kubernetes console
• Remote Cluster Connector
• eksctl instance selector
Nodes
• Managed node groups custom launch templates
• Karpenter node provisioning
• P4d/Elastic Fabric Adapter support
• Parallel node group upgrades
• Containerd support
• Amazon EKS/AWS Fargate built-in logging
Region/version expansion
• Osaka region
• AWS Fargate region expansion – Frankfurt, Oregon,
Singapore, Sydney, Cape Town, Osaka, and Milan
• Support for Kubernetes version 1.19, 1.20, 1.21
Environment expansion
• Amazon EKS Distro
• Amazon EKS Anywhere
Amazon EKS recent launches – Security Pillar
Protection mechanisms
• AWS Certificate Manager (ACM) Private Certificate Authority
• AWS Secrets Manager CSI driver
• ECR signed image validation
• IAM roles for Service Accounts v2
EKS improvements
• IAM cluster API management
• External OIDC authentication
• EKS API PrivateLink
• Secrets encryption with AWS KMS
• VPC CNI network policy
Compliance
• FedRAMP Moderate, High
• DoD CC SRG
Amazon EKS just-shipped features
https://github.com/aws-controllers-k8s/community
https://isovalent.com/blog/post/2021-09-aws-eks-anywhere-chooses-cilium
https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-guardduty-elastic-kubernetes-service-clusters/
EKS Anywhere Enterprise Support
Ubuntu, Bottlerocket, Cilium, Flux
All bundled components in EKS-Anywhere will have integrated support through AWS.
What is coming up for EKS?
Assessing compliance for EKS CIS standards into standard AWS security services
Having an overall view of infrastructure configuration from a security perspective in a single place is valuable. kube-bench scores compliance of EKS configuration against the EKS CIS standard. However, running the EKS benchmark against EKS deployments is manual and not available through an AWS managed component. It would be great if CIS EKS could be executed and findings/results reflected back into security monitoring services. Security Hub provides a great place to aggregate findings from various systems in a single service.
Changing security group of EKS master without replacing the cluster
Changing the security group on the EKS master to match new requirements or threats is valuable. Unfortunately, there seems to be no way of doing this without deleting the cluster, whether through CloudFormation or the console.
• Non-exhaustive list of EKS items
• Also includes ECS items
https://github.com/aws/containers-roadmap/
Security best practices on EKS
Security strategy at AWS
(slide: map of AWS services across the Identify, Protect, Detect and Respond phases, with Automate, Investigate and Recover as cross-cutting activities)
Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, KMS, IAM, AWS Single Sign-On, snapshots and archives, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, AWS Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier, AWS CloudFormation, AWS OpsWorks, Amazon Detective, AWS Network Firewall, AWS Backup
Security strategy at AWS with EKS
(slide: the same Identify, Protect, Detect and Respond map, with Automate, Investigate and Recover cross-cutting, overlaid with the services EKS integrates and the container-level functions it supports)
EKS integrated AWS services: AWS Systems Manager, AWS Config, Amazon CloudWatch, Amazon Inspector, Amazon GuardDuty, KMS, IAM, snapshots, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Certificate Manager, AWS Security Hub, AWS Network Firewall, AWS App Mesh, Amazon Elastic Block Store, Amazon Elastic File System, AWS Backup, Amazon FSx for Lustre, AWS Artifact
Container function support: Linux capabilities, Pod Security Standards, Pod Security Admission, policy as code, CNI network policy, CSI drivers
One place to go
https://aws.github.io/aws-eks-best-practices/security/docs/
And more, with guidance on Cluster Autoscaling, Reliability, and Windows Containers
More granularity on Identity Management
(slide: one EC2 instance hosting Business Logic #1 and Business Logic #2; both call the IMDSv2 endpoint and receive the same EC2 instance role, which grants access to the Amazon S3 bucket and to Amazon RDS)
More granularity on Identity Management (continued)
(slide, left: the EC2 instance above, where Business Logic #1 and #2 share one EC2 instance role obtained through the IMDSv2 endpoint, and therefore the same access to the Amazon S3 bucket and Amazon RDS)
(slide, right: an EC2 instance acting as EKS worker node, where the EC2 instance role from the IMDSv2 endpoint is used for node duties such as pulling from Amazon Elastic Container Registry, while Business Logic #1 and #2 run as pods with their own service account roles, one scoped to the Amazon S3 bucket and one to Amazon RDS)
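The right-hand diagram is IAM Roles for Service Accounts (IRSA): each pod presents a projected service account token to STS and gets its own role instead of the node's. What makes that per-workload rather than per-cluster is the trust policy's `sub` condition. The block below is an added example, not code from the deck or from AWS; the account ID, OIDC issuer, namespace and role names are constructed placeholders. It builds a scoped trust policy and the annotated ServiceAccount, and audits a trust policy for the common mistake of pinning only `aud`, which lets any pod in the cluster assume the role.

```python
"""IAM Roles for Service Accounts (IRSA): build a correctly scoped trust policy,
the matching ServiceAccount manifest, and audit an existing trust policy.

Added example, not code from the deck. Account ID, OIDC issuer and names are
constructed placeholders."""
import json

ACCOUNT_ID = "111122223333"  # constructed
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # constructed


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy for one role, assumable only by one service account.

    The token's `sub` claim is system:serviceaccount:<namespace>:<name>;
    pinning it is what makes the role per-workload instead of per-cluster."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def service_account_manifest(namespace, name, role_arn):
    """ServiceAccount the pod runs as; the annotation is what the EKS pod
    identity webhook reads to inject the projected token and AWS_ROLE_ARN."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def audit_trust_policy(policy, oidc_issuer):
    """Return findings for web-identity statements broader than one service
    account. Statement is assumed to be a list (IAM also accepts a single dict)."""
    findings = []
    sub_key, aud_key = f"{oidc_issuer}:sub", f"{oidc_issuer}:aud"
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(aud_key) != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        sub = equals.get(sub_key, like.get(sub_key))
        if sub is None:
            findings.append("no sub condition: every service account in the cluster can assume this role")
        elif "*" in sub:
            findings.append(f"sub uses a wildcard ({sub}): verify every matching service account should hold this role")
    return findings


# Constructed "before" policy: trusts the cluster's OIDC provider with only the
# audience pinned, so any pod holding a projected token can assume the role.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"}},
    }],
}


def payment_role_bundle():
    """Trust policy and ServiceAccount for the demo's payment workload, plus audit results."""
    trust = irsa_trust_policy(ACCOUNT_ID, OIDC_ISSUER, "shop", "payment")
    sa = service_account_manifest("shop", "payment", f"arn:aws:iam::{ACCOUNT_ID}:role/shop-payment")
    return {
        "trust_policy": trust,
        "service_account": sa,
        "findings_scoped": audit_trust_policy(trust, OIDC_ISSUER),
        "findings_loose": audit_trust_policy(LOOSE_TRUST_POLICY, OIDC_ISSUER),
    }


if __name__ == "__main__":
    print(json.dumps(payment_role_bundle(), indent=2))
```

The audit only reads the trust policy; pair it with a review of the permission policy attached to the role, and keep the node's instance role limited to node duties, since every pod on the node can still reach IMDSv2 unless the hop limit or a network policy blocks it.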
More granularity on Network Protection
(slide: a VPC with a public subnet and a private subnet separated by a network ACL; two EC2 instances, each with its own security group, host Business Logic #1 and Business Logic #2)
More granularity on Network Protection (continued)
(slide, left: the one-instance-per-workload layout above, with the network ACL at the subnet boundary and one security group per EC2 instance)
(slide, right: an EC2 instance acting as worker node in the private subnet, carrying Business Logic #1 and #2 as pods; each pod is attached to its own ENI with its own security group, a Kubernetes network policy sits between the pods, and the network ACL still guards the subnet boundary)
Demo
Demo context
(slide: the Sock Shop microservices demo deployed on EKS inside the AWS Cloud. A user reaches an Application Load Balancer in the public subnet through the Internet gateway; the EC2 worker nodes sit behind a security group and a network ACL inside the VPC; the product catalogue is backed by Amazon RDS. Services shown: front-end, order, order db, shipping, queue, payment, user, user db, cart, cart db, catalogue.)
https://github.com/microservices-demo
Objectives
• Change CNI to Calico
• Implement Calico Network Policy
• Trigger GuardDuty events
All pods communicate with all pods
> kubectl exec --stdin --tty user-6b45cf8b6d-djjg2 -n shop -- sh
/ $ telnet payment 80
POST /paymentAuth HTTP/1.1
Host: payment
Content-Type: application/json; charset=utf-8
Content-Length: 36

{"Amount":100,"Account":12321425478}
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Tue, 08 Feb 2022 21:59:04 GMT
Content-Length: 51

{"authorised":true,"message":"Payment authorised"}
Our USER pod, dedicated to authentication, can send payment requests to the PAYMENT pod.
Enforce Calico Network Policies on Payment pod
> kubectl calico apply -f default-deny.yaml -n octank --config=calico.cfg.yaml --allow-version-mismatch
> kubectl calico apply -f allow-network-policies.yaml --config=calico.cfg.yaml --allow-version-mismatch
1. Deny all traffic
2. Then allow specific traffic
3. Be mindful of statelessness: security groups and CNI-enforced network policies track connections, so the return traffic of an allowed connection passes; network ACLs do not, and need explicit rules in both directions
Security Groups for Pods vs K8s Network Policy vs Calico Network Policy: what are the differences?
Security groups for pods are enforced by the VPC on the pod's own ENI, are stateful and only understand IP addresses and ports. Kubernetes NetworkPolicy is the upstream API and relies on a CNI that implements it (Calico here, hence the CNI change in the demo). Calico's own NetworkPolicy and GlobalNetworkPolicy add ordered rules, explicit deny actions and cluster-wide scope on top of the upstream model.
Check the control
> kubectl exec --stdin --tty user-6b45cf8b6d-djjg2 -n shop -- sh
/ $ telnet payment 80
POST /paymentAuth HTTP/1.1
Host: payment
Content-Type: application/json; charset=utf-8
Content-Length: 36

{"Amount":100,"Account":12321425478}
Time out….
The same request from the USER pod now gets no answer: the PAYMENT pod only accepts the traffic the policy allows. You can now prevent lateral movement.
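The demo applies Calico manifests whose contents are not on the slides. The block below is an added example, not code from the deck or from the microservices-demo project: it writes the two-step pattern (deny all ingress, then allow only front-end to payment on TCP/80) as upstream networking.k8s.io/v1 NetworkPolicy objects, which Calico enforces on EKS, and evaluates their ingress semantics offline against constructed Sock Shop pods. Pod names, labels and the namespace label are constructed; the evaluator covers podSelector, namespaceSelector and ports and ignores ipBlock and matchExpressions.

```python
"""Kubernetes NetworkPolicy ingress semantics, evaluated offline against the
Sock Shop pods from the demo: default-deny first, then allow only what is needed.

Added example, not code from the deck or from the microservices-demo project.
Pod names, labels and the policies are constructed; the evaluator covers
podSelector/namespaceSelector/ports and ignores ipBlock and matchExpressions."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace labels (kubernetes.io/metadata.name is set by Kubernetes itself).
NAMESPACE_LABELS = {"shop": {"kubernetes.io/metadata.name": "shop"}}

# Step 1: deny all ingress to every pod in the namespace (empty podSelector, no ingress rules).
DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

# Step 2: allow only the front-end to reach payment on TCP/80.
ALLOW_FRONT_END_TO_PAYMENT = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-front-end-to-payment", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"name": "payment"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"name": "front-end"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}


def selector_matches(selector, labels):
    """Empty selector matches everything; matchLabels requires every pair to be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_namespace):
    """One `from` entry. podSelector alone means pods in the policy's own namespace;
    namespaceSelector alone means all pods in matching namespaces; both means AND."""
    if "ipBlock" in peer:
        return False
    ns_selector = peer.get("namespaceSelector")
    if ns_selector is None:
        if src.namespace != policy_namespace:
            return False
    elif not selector_matches(ns_selector, NAMESPACE_LABELS.get(src.namespace, {})):
        return False
    pod_selector = peer.get("podSelector")
    return pod_selector is None or selector_matches(pod_selector, src.labels)


def rule_allows(rule, src, port, protocol, policy_namespace):
    """An ingress rule with no `from` admits any source; no `ports` admits any port."""
    peers = rule.get("from")
    if peers is not None and not any(peer_matches(p, src, policy_namespace) for p in peers):
        return False
    ports = rule.get("ports")
    return ports is None or any(
        p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports
    )


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """Upstream semantics: a pod selected by no ingress policy accepts everything;
    once selected, a connection is allowed only if some rule of some selecting policy
    admits it (policies are additive; networking.k8s.io/v1 has no deny rule)."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and selector_matches(p["spec"].get("podSelector", {}), dst.labels)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not selecting:
        return True
    return any(
        rule_allows(rule, src, port, protocol, p["metadata"]["namespace"])
        for p in selecting for rule in p["spec"].get("ingress", [])
    )


# Constructed pods using the microservices-demo label convention (name=<service>).
USER = Pod("user-6b45cf8b6d-djjg2", "shop", {"name": "user"})
PAYMENT = Pod("payment-7c9f5d4b8-x2k9q", "shop", {"name": "payment"})
FRONT_END = Pod("front-end-6f5c8d9b7-p4m2z", "shop", {"name": "front-end"})


def demo():
    """Reproduce the two demo slides: open cluster, then default-deny plus one allow."""
    enforced = [DEFAULT_DENY_INGRESS, ALLOW_FRONT_END_TO_PAYMENT]
    return {
        "open_user_to_payment": ingress_allowed([], USER, PAYMENT, 80),
        "deny_only_front_end_to_payment": ingress_allowed([DEFAULT_DENY_INGRESS], FRONT_END, PAYMENT, 80),
        "enforced_user_to_payment": ingress_allowed(enforced, USER, PAYMENT, 80),
        "enforced_front_end_to_payment": ingress_allowed(enforced, FRONT_END, PAYMENT, 80),
        "enforced_front_end_to_payment_8080": ingress_allowed(enforced, FRONT_END, PAYMENT, 8080),
        "enforced_front_end_to_user": ingress_allowed(enforced, FRONT_END, USER, 80),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The `deny_only` case shows why the order of the two `kubectl calico apply` commands matters in production: between the first and the second apply, the front-end cannot reach payment either. The evaluator decides only whether a connection may be opened; replies on an allowed connection pass because the CNI tracks connections, which is the stateful behaviour the "statelessness" step contrasts with network ACLs.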
How to learn more
Other security news for Amazon EKS
https://aws.amazon.com/about-aws/whats-new/2022/01/acm-kubernetes-cert-manager-plugin-production/
https://aws.amazon.com/about-aws/whats-new/2021/12/eks-add-ons-ebs-csi-driver/
Re:Invent 2021 recap
https://www.youtube.com/watch?v=Q3Uj1rsmFLw https://www.youtube.com/watch?v=V8DidcYmNmU
EKS workshops https://www.eksworkshop.com/
Beginner
• AWS IAM groups for
cluster Access
• AWS IAM roles for Service Accounts
• Security groups for pods
• Network Policies
• Secure Secrets
management
Intermediate
• CI/CD pipeline
• Logging with Amazon
OpenSearch
• Open Policy Agent
• AWS App Mesh
Advanced
• Service mesh with Istio
• Machine Learning with
Kubeflow
• Machine learning with
Amazon EMR
Thank you!
Please, don’t forget to fill
the survey for this session:
<your link>

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Último (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Amazon EKS - security best practices - 2022

  • 9. Amazon EKS highlight launches over the last year
    Storage and networking
    • Amazon EBS CSI driver
    • Amazon EFS CSI driver w/ dynamic provisioning
    • Amazon VPC CNI increased pod density
    • Pod-level security group
    • AWS Load Balancer Controller
    • Multus CNI support
    Tooling
    • AWS CDK for K8s
    • AWS Controllers for Kubernetes
    • Amazon EKS add-ons
    • Hosted Kubernetes console
    • Remote Cluster Connector
    • eksctl instance selector
    Nodes
    • Managed node groups custom launch templates
    • Karpenter node provisioning
    • P4d/Elastic Fabric Adapter support
    • Parallel node group upgrades
    • Containerd support
    • Amazon EKS/AWS Fargate built-in logging
    Region/version expansion
    • Osaka region
    • AWS Fargate region expansion – Frankfurt, Oregon, Singapore, Sydney, Cape Town, Osaka, and Milan
    • Support for Kubernetes version 1.19, 1.20, 1.21
    Environment expansion
    • Amazon EKS Distro
    • Amazon EKS Anywhere
  • 10. Amazon EKS recent launches – Security Pillar
    Protection mechanisms
    • AWS Certificate Manager (ACM) Private Certificate Authority
    • AWS Secrets Manager CSI driver
    • ECR signed image validation
    • IAM roles for Service Account v2
    EKS improvements
    • IAM Cluster API management
    • External OIDC authentication
    • EKS API PrivateLink
    • Secrets encryption with AWS KMS
    • VPC CNI network policy
    Compliance
    • FedRAMP Moderate, High
    • DoD CC SRG
  • 11. Amazon EKS just-shipped features
    https://github.com/aws-controllers-k8s/community
    https://isovalent.com/blog/post/2021-09-aws-eks-anywhere-chooses-cilium
    https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-guardduty-elastic-kubernetes-service-clusters/
  • 12. EKS Anywhere Enterprise Support
    Ubuntu
    Bottlerocket
    Cilium
    Flux
    All bundled components in EKS-Anywhere will have integrated support through AWS.
  • 13. What is coming up for EKS?
    Assessing compliance for EKS CIS standards into standard AWS security services
    Having an overall view of infrastructure configuration from a security perspective in a single place is valuable. kube-bench scores compliance of EKS configuration against the EKS CIS standard. However, running the EKS benchmark against EKS deployments is manual and not available through an AWS managed component. It would be great if CIS EKS could be executed and findings/results reflected back into security monitoring services—Security Hub provides a great place to aggregate findings from various systems in a single service.
    Changing security group of EKS master without replacing the cluster
    Changing the security group on the EKS master to match new requirements or threats is valuable. Unfortunately, there seems to be no way of doing this without deleting the cluster, whether through CloudFormation or the console.
    • Not an exhaustive EKS list
    • Also includes ECS items
    https://github.com/aws/containers-roadmap/
  • 14. Security best practices on EKS
  • 15. Security strategy at AWS
    Diagram mapping AWS services to the functions Identify, Protect, Detect, Respond, Automate, Investigate and Recover. Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, KMS, IAM, AWS Single Sign-On, Snapshot, Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Organizations, Personal Health Dashboard, Amazon Route 53, AWS Direct Connect, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Step Functions, Amazon Cloud Directory, AWS CloudHSM, AWS Certificate Manager, AWS Control Tower, AWS Service Catalog, AWS Well-Architected Tool, AWS Trusted Advisor, Resource Access Manager, AWS Directory Service, Amazon Cognito, Amazon S3 Glacier, AWS CloudFormation, AWS OpsWorks, Amazon Detective, AWS Network Firewall, AWS Backup.
  • 16. Security strategy at AWS with EKS
    Same diagram (Identify, Protect, Detect, Respond, Automate, Investigate, Recover) restricted to what applies to EKS, with a legend distinguishing "EKS integrated AWS service" from "Container function support". AWS services shown: AWS Systems Manager, AWS Config, Amazon CloudWatch, Amazon Inspector, Amazon GuardDuty, KMS, IAM, Snapshot, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager, AWS Transit Gateway, Amazon VPC PrivateLink, AWS Certificate Manager, AWS Security Hub, AWS Network Firewall, AWS App Mesh, Amazon Elastic Block Store, Amazon Elastic File System, AWS Backup, Amazon FSx for Lustre CSI, AWS Artifact. Container functions shown: Linux capabilities, Pod Security Standards, Policy as code, Pod Security Admission, CNI Network Policy.
  • 17. One place to go
    https://aws.github.io/aws-eks-best-practices/security/docs/
    And more, with guidance on Cluster Autoscaling, Reliability, and Windows Containers
  • 18. More granularity on Identity Management
    Diagram: an EC2 Instance running Business Logic #1 and Business Logic #2; both go through the IMDSv2 endpoint and share the instance's single Role to reach an Amazon S3 bucket and Amazon RDS.
  • 19. More granularity on Identity Management
    Diagram, the EC2 case from the previous slide next to the EKS case: the EC2 Instance (worker node) keeps an EC2 Instance Role, obtained through the IMDSv2 endpoint, for Amazon Elastic Container Registry, while Business Logic #1 and Business Logic #2 each get their own Service Account Role for the Amazon S3 bucket and Amazon RDS.
  • 20. More granularity on Network Protection
    Diagram: a VPC with a Public subnet and a Private subnet separated by a Network ACL; Business Logic #1 and Business Logic #2 run on separate EC2 Instances, each with its own Security group.
  • 21. More granularity on Network Protection
    Diagram, the EC2 case from the previous slide next to the EKS case: one EC2 Instance (worker node) hosts Business Logic #1 and Business Logic #2, each with its own ENI and Security group, inside the same VPC, Public/Private subnets and Network ACL, with a Network Policy applied between the pods.
  • 22. Demo
  • 23. Demo context
    Diagram of the Sock Shop deployment: AWS Cloud, VPC with Internet gateway and Network ACL, a Public subnet holding an Application load balancer and EC2 Instances (worker nodes) behind a Security group, plus Amazon RDS (Product catalog). Pods: Front-end, Order, Order db, Shipping, Queue, Payment, User, User db, Cart, Cart db, Catalogue; external actors: User, Client.
    https://github.com/microservices-demo
  • 24. Objectives
    Change CNI to Calico
    Implement Calico Network Policy
    Trigger GuardDuty events
  • 25. All pods communicate with all pods
    >kubectl exec --stdin --tty user-6b45cf8b6d-djjg2 -n shop -- sh
    / $ telnet payment 80
    POST /paymentAuth HTTP/1.1
    Host: payment
    Content-Type: application/json; charset=utf-8
    Content-Length: 36

    {"Amount":100,"Account":12321425478}

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Date: Tue, 08 Feb 2022 21:59:04 GMT
    Content-Length: 51

    {"authorised":true,"message":"Payment authorised"}
    Our USER pod dedicated to authentication can send payment requests to the PAYMENT pod
  • 26. Enforce Calico Network Policies on Payment pod
    >kubectl calico apply -f default-deny.yaml -n octank --config=calico.cfg.yaml --allow-version-mismatch
    >kubectl calico apply -f allow-network-policies.yaml --config=calico.cfg.yaml --allow-version-mismatch
    1. Deny all traffic
    2. Then allow specific traffic
    3. Be mindful of statelessness
    Security Groups for Pods vs K8s Network Policy vs Calico Network Policy: what are the differences?
  • 27. Check the control
    >kubectl exec --stdin --tty user-6b45cf8b6d-djjg2 -n shop -- sh
    / $ telnet payment 80
    POST /paymentAuth HTTP/1.1
    Host: payment
    Content-Type: application/json; charset=utf-8
    Content-Length: 36

    {"Amount":100,"Account":12321425478}

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Date: Tue, 08 Feb 2022 21:59:04 GMT
    Content-Length: 51
    Time out….
    You can now prevent lateral movement
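The three steps of slide 26 (deny all, then allow specific traffic, then account for what the deny silently breaks) written out as Calico policies, added here as an illustration; these are not the demo's own default-deny.yaml or allow-network-policies.yaml. The `shop` namespace, the `name: payment` / `name: orders` pod labels and the `k8s-app: kube-dns` label in `kube-system` are assumptions about the Sock Shop and cluster manifests.

```yaml
# Added example (not the demo's default-deny.yaml / allow-network-policies.yaml).
# Assumed: Sock Shop pods run in namespace "shop" labelled name=<service>
# (name: payment, name: orders); CoreDNS runs in kube-system as k8s-app=kube-dns.
#
# Step 1: deny all. A Calico policy that selects a pod but matches no rule gives
# no verdict, and traffic that gets no verdict from any policy is dropped, so
# this alone isolates every pod in the namespace in both directions.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: shop
spec:
  selector: all()
  types: [Ingress, Egress]
---
# Step 2a: only orders pods may reach payment on TCP/80. The user pod from the
# demo matches no allow rule, so its "telnet payment 80" now times out.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-orders-to-payment
  namespace: shop
spec:
  selector: name == 'payment'
  types: [Ingress]
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: name == 'orders'
    destination:
      ports: [80]
---
# Step 2b: the egress half of the same flow. The default deny also covers
# Egress, so the client side needs its own allow or the SYN never leaves the
# orders pod. Reply packets are matched by connection tracking: no extra rule.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-orders-egress-to-payment
  namespace: shop
spec:
  selector: name == 'orders'
  types: [Egress]
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: name == 'payment'
      ports: [80]
---
# Step 3: with egress denied, name resolution breaks before anything else, so
# "telnet payment 80" would fail on the DNS lookup rather than on the policy
# under test. Let every pod in the namespace reach cluster DNS on UDP/53.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: shop
spec:
  selector: all()
  types: [Egress]
  egress:
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
      selector: k8s-app == 'kube-dns'
      ports: [53]
```

Once the default deny is in place, every further consumer of payment needs its own ingress/egress pair like 2a/2b; a connection that hangs after DNS resolves, as on the slide, is the policy doing its job.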
  • 28. How to learn more
  • 29. Other security news for Amazon EKS
    https://aws.amazon.com/about-aws/whats-new/2022/01/acm-kubernetes-cert-manager-plugin-production/
    https://aws.amazon.com/about-aws/whats-new/2021/12/eks-add-ons-ebs-csi-driver/
  • 30. Re:Invent 2021 recap
    https://www.youtube.com/watch?v=Q3Uj1rsmFLw
    https://www.youtube.com/watch?v=V8DidcYmNmU
  • 31. EKS workshops
    https://www.eksworkshop.com/
    Beginner
    • AWS IAM groups for cluster access
    • AWS IAM roles for Service Accounts
    • Security groups for pods
    • Network Policies
    • Secure Secrets management
    Intermediate
    • CI/CD pipeline
    • Logging with Amazon OpenSearch
    • Open Policy Agent
    • AWS App Mesh
    Advanced
    • Service mesh with Istio
    • Machine Learning with Kubeflow
    • Machine learning with Amazon EMR
  • 32. Thank you!
    Please, don't forget to fill the survey for this session: <your link>