Security is one of the top priorities for stack.io and our clients. We understand that cloud migration exposes applications to new vulnerabilities. However, based on the results of the 2019 SANS State of Cloud Security survey, many of the security threats are manageable through proper infrastructural setup. The author of the survey, Dave Shackleford, attributes the root of cloud risk to a lack of planning and communication.
“People go to the cloud without a plan. They lack governance or even conversations within the organizations,” he told TechTarget. Also in an interview with TechTarget, Tony Buffomante, cybersecurity global co-leader for KPMG, agreed with Shackleford, explaining that in-house team member(s) responsible for security often do not have the wide breadth of knowledge necessary to ensure security end-to-end because there is no single tool or process that guarantees a secure infrastructure.
When it comes to the cloud, particularly Amazon EKS, our team of public cloud infrastructure consultants implements the industry best practices in our infrastructure to reduce the burden on your in-house team member(s) responsible for security.
In a blog post, Karen Bruner summarizes her Bay Area AWS Community Day talk on Amazon EKS Security Best Practices. Bruner breaks down her best practices into four categories:
Cluster Design
Cluster Networking
Secure Container Images
Pod Runtime Security
Some of the best practices we want to highlight from Bruner’s talk include:
Adoption of network isolation practices so kubernetes nodes aren’t exposed to the public internet
Installation of Calico CNI to enforce intra-cluster network policies and limit communication between services in different namespaces
Implementation of role-based access controls for admins, developers, and other types of staff
Integration of kube2iam to protect and reduce the number of services that require IAM credentials
Deployment of container images from trusted repositories
Alongside with the above suggestions by Bruner, here are two additional ways that stack.io maintains the security of your application.
SSH Keys
To ensure the principle of least privilege (PILP), our public cloud infrastructure consultants use SSH keys to limit access to virtual machine (VM) that only need occasional access for maintenance.
When setting up new Kubernetes nodes, we set up SSH keys and implement other server hardening practices using a local Ansible script. These hardening practices include automated security patching of machines, installation of updated versions of Kubernetes/Databases, and more.
When a user wants to access a VM to perform maintenance, they SSH to the machine over a VPN and use their SSH key to authenticate with the server.
An audit log keeps track of all login attempts, allowing the server to ban any users who fail to authenticate correctly over a specified threshold.
Polaris
Our public cloud infrastructure consultants can optionally set up Rubrik Polaris to validate security best practices on your cluster. Polaris allows us to configure automatic checks for deployment best practices including Security Context, Security Capabilities, and Privileges.
For example, we can automate Polaris to pause or stop deployment of your latest updates if the Polaris check does not pass the minimum number of security checks. The solution is customizable, so we can help your team determine what the thresholds and checks you should have for your web application.
Want to deploy your app via Kubernetes on AWS? Send us a message and we’ll be in touch.