Introduction:
Amazon GuardDuty offers extended coverage, allowing for ongoing monitoring and profiling of Amazon EKS cluster activities.
This involves identifying any potentially harmful or suspicious behavior that could pose threats to container workloads. The EKS Protection feature within Amazon GuardDuty delivers threat detection capabilities specifically designed to safeguard Amazon EKS clusters within your AWS setup.
This protection encompasses two key components: EKS Audit Log Monitoring and EKS Runtime Monitoring.
In this blog post, we'll explore how Amazon GuardDuty can help you enhance the security of your EKS clusters, providing you with the tools and insights needed to keep your Kubernetes infrastructure safe and secure.
Amazon GuardDuty:
Amazon GuardDuty is a managed threat detection service that uses a combination of machine learning, anomaly detection, and integrated threat intelligence to identify, flag, and prioritize potential threats.
In January 2022 its capabilities were expanded to include Amazon EKS.
Key features include:
- No additional software is required to run it.
- Continuous 24/7 monitoring of your AWS implementation without added cost or complexity.
- Global coverage.
- Monitoring at both the account and infrastructure level, alerting you to anomalous behavior.
- An intuitive automatic threat severity level to help cybersecurity specialists prioritize potential threats.
EKS Protection includes EKS Audit Log Monitoring and EKS Runtime Monitoring.
EKS Audit Log Monitoring: EKS Audit Log Monitoring helps you detect potentially suspicious activities in EKS clusters within Amazon Elastic Kubernetes Service (Amazon EKS). EKS Audit Log Monitoring uses Kubernetes audit logs to capture chronological activities from users, applications using the Kubernetes API, and the control plane. For more information, see Kubernetes audit logs.
EKS Runtime Monitoring: EKS Runtime Monitoring uses operating system-level events to help you detect potential threats in Amazon EKS nodes and containers within your Amazon EKS clusters. For more information, see Runtime Monitoring.
Enable Amazon GuardDuty for EKS:
Save the following feature configuration as config.json. It enables EKS Protection for both EKS Audit Log Monitoring and EKS Runtime Monitoring, including EKS_ADDON_MANAGEMENT, which lets GuardDuty manage the runtime agent add-on for you.
config.json:
[
    {
        "Name": "EKS_AUDIT_LOGS",
        "Status": "ENABLED"
    },
    {
        "Name": "EKS_RUNTIME_MONITORING",
        "Status": "ENABLED",
        "AdditionalConfiguration": [
            {
                "Name": "EKS_ADDON_MANAGEMENT",
                "Status": "ENABLED"
            }
        ]
    }
]
Run the following command to create the GuardDuty detector with EKS Protection enabled; it prints the ID of the new detector.
aws guardduty create-detector --enable --features file://config.json | jq -r '.DetectorId'
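A small pre-flight check for that config file, added here as an example (not code from the original post). The AWS CLI parses the file as JSON, and a JSON parser keeps only the last value when a key is repeated inside one object, so two features written into a single object would silently collapse into one; the validator below refuses duplicate keys and confirms that both EKS features and the EKS_ADDON_MANAGEMENT setting are ENABLED. The sample inputs are constructed.

```python
"""Validate a GuardDuty feature config before `aws guardduty create-detector --features`.
Added example (not the post's own code): it rejects duplicate keys inside one JSON
object, a mistake json.loads would otherwise hide by keeping only the last value."""
import json

REQUIRED = ("EKS_AUDIT_LOGS", "EKS_RUNTIME_MONITORING")
RUNTIME_ADDON = "EKS_ADDON_MANAGEMENT"


def _reject_duplicates(pairs):
    """object_pairs_hook: fail loudly instead of silently keeping the last key."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r} in one JSON object")
        seen.add(key)
    return dict(pairs)


def validate_features(text):
    """Return a list of problems; an empty list means the config is safe to submit."""
    try:
        features = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # covers JSONDecodeError and the duplicate-key error
        return [str(exc)]
    if not isinstance(features, list):
        return ["--features expects a JSON array of feature objects"]
    by_name = {f.get("Name"): f for f in features if isinstance(f, dict)}
    problems = []
    for name in REQUIRED:
        if name not in by_name:
            problems.append(f"{name} missing")
        elif by_name[name].get("Status") != "ENABLED":
            problems.append(f"{name} not ENABLED")
    runtime = by_name.get("EKS_RUNTIME_MONITORING", {})
    addons = {a.get("Name"): a.get("Status") for a in runtime.get("AdditionalConfiguration", [])}
    if addons.get(RUNTIME_ADDON) != "ENABLED":
        problems.append(f"{RUNTIME_ADDON} not ENABLED under EKS_RUNTIME_MONITORING")
    return problems


# Constructed samples: two features jammed into one object, then the correct shape.
BROKEN = '[{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED", "Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED"}]'
GOOD = json.dumps([
    {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    {"Name": "EKS_RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [{"Name": RUNTIME_ADDON, "Status": "ENABLED"}]},
])

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("good", GOOD)):
        print(label, validate_features(cfg) or "ok")
```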
After EKS Protection is enabled, the GuardDuty console shows it as enabled under EKS Protection.
Go to Findings. You should see that there are no findings available yet.
GuardDuty findings are automatically sent to EventBridge. You can also export findings to an S3 bucket. New findings are exported within 5 minutes; updates to existing findings are sent to EventBridge and S3 every 6 hours by default. You can change that frequency; let us set it to 15 minutes.
Go to Settings --> Findings export options and click Edit.
Select 15 minutes and click Save Changes.
With Amazon GuardDuty turned on with protection for your EKS clusters, you are now ready to see it in action. GuardDuty for EKS does not require you to turn on or store EKS control plane logs; it reads the EKS cluster audit logs through a direct integration.
It analyzes the audit log activity and reports the GuardDuty finding types that are specific to your Kubernetes resources.
Conclusion:
In summary, Amazon GuardDuty delivers advanced security for Amazon EKS. With features like EKS Audit Log Monitoring and EKS Runtime Monitoring, it offers top-notch protection against potential threats.
By integrating GuardDuty, you ensure continuous monitoring and quick mitigation of security risks, maintaining a secure environment for your container workloads.