Securing EKS Cluster: Lessons Learned from EKS Cluster Games

This post walks through the security issues demonstrated in the EKS Cluster Games and the best practices that prevent each of them in an Amazon EKS cluster.

EKS Cluster Games

EKS Cluster Games is a set of CTF-style challenges created by the Wiz Research team to teach the misconfigurations and security issues commonly found in Amazon EKS. The challenges cover accessing secrets, pulling images from a private registry, inspecting image layers, exploiting service accounts, and escalating privileges.

Security for AWS EKS

Amazon EKS security is a shared responsibility between AWS and the customer: AWS is responsible for security of the cloud, while the customer is responsible for security in the cloud. EKS consists of two main components, the control plane and the data plane. AWS operates the control plane (the API server, etcd, and the controllers); the customer configures and operates the data plane, which consists of the worker nodes and the pods and services that run on them (unless Fargate is used for the nodes).

Control plane: The control plane is the brain of the cluster and manages the cluster state and configuration.

Data Plane: The data plane is the muscle of the cluster and runs the actual workloads.

The workloads that customers deploy can contain vulnerabilities and are the usual entry point for an attacker, so preventing that initial access is the customer's job. For web-facing workloads this means putting AWS WAF (and whatever other edge controls are required) in front of the Application Load Balancer that fronts the cluster. The security posture of the cluster and its workloads can be monitored and audited with AWS services such as GuardDuty (including its EKS audit log and runtime findings), Amazon Inspector, and Security Hub, and assessed from the inside with open-source tools such as kube-hunter and kube-scan.

Best Practices for securing the EKS cluster

  • Enable envelope encryption of Kubernetes Secrets with an AWS KMS key, so that Secrets in etcd are not stored as plain base64. For secrets that should not live in the cluster at all, use an external store such as AWS Secrets Manager or HashiCorp Vault and inject them at run time.

  • Never run containers in privileged mode, and enforce this at admission time with Pod Security Admission (the restricted profile) rather than relying on manifest reviews.

  • Regularly scan container images (for example with Amazon Inspector on ECR or an open-source scanner) and fix the findings before the image is deployed.

  • Pull images only from trusted registries, and pin them by digest rather than by a mutable tag.

  • Limit the RBAC permissions of service accounts to what the workload actually needs, and do not auto-mount the service account token into pods that never call the Kubernetes API (automountServiceAccountToken: false).

  • Make use of IAM roles for service accounts (IRSA) to securely associate IAM roles with Kubernetes service accounts.

  • Check the cluster against the CIS Amazon EKS Benchmark with kube-bench (kube-scan scores workload risk and does not check benchmark compliance) to verify the configuration of the nodes and the workloads.

  • Do not expose worker nodes to the internet; if node access is ever required, go through a bastion host or AWS Systems Manager Session Manager.
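Most of the items above can be expressed as configuration. The manifests below are an added example, not from the original post or the EKS Cluster Games, and the account ID, region, KMS key ARN, IAM role ARN, registry, image digest, namespace and application names are all placeholders or assumptions. The eksctl cluster config turns on KMS envelope encryption for Secrets, the namespace enforces the restricted Pod Security Standard (which rejects privileged containers), the ServiceAccount is bound to an IAM role through IRSA and scoped by a minimal RBAC Role, and the Deployment pins its image by digest and drops every privilege it does not need.

```yaml
# Added example (not from the original post): one hardened EKS workload.
# Account ID, region, ARNs, registry, digest and names are placeholders.
---
# 1. eksctl ClusterConfig: envelope-encrypt Kubernetes Secrets stored in etcd
#    with a customer-managed KMS key.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod
  region: us-east-1
secretsEncryption:
  keyARN: arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000
---
# 2. Namespace with Pod Security Admission. The "restricted" profile rejects
#    privileged containers, host namespaces, privilege escalation and root at
#    admission time, so one mis-written Deployment cannot bypass the rule.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
---
# 3. ServiceAccount bound to an IAM role through IRSA. The Kubernetes token is
#    not mounted by default; pods that need the API server opt in explicitly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/payments-api-irsa
automountServiceAccountToken: false
---
# 4. Least-privilege RBAC: the token can only read one named ConfigMap.
#    It cannot list Secrets, create pods, or read other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-api
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["payments-api-config"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: payments-api
---
# 5. Deployment: image pinned by digest from a private ECR repository, runs as
#    non-root, no privilege escalation, all capabilities dropped, read-only
#    root filesystem. This pod spec passes the "restricted" profile above.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: {app: payments-api}
  template:
    metadata:
      labels: {app: payments-api}
    spec:
      serviceAccountName: payments-api
      # Opt in to the token only because this app watches its ConfigMap through
      # the API; omit this line for pods that never call the API server.
      automountServiceAccountToken: true
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          # A digest cannot be re-pointed in the registry the way a tag can.
          image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api@sha256:0000000000000000000000000000000000000000000000000000000000000000
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```

IRSA additionally requires an IAM OIDC provider for the cluster and a trust policy on `payments-api-irsa` that names this namespace and service account; without them the annotation is inert. Two quick checks after applying: `kubectl auth can-i list secrets -n payments --as=system:serviceaccount:payments:payments-api` should answer `no`, and applying a copy of the Deployment with `privileged: true` into the `payments` namespace should be rejected by the admission controller rather than silently scheduled.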