Blog

How Amazon GuardDuty can help keep Amazon EKS secure
Photo by Saifeddine Rajhi

How Amazon GuardDuty can help keep Amazon EKS secure

ā€¢ 3mins read
  • Amazon EKS
  • GuardDuty
  • Kubernetes security
  • threat detection

    Content

    Top-Notch Protection for EKS with Amazon GuardDuty

    šŸ“š Introduction

    Amazon GuardDuty offers extended coverage, allowing for ongoing monitoring and profiling of Amazon EKS cluster activities.

    This involves identifying any potentially harmful or suspicious behavior that could pose threats to container workloads. The EKS Protection feature within Amazon GuardDuty delivers threat detection capabilities specifically designed to safeguard Amazon EKS clusters within your AWS setup.

    This protection encompasses two key components: EKS Audit Log Monitoring and EKS Runtime Monitoring.

    In this blog post, we'll explore how Amazon GuardDuty can help you enhance the security of your EKS clusters, providing you with the tools and insights needed to keep your Kubernetes infrastructure safe and secure.

    šŸ›”ļø Amazon GuardDuty

    Amazon GuardDuty is a managed threat detection service that uses a combination of machine learning, anomaly detection, and integrated threat intelligence to identify, flag, and prioritize potential threats.

    In January 2022, its capabilities were expanded to include Amazon EKS. Key features include:

    • No additional software required: Runs without the need for extra software.
    • Continuous 24/7 monitoring: Monitors your AWS implementation without added cost or complexity.
    • Global coverage: Provides worldwide protection.
    • Comprehensive monitoring: Monitors everything in your account and infrastructure, alerting you of any anomalous behavior.
    • Intuitive threat severity levels: Helps cybersecurity specialists prioritize potential threats.

    EKS Protection includes EKS Audit Log Monitoring and EKS Runtime Monitoring.

    šŸ” EKS Audit Log Monitoring

    EKS Audit Log Monitoring helps you detect potentially suspicious activities in EKS clusters within Amazon Elastic Kubernetes Service (Amazon EKS). It uses Kubernetes audit logs to capture chronological activities from users, applications using the Kubernetes API, and the control plane. For more information, see Kubernetes audit logs.

    šŸ› ļø EKS Runtime Monitoring

    EKS Runtime Monitoring uses operating system-level events to help you detect potential threats in Amazon EKS nodes and containers within your Amazon EKS clusters. For more information, see Runtime Monitoring.

    GuardDuty EKS

    šŸš€ Enable Amazon GuardDuty for EKS

    Run the following command to enable Amazon GuardDuty and then also enable EKS Protection for both EKS Audit Log Monitoring and EKS Runtime Monitoring.

    config.json:

    [
        {
            "Name": "EKS_AUDIT_LOGS",
            "Status": "ENABLED",
            "Name": "EKS_RUNTIME_MONITORING",
            "Status": "ENABLED",
            "AdditionalConfiguration": [
                {
                    "Name": "EKS_ADDON_MANAGEMENT",
                    "Status": "ENABLED"
                }
            ]
        }
    ]

    Run the below command to enable EKS Protection for Amazon GuardDuty.

    aws guardduty create-detector --enable --features file://config.json | jq -r '.DetectorId'

    After EKS Protection in Amazon GuardDuty is enabled, it looks like below in the AWS GuardDuty Console:

    GuardDuty Console

    Go to Findings. You should see there are no findings available yet.

    No Findings

    GuardDuty Findings are automatically sent to EventBridge. You can also export findings to an S3 bucket. New findings are exported within 5 minutes. You can modify the frequency for updated findings below. Update to EventBridge and S3 occurs every 6 hours by default. Let us change it to 15 mins.

    Go to the Settings --> Findings export options and click on Edit.

    Edit Settings

    Select 15 minutes and click on Save Changes.

    Save Changes

    With Amazon GuardDuty already turned on with protection for your EKS clusters, you are now ready to see it in action. GuardDuty for EKS does not require you to turn on or store EKS Control Plane logs. GuardDuty can look at the EKS cluster audit logs through direct integration.

    It will look at the audit log activity and report on the new GuardDuty finding types that are specific to your Kubernetes resources.

    šŸ Conclusion

    In summary, Amazon GuardDuty delivers advanced security for Amazon EKS. With features like EKS Audit Log Monitoring and EKS Runtime Monitoring, it offers top-notch protection against potential threats.

    By integrating GuardDuty, you ensure continuous monitoring and quick mitigation of security risks, maintaining a secure environment for your container workloads.

    References:


    Until next time, ć¤ć„ć šŸŽ‰

    šŸ’” Thank you for Reading !! šŸ™ŒšŸ»šŸ˜šŸ“ƒ, see you in the next blog.šŸ¤˜ Until next time šŸŽ‰

    šŸš€ Thank you for sticking up till the end. If you have any questions/feedback regarding this blog feel free to connect with me:

    ā™»ļø LinkedIn: https://www.linkedin.com/in/rajhi-saif/

    ā™»ļø X/Twitter: https://x.com/rajhisaifeddine

    The end āœŒšŸ»

    šŸ”° Keep Learning !! Keep Sharing !! šŸ”°

    šŸ“… Stay updated

    Subscribe to our newsletter for more insights on AWS cloud computing and containers.