Protect Kubernetes Containers on AWS Using the Shared Responsibility Model
Editor’s note: This post was updated on August 17, 2022
Deploying an AWS container security solution is a critical requirement to protect your data and assets running on AWS, including EC2, EKS, ECS, Kubernetes, or Red Hat OpenShift. In its ‘Shared Responsibility Model,’ AWS states that security responsibility is shared between AWS and the customer (you). ‘Security of the cloud’ is the responsibility of AWS, while ‘Security in the cloud’ is the customer’s responsibility. If you have sensitive data, critical business applications, or valuable assets to protect, deploying an AWS container security solution such as NeuVector will provide the defense in depth required for ‘Security in the cloud.’ Let’s take a look at the additional security controls required and how they can be provided by NeuVector.
In the diagram above, the AWS Shared Responsibility Model defines that security ‘of’ the cloud, which is essentially all of the infrastructure assets, is provided by AWS. Security of anything running on top of the infrastructure is the responsibility of the customer. This includes protecting data, orchestration platforms, identity and access management, and even the proper monitoring and configuration of AWS-provided operating systems, networks and firewalls.
AWS Container Security for ‘In’ the Cloud Protection
Let’s take a look at these individually to translate what each means for the container and Kubernetes security for which customers are responsible.
- Customer Data. Ultimately, customers are responsible for protecting their data, whether it’s data in motion (transit) or at rest (stored). Various security controls combine to protect data, such as encryption, network firewalls and inspection, run-time security and other defense in depth measures. Application security and Identity/Access Management (below) are also critical to prevent unauthorized access to data.
- Platforms. Platforms such as Kubernetes, Red Hat OpenShift and Docker can be vulnerable to attacks. When managing the entire orchestration platform on EC2 instances, the customer is responsible for monitoring and protecting it. When using managed services such as EKS, the customer is responsible for the worker node components, including application and system containers, while AWS is responsible for the master nodes and the critical system containers running on them, such as the Kubernetes api-server.
- Applications. This is a big one. Protecting applications from vulnerability exploits, zero-day attacks, application layer threats such as SQL injection, embedded malware and so on is ultimately the customer’s responsibility. Not only can a successful attack lead to a data breach, it can also bring down critical applications or provide a stepping stone for expanding the attack to other assets.
- Identity and Access Management. First, securing access to critical AWS resources can prevent insider attacks. Second, properly configuring RBAC for orchestration platforms such as Kubernetes and for other critical customer-managed tools can prevent breaches such as the Tesla breach of a Kubernetes console. Lastly, RBAC controls in security tools such as NeuVector should be integrated into the overall IAM architecture.
- OS, Network, Firewall Configuration. There are multiple possible entry points for attackers, from the operating system host to the network. Properly configuring OS, network and firewalls (both the AWS provided security groups and the NeuVector container firewall) and continuously auditing these will reduce the attack surface.
- Client Side and Server Side Data Encryption, Data Integrity, Authentication. Enforcing encrypted connections to transmit data between clients and servers, and encrypting any data at rest, protects against data theft and is required by industry compliance regulations such as PCI-DSS. Data integrity applies not only to customer data but also to the software images used in container deployments. Authentication is focused mainly on client application access (externally facing containers, for example) but can extend to micro-service based authentication (see Network Traffic Protection, Segmentation below).
- Network Traffic Protection, Segmentation. A container or Kubernetes network is a primary target of hackers and provides the means to initiate and expand an attack as well as to steal data. Protecting network traffic requires a true cloud-native network firewall that automatically scales as containers scale but still provides traditional network threat prevention (DDoS, SQL injection, DNS tunneling, etc.), layer 7 network segmentation, packet capture, and deep packet inspection with DLP.
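Two of the customer-side responsibilities listed above, RBAC configuration of the orchestration platform and network segmentation, can be expressed directly with upstream Kubernetes objects. The manifests below are an added example, not configuration from the original post or from NeuVector: a least-privilege Role and RoleBinding for a console or tooling service account (replacing the weak pattern of binding such an account, or anonymous access, to cluster-admin), followed by a default-deny NetworkPolicy with one explicit allow rule. The namespace `payments`, the service account `dashboard-reader` and the labels `app: frontend` / `app: api` are assumed names constructed for the example. NetworkPolicy is enforced only by a CNI that implements it, and it works at layers 3/4; the layer 7 segmentation the post describes is a separate control layered on top of this baseline.

```yaml
# Added example: upstream Kubernetes equivalents of the customer-side
# controls described above. All names (namespace "payments", service
# account "dashboard-reader", labels app=frontend / app=api) are constructed.

# 1. Identity and access: a read-only Role for a dashboard or tooling
#    service account instead of a ClusterRoleBinding to cluster-admin.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-reader
  namespace: payments
automountServiceAccountToken: false   # mount the token only where it is needed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-viewer
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  # Deliberately absent: "secrets", "pods/exec", and any write verb.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-reader-viewer
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: dashboard-reader
    namespace: payments
roleRef:
  kind: Role                 # namespaced Role, not a ClusterRole
  name: workload-viewer
  apiGroup: rbac.authorization.k8s.io
---
# 2. Network segmentation: deny all ingress to every pod in the namespace,
#    then allow only frontend -> api on the API port. Adding "Egress" to
#    policyTypes would also require explicit egress rules (including DNS).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}            # matches every pod in the namespace
  policyTypes: ["Ingress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

After `kubectl apply -f` on the file, `kubectl auth can-i get secrets -n payments --as=system:serviceaccount:payments:dashboard-reader` should answer `no`, while the same query for `pods` answers `yes`; that single check is the quickest way to confirm a binding did not silently widen. Any pod without the `app: frontend` label will be unable to reach the API port once the default-deny policy is in place, so the allow rule must be written before the application is cut over.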
At a higher level, ‘security in the cloud’ means that customers are responsible for:
- Compliance and Auditing. Industry compliance for PCI, GDPR, HIPAA, NIST and other regulations, including internal ones, remains the responsibility of the customer.
- Run-Time Security. Detecting and preventing attacks in production environments is ultimately the customer’s responsibility. Explaining to authorities that a PII breach went undetected because AWS failed to prevent or notify you of it is not going to be acceptable.
- Automation Security. Container deployment CI/CD pipelines, auto-scaling policies, and on-demand infrastructures are being automated with security as code and infrastructure as code. These critical assets need to be secured throughout their lifecycle to prevent attackers from targeting this new attack surface.
SUSE NeuVector Provides the AWS Container ‘Security In the Cloud’ Needed
Security should be integrated into the entire CI/CD pipeline and extended all the way into production. NeuVector’s open source, full lifecycle security solution starts with vulnerability and compliance scanning in the build and registry phases of the pipeline and continues with admission controls and zero-trust run-time security to provide defense in depth.
- Customer Data. Using deep packet inspection (DPI), NeuVector data loss prevention (DLP) can monitor network payloads to detect and block sensitive data including credit cards, social security numbers and other PII. Other security controls listed below provide defense in depth for protecting customer data.
- Platforms. Whether it’s Kubernetes, Rancher, OpenShift, EKS, ECS or other platforms, NeuVector monitors all platform system containers, scans for vulnerabilities, and runs the CIS benchmarks to audit platform configurations.
- Applications. The full lifecycle vulnerability management and run-time security solution ensures that vulnerabilities are remediated in the pipeline and that applications are protected once they are in production. The run-time security protections are automatically created for each application and define the allowed process, network connection and file activity for each container, implementing Zero Trust controls. Zero drift protection automatically locks down process and file activity in every container to what is allowed for that workload. In addition, web application firewall (WAF) protections can be applied to any web-based application workload.
- Identity and Access Management. Compliance checks, including CIS benchmarks for Kubernetes, OpenShift, and Docker, as well as customized checks on containers and hosts, ensure the proper configuration of RBACs. An additional review of AWS IAM roles and permissions should be conducted as well to protect access to critical AWS resources.
- OS, Network, Firewall Configuration. Compliance checks, including CIS benchmarks for Kubernetes, OpenShift, and Docker, as well as customized checks on containers and hosts ensure proper configuration. Host OS process monitoring and vulnerability scans reduce the risk of exploitation of the OS. The unique NeuVector layer 7 container firewall provides automated, container-native network protections for east-west as well as ingress-egress network connections.
- Client Side Data Encryption etc. Client-server network segmentation and enforcement of SSL/TLS connections to containers are provided by the layer 7 firewall in NeuVector. In addition, if a service mesh such as Istio or AWS App Mesh is used for network encryption, NeuVector is still able to provide DLP, network inspection and threat detection.
- Server Side Encryption. While NeuVector does not provide file or database encryption, the DLP inspection can ensure that any data transmitted from a database or file system is encrypted. Another SUSE open source project, Longhorn, can provide data encryption for Kubernetes cluster-based storage volumes. Third party container data encryption solutions such as Portworx are provided on the AWS Marketplace.
- Network Traffic Protection, Segmentation. The unique NeuVector layer 7 container firewall provides automated Zero Trust, container-native network protections for east-west as well as ingress-egress network connections. Unauthorized connections can be blocked, packet captures taken on suspicious containers, and traffic inspected even if encrypted by a service mesh such as AWS App Mesh.
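The per-container process and file lockdown described under Applications above sits on top of settings the workload itself declares to Kubernetes, which remain the customer’s responsibility regardless of which run-time tool enforces behaviour on top. The Deployment below is an added example, not the post’s or NeuVector’s own configuration, showing that Kubernetes-native baseline for one service: a non-root user, a read-only root filesystem so unexpected file writes fail, all Linux capabilities dropped, the runtime’s default seccomp profile, and an image pinned by digest so the image scanned in the registry is the one that runs. The namespace `payments`, the label `app: api` and the image reference are constructed; the digest is a placeholder to be taken from the registry.

```yaml
# Added example: Kubernetes-native workload hardening that the run-time
# process/file controls build on. Namespace, labels and image reference
# are constructed; replace <digest-from-registry> with the real digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      automountServiceAccountToken: false   # the service never calls the Kubernetes API
      securityContext:
        runAsNonRoot: true                  # kubelet refuses to start the container as uid 0
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault              # container runtime's default syscall filter
      containers:
        - name: api
          # Pinning by digest ties the deployed image to the one that was scanned.
          image: registry.example/payments/api@sha256:<digest-from-registry>
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false # blocks setuid binaries gaining privileges
            readOnlyRootFilesystem: true    # writes outside declared volumes fail
            capabilities:
              drop: ["ALL"]                 # no ambient capabilities for any process
          volumeMounts:
            - name: tmp
              mountPath: /tmp               # the only writable path the service needs
          resources:
            limits:
              cpu: "500m"
              memory: "256Mi"               # bounds the impact of a runaway process
      volumes:
        - name: tmp
          emptyDir: {}
```

With `readOnlyRootFilesystem: true`, any process that tries to drop a file outside `/tmp` gets `EROFS`, which is both a mitigation and a clear signal in run-time file-activity alerts; if the application genuinely needs another writable path, declare it as an explicit volume rather than relaxing the root filesystem setting.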
AWS and NeuVector Security Controls Working Together
Together, AWS and NeuVector provide the security ‘in the cloud’ and ‘of the cloud’ required for full lifecycle cloud-native security and defense in depth for container deployments on EC2, EKS, ECS, and other public cloud services. Compliance, auditing, run-time security, and automation security are made possible with tools such as the NeuVector container security platform. Given the use of relatively new technologies such as Kubernetes and the rapid evolution of these technologies, the risk of attackers gaining a foothold in production container deployments is high. However, with the defense in depth provided by AWS and NeuVector, these attacks can not only be prevented at the outset but also detected and stopped in their subsequent activity should hackers gain entry into your critical infrastructure.