Enhancing Security of EKS Clusters with kube-bench and kube-hunter
Client Industry: Leading Digital Enterprise
Our Role: DevSecOps Consultancy
One of our professional services clients, heavily reliant on Kubernetes for container orchestration, required an efficient way to continuously scan AWS EKS clusters for vulnerabilities and misconfigurations. We faced the challenge of finding a solution that would provide actionable insights to improve their Kubernetes security posture while aligning those insights to the CIS Benchmarks.
We identified AquaSec kube-bench and kube-hunter as two promising tools that would help.
kube-bench is a tool that checks whether Kubernetes is deployed securely by running the CIS Kubernetes Benchmark tests. It tests against a set of Kubernetes security best practices to ensure that the cluster is configured to minimise the risk of a security breach. The tool produces a detailed report on the results of each test, highlighting any areas of weakness or vulnerabilities.
kube-hunter is an open-source tool that hunts for security weaknesses in Kubernetes clusters. It tests for common vulnerabilities such as exposed credentials, outdated software, and potential attack vectors. kube-hunter provides a detailed report on the results of each test, highlighting any areas of vulnerability that need to be addressed.
We implemented a nightly scheduled CI/CD pipeline that used cross-account trust relationships with AWS IAM to connect to the downstream EKS clusters via kubectl and run kube-bench and kube-hunter. The pipeline executed these tools on each of the client's EKS clusters and stored the results in a secure and versioned location for further analysis. We also set up alerts to notify the client's security team if any critical vulnerabilities were detected.
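The alerting step of such a pipeline, as an added example rather than the pipeline code from this engagement: a small Python gate that reads kube-bench's JSON output, keeps only the scored CIS failures, and compares them with the previous night's stored report so that only new regressions page the security team. The report shape follows kube-bench's `--json` output (Controls, tests, results); the check numbers and wording in the sample are constructed and illustrative.

```python
"""Alert gate for a nightly kube-bench run: page only on new scored CIS failures."""
import json

# Constructed sample check set; numbering and wording are illustrative, not copied from the benchmark.
CHECKS = [
    ("3.2.1", "Ensure that the --anonymous-auth argument is set to false", True),
    ("3.2.2", "Ensure that the --authorization-mode argument is not set to AlwaysAllow", True),
    ("3.2.9", "Ensure that the RotateKubeletServerCertificate argument is set to true", False),
]


def make_report(statuses: dict) -> str:
    """Build a kube-bench-style JSON document with the given per-check statuses."""
    results = [{"test_number": n, "test_desc": d, "status": statuses[n], "scored": s}
               for n, d, s in CHECKS]
    control = {"id": "3", "node_type": "node", "text": "Worker Node Security Configuration",
               "tests": [{"section": "3.2", "desc": "Kubelet", "results": results}]}
    return json.dumps({"Controls": [control]})


# Last night's stored report versus tonight's run: 3.2.2 has regressed from PASS to FAIL,
# while 3.2.9 fails too but is unscored and therefore must not page anyone.
PREVIOUS_REPORT = make_report({"3.2.1": "PASS", "3.2.2": "PASS", "3.2.9": "WARN"})
CURRENT_REPORT = make_report({"3.2.1": "PASS", "3.2.2": "FAIL", "3.2.9": "FAIL"})


def failed_scored_checks(report_json: str) -> dict:
    """Map test_number -> description for every scored check that FAILed (unscored ones are informational)."""
    report = json.loads(report_json)
    failures = {}
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for r in test.get("results", []):
                if r.get("status") == "FAIL" and r.get("scored", False):
                    failures[r["test_number"]] = f'[{control.get("node_type", "?")}] {r["test_desc"]}'
    return failures


def regressions(previous_json: str, current_json: str) -> dict:
    """Scored checks failing tonight that did not fail in the stored previous run."""
    prev, cur = failed_scored_checks(previous_json), failed_scored_checks(current_json)
    return {tid: desc for tid, desc in cur.items() if tid not in prev}


def should_alert(previous_json: str, current_json: str) -> bool:
    """Gate: page on any new scored failure; long-standing failures belong in the tracked backlog."""
    return bool(regressions(previous_json, current_json))


if __name__ == "__main__":
    for tid, desc in regressions(PREVIOUS_REPORT, CURRENT_REPORT).items():
        print(f"NEW FAIL {tid}: {desc}")
```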
By implementing this pipeline, we were able to continuously monitor the security of the client's EKS clusters and quickly identify potential security weaknesses. The pipeline helped us identify several areas of vulnerability, including insecure pod configurations and overly privileged container definitions. We were able to remediate these vulnerabilities quickly and improve the security posture of the client's EKS clusters.
The pipeline continues to run nightly and has become an integral part of the security monitoring and remediation process.
To learn more about our approach to DevSecOps and Secure Core Engineering, head here.