“Secure EKS” – Automat-it’s solution with strict security, governance, and compliance standards.

Overview

The Automat-it Secure EKS Solution is a fully automated solution for creating AWS cloud infrastructure and a CI/CD process for Kubernetes workloads according to security best practices. Under the shared responsibility model, AWS is responsible for the security of the cloud and we are responsible for security in the cloud. Even though the EKS control plane itself is secured by AWS, many other things remain on our side: encryption at rest and in transit, traffic control, network security, the least privilege principle, logging, accountability, and so on.

Along with securing Kubernetes applications, we need to think about data storage security, monitoring, cost-optimization, and CI/CD process. All these aspects are covered in the Automat-it Secure EKS Solution.

Automat-it’s solution implements AWS best practices using cloud-native services such as EKS, ECR, KMS, ELB, WAF, CloudFront, RDS, ElastiCache, CloudWatch, OpenSearch, CloudTrail, SSM, Inspector, GuardDuty, ACM, and AWS Config, together with the infrastructure-as-code tool Terraform, which makes it possible to provision the whole infrastructure within several hours and to manage it easily afterwards. The solution also provides a standard CI/CD process for the Kubernetes application that includes building a Docker container, performing security tests, and deploying the application via Helm.

It caters to organizations looking to adhere to strict internal security, governance, and compliance standards, as well as a fast-release process and cost-optimized cloud environment.

Automat-it Secure EKS Benefits

  • Multi-layer security: networking, encryption, the least privilege principle, logging, and accountability.
  • Full automation with Terraform and Jenkins.
  • A wide range of components and options allows us to assemble the right solution for different organizations and products and to cover their needs.
  • Can be integrated with Palo Alto Prisma Cloud.
  • Cost optimization for cloud infrastructure.
  • Fast provisioning and easy use.
  • Customization by request.
  • Can be partially or fully integrated with systems that are already in use.

Solution Scope

Networking

There is a dedicated 3-tier VPC for every environment, and it is recommended that every environment is provisioned in a separate AWS account. The Management VPC contains the VPN solution and other shared resources, e.g. the Jenkins server. Application environments are connected to the Management VPC via Transit Gateway and have no network connectivity with each other. Data storage (RDS, ElastiCache, Redshift, etc.) is deployed into the DB subnets, and the EKS control plane and nodes are deployed into the Private subnets. If an application requires a public endpoint, it is exposed via a load balancer deployed into the Public subnet. Security groups control connectivity between the different layers of the network.
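The tiering described above, written out as an added Terraform example (this is not Automat-it’s own module; the CIDRs, availability zone, NodePort range and PostgreSQL port are assumptions, and route tables, NAT gateway and the Transit Gateway attachment are omitted). The point it shows is that every allowed flow between tiers is an explicit security-group reference, and that the DB tier is reachable only from the node tier:

```hcl
# Added example, not Automat-it's Terraform. Assumed values: the VPC and
# subnet CIDRs, the availability zone, the NodePort range and port 5432.
# Route tables, NAT gateway and the Transit Gateway attachment are omitted.

resource "aws_vpc" "app" {
  cidr_block           = "10.20.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "app-env" }
}

# Public tier: only the internet-facing load balancer is placed here.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.app.id
  cidr_block        = "10.20.0.0/24"
  availability_zone = "eu-west-1a"
  tags              = { Name = "public", "kubernetes.io/role/elb" = "1" }
}

# Private tier: EKS control-plane ENIs and worker nodes; egress only via NAT.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.app.id
  cidr_block        = "10.20.10.0/24"
  availability_zone = "eu-west-1a"
  tags              = { Name = "private", "kubernetes.io/role/internal-elb" = "1" }
}

# DB tier: RDS / ElastiCache only; no route to the internet at all.
resource "aws_subnet" "db" {
  vpc_id            = aws_vpc.app.id
  cidr_block        = "10.20.20.0/24"
  availability_zone = "eu-west-1a"
  tags              = { Name = "db" }
}

# One security group per tier. Terraform-managed groups start with no rules,
# so every permitted flow is listed below and the DB tier gets no egress.
resource "aws_security_group" "alb" {
  name        = "alb"
  description = "Internet-facing load balancer"
  vpc_id      = aws_vpc.app.id
}

resource "aws_security_group" "nodes" {
  name        = "eks-nodes"
  description = "EKS worker nodes"
  vpc_id      = aws_vpc.app.id
}

resource "aws_security_group" "db" {
  name        = "db"
  description = "Data storage"
  vpc_id      = aws_vpc.app.id
}

# Internet -> load balancer: HTTPS only.
resource "aws_security_group_rule" "alb_in" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# Load balancer -> nodes, referenced by security group rather than CIDR, so the
# rule stays correct when nodes scale or change IP.
resource "aws_security_group_rule" "alb_out" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  protocol                 = "tcp"
  from_port                = 30000
  to_port                  = 32767
  source_security_group_id = aws_security_group.nodes.id
}

resource "aws_security_group_rule" "nodes_in" {
  type                     = "ingress"
  security_group_id        = aws_security_group.nodes.id
  protocol                 = "tcp"
  from_port                = 30000
  to_port                  = 32767
  source_security_group_id = aws_security_group.alb.id
}

# Nodes -> DB: one port, one source group. The public tier cannot reach the DB tier.
resource "aws_security_group_rule" "db_in" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
  source_security_group_id = aws_security_group.nodes.id
}

# Nodes need outbound access for image pulls, the EKS API and the DB tier.
resource "aws_security_group_rule" "nodes_out" {
  type              = "egress"
  security_group_id = aws_security_group.nodes.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}
```

A useful check after `terraform apply` is to confirm that the DB security group has no rule whose source is a CIDR block: every ingress should reference `aws_security_group.nodes`, and there should be no egress rule at all.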

Kubernetes cluster

Amazon Elastic Kubernetes Service (EKS) is the managed service that provides the control plane. It is deployed according to best practices for a high level of security and availability. Kubernetes nodes are deployed separately in auto-scaling groups according to application requirements. Nodes can handle CPU or GPU workloads and can run different operating systems, e.g. Bottlerocket, Amazon Linux, or others. Node volumes are encrypted and node permissions are limited according to the least privilege principle. EKS nodes and Docker images can be continuously scanned for software vulnerabilities and unintended network exposure by Amazon Inspector. Network connectivity is controlled by security groups and, where needed, by the AWS App Mesh service mesh. Activity in the EKS cluster is logged, and the logs are analyzed by GuardDuty for possible threats. Application pods and EKS nodes scale in and out according to the load.

Data storage

Different types of data storage can be provisioned easily and quickly according to the application’s needs: a SQL database (e.g. MySQL, PostgreSQL, MSSQL, Oracle) or a NoSQL database (e.g. MongoDB), key-value storage (e.g. DynamoDB, Redis), or object or block storage. Data storage is deployed according to security best practices, is highly available, continuously updated, backed up, and monitored. Access to data storage is limited, and data is encrypted at rest and in transit.

Encryption

Data and traffic are encrypted at every level where a specific organization or compliance standard requires it. All storage, volumes, and backups are encrypted by default. AWS Key Management Service (AWS KMS) is used for managing symmetric and asymmetric encryption keys; keys are stored securely and rotated continuously. The majority of AWS services are natively integrated with KMS. AWS Certificate Manager (ACM) is used for provisioning and managing SSL/TLS certificates. Load balancers, CloudFront distributions, and API gateways are natively integrated with ACM, and certificates are renewed automatically.
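The Kubernetes cluster and Encryption sections above come together in the cluster definition. The following is an added Terraform example, not the solution’s own module; it assumes the private-tier subnet IDs and two existing IAM roles (cluster and node) are passed in as variables, and the cluster, key and node-group names are made up. It shows the settings that turn the prose into enforced configuration: automatic KMS key rotation, account-wide EBS encryption with that key, envelope encryption of Kubernetes Secrets in etcd, a private-only API endpoint, control-plane audit logging, and nodes that accept only IMDSv2:

```hcl
# Added example, not the solution's own module. Assumed: the private-tier
# subnet IDs and two existing IAM roles (cluster and node), passed as variables.

variable "private_subnet_ids" { type = list(string) }
variable "cluster_role_arn"   { type = string }
variable "node_role_arn"      { type = string }

resource "aws_kms_key" "eks" {
  description             = "Envelope key for EKS secrets and node volumes"
  enable_key_rotation     = true # KMS rotates the backing key material automatically
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "eks" {
  name          = "alias/secure-eks"
  target_key_id = aws_kms_key.eks.key_id
}

# Account-level defaults: every new EBS volume is encrypted with this key even
# when the caller forgets to ask for it.
resource "aws_ebs_encryption_by_default" "on" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "eks" {
  key_arn = aws_kms_key.eks.arn
}

resource "aws_eks_cluster" "secure" {
  name     = "secure-eks"
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids              = var.private_subnet_ids
    endpoint_private_access = true
    endpoint_public_access  = false # API reachable only over VPN / Transit Gateway
  }

  # Kubernetes Secrets are envelope-encrypted in etcd with the key above,
  # on top of the disk-level encryption AWS applies to the control plane.
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks.arn
    }
    resources = ["secrets"]
  }

  # Control-plane logs are what GuardDuty and CloudWatch analyse.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}

# Node launch template: encrypted data volume and IMDSv2 only, so instance
# credentials cannot be fetched from the metadata service with a plain GET.
resource "aws_launch_template" "nodes" {
  name_prefix = "secure-eks-node-"

  block_device_mappings {
    device_name = "/dev/xvdb" # Bottlerocket's data volume; the OS volume is /dev/xvda
    ebs {
      volume_size = 50
      encrypted   = true
      kms_key_id  = aws_kms_key.eks.arn
    }
  }

  metadata_options {
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # the session token is not forwarded a hop further
  }
}

resource "aws_eks_node_group" "general" {
  cluster_name    = aws_eks_cluster.secure.name
  node_group_name = "general"
  node_role_arn   = var.node_role_arn
  subnet_ids      = var.private_subnet_ids
  ami_type        = "BOTTLEROCKET_x86_64"

  launch_template {
    id      = aws_launch_template.nodes.id
    version = aws_launch_template.nodes.latest_version
  }

  scaling_config {
    desired_size = 2
    min_size     = 2
    max_size     = 6
  }
}
```

The `encryption_config` block is the one most often missed: without it, Secrets are protected only by the encryption of the etcd disks, and anyone who can read etcd backups or the API as a privileged principal sees them in clear text. It can only be added to a cluster, never removed, so it belongs in the initial definition.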

Logging and monitoring

Most AWS services produce logs at different levels of verbosity: AWS API calls are recorded by AWS CloudTrail; data stores and the EKS control plane emit activity logs; load balancers, API gateways, and CloudFront distributions collect access logs; IP traffic is captured by VPC Flow Logs; and DNS queries are logged by Route 53. Application logs are collected by Fluent Bit. All logs are stored in centralized, secure, highly available storage, e.g. CloudWatch or Amazon OpenSearch Service, where they can be visualized and analyzed. Metrics from infrastructure and applications can be sent to CloudWatch or Prometheus for aggregation, analysis, and alerting.
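Two of the log sources named above, VPC Flow Logs and CloudTrail, as an added Terraform example (not the solution’s own module). It assumes the VPC ID, an IAM role that VPC Flow Logs may assume to write to CloudWatch Logs, and a KMS key whose policy already allows CloudWatch Logs and CloudTrail to use it; the bucket and trail names are made up. The details worth copying are the bucket policy that lets only the CloudTrail service write, and log file validation, which produces signed digests so that tampering with stored logs can be detected:

```hcl
# Added example, not the solution's own module. Assumed: the VPC ID, an IAM
# role for VPC Flow Logs, and a KMS key usable by CloudWatch Logs and CloudTrail.

variable "vpc_id"            { type = string }
variable "flow_log_role_arn" { type = string }
variable "log_kms_key_arn"   { type = string }

data "aws_caller_identity" "me" {}

# IP traffic: every accepted and rejected flow in the VPC, kept for a year,
# encrypted at rest with the shared logging key.
resource "aws_cloudwatch_log_group" "vpc_flow" {
  name              = "/secure-eks/vpc-flow-logs"
  retention_in_days = 365
  kms_key_id        = var.log_kms_key_arn
}

resource "aws_flow_log" "app" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow.arn
  iam_role_arn         = var.flow_log_role_arn
}

# API calls: one multi-region trail into a bucket only CloudTrail may write to.
resource "aws_s3_bucket" "trail" {
  bucket = "example-org-cloudtrail-logs" # assumed; bucket names must be globally unique
}

resource "aws_s3_bucket_public_access_block" "trail" {
  bucket                  = aws_s3_bucket.trail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.trail.arn
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.me.account_id}/*"
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } }
      }
    ]
  })
}

resource "aws_cloudtrail" "main" {
  name                          = "secure-eks-trail"
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true # signed digests let you verify stored logs were not altered
  kms_key_id                    = var.log_kms_key_arn

  depends_on = [aws_s3_bucket_policy.trail]
}
```

With `traffic_type = "ALL"` the flow log also records rejected connections, which is what you want when investigating whether the security-group tiering is actually being exercised.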

CI/CD

The standard CI/CD process for a Kubernetes application includes scanning the application code, building the Docker image, scanning the image and pushing it to ECR, and deploying or updating the application via Helm.
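The "scan the image and push it to ECR" step has a repository-side half that the pipeline relies on. The following is an added Terraform example, not part of the solution’s pipeline; the repository name is made up and the ARN of the EKS node role is assumed to be passed in. It enables scanning on every push, makes tags immutable so a tag that passed the scan cannot later be re-pointed at a different image, restricts pulls to the cluster nodes, and expires untagged leftovers:

```hcl
# Added example, not the solution's own pipeline code. Assumed: the repository
# name and the ARN of the EKS node role that is allowed to pull images.

variable "node_role_arn" { type = string }

resource "aws_ecr_repository" "app" {
  name                 = "secure-eks/app"
  image_tag_mutability = "IMMUTABLE" # a scanned, deployed tag cannot be silently replaced

  image_scanning_configuration {
    scan_on_push = true # every pushed image is scanned before the deploy stage runs
  }

  encryption_configuration {
    encryption_type = "AES256"
  }
}

# Only the cluster nodes may pull; the CI role is granted push separately,
# so a compromised node credential cannot overwrite images.
resource "aws_ecr_repository_policy" "pull" {
  repository = aws_ecr_repository.app.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "NodePullOnly"
      Effect    = "Allow"
      Principal = { AWS = var.node_role_arn }
      Action    = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"]
    }]
  })
}

# Keep the repository from accumulating untagged layers from rebuilt images.
resource "aws_ecr_lifecycle_policy" "expire_untagged" {
  repository = aws_ecr_repository.app.name
  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "Expire untagged images after 7 days"
      selection = {
        tagStatus   = "untagged"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 7
      }
      action = { type = "expire" }
    }]
  })
}
```

In the pipeline, the deploy stage should pass Helm the image digest reported by the push rather than the tag; with immutable tags either works, but the digest makes the deployed artifact unambiguous in the audit trail.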

CI/CD workflow diagram

High-level CI/CD implementation diagram

High-level infrastructure architecture diagram

Palo Alto Prisma Cloud

Prisma Cloud is integrated with the AWS accounts, the Kubernetes applications, and the CI/CD process, and continuously monitors security and compliance across many layers: it checks adherence to security best practices, alerts on suspicious activity and software vulnerabilities, and helps avoid bad practices in the development process.

We performed a security scan for different standards and got a result of 95%+.

Pricing

The solution is sold with a one-time setup fee that covers the generic configuration and built-in capabilities. Customers can additionally use Automat-it’s professional services for custom DevOps adjustments based on their needs, and Automat-it’s managed service for ongoing security updates, maintenance, and performance monitoring.

Conclusion

Automat-it, as a Premier AWS Partner, AWS Well-Architected Partner, and Kubernetes Certified Service Provider, developed the Secure EKS Solution using all our experience and skills. The Automat-it Secure EKS Solution helps organizations build AWS cloud infrastructure for containerized applications quickly and securely. We assemble the environment from many available building blocks (Terraform modules and automation scripts) according to the customer’s needs and provide expert ongoing support.