Threat Detection on EKS – Comparing Falco and GuardDuty For EKS Protection

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • terraform-provider-aws

    The AWS Provider enables Terraform to manage AWS resources.

  • GuardDuty Kubernetes protection is not enabled by default. Accounts that are in an AWS Organization can enable the feature through the GuardDuty delegated administrator account, or the detector can be updated on an individual account. Terraform support is pending at the time of writing, while CloudFormation and CDK support is fully implemented.

  • containers-roadmap

    This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).

  • EKS can be configured to allow anonymous access to its control plane (relevant GitHub Issue on AWS Containers Roadmap here). This configuration should almost never exist. This is an excellent "low-hanging fruit" detection provided by EKS GuardDuty upon that access being configured:

  • plugins

    Falco plugins registry (by falcosecurity)

  • Existing Falco rules can be disabled or modified. New supplemental rules can be written to detect environment specific use cases. Falco is not just limited to Kubernetes syscalls or audit logs - recently Falco released a plugin capability, allowing Falco to be extended to consume additional event sources. One such example of this is the AWS CloudTrail Plugin.

  • falcosidekick

    Connect Falco to your ecosystem

  • Falco can emit its findings to stdout, a file, syslog, or custom endpoints with "Program Output" using bash. Alternatively, Falcosidekick is an extra app that receives Falco alerts from multiple clusters and forwards them to a variety of outputs concurrently. Falcosidekick has a large number of custom destinations, so it may reduce the need to write custom integrations for existing destinations like a SIEM.

  • falco

    Cloud Native Runtime Security

  • Falco, a CNCF project, is a common open source tool used to perform similar threat detection capabilities within Kubernetes clusters. Falco monitors system calls from the Linux kernel for the majority of its analysis. It is also preloaded with community maintained rule sets.

