GuardDuty Kubernetes protection is not enabled by default. Accounts that belong to an AWS Organization can have the feature turned on centrally from the GuardDuty delegated administrator account; a standalone account enables it by updating its own detector. GuardDuty reads the EKS control-plane audit logs through its own channel, so the cluster does not need CloudWatch control-plane logging switched on for the feature to work. Terraform support was still pending at the time of writing, while CloudFormation and CDK already support the setting.
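The CloudFormation route looks like the template below. It is an added example written for this page, not code from the original post or from AWS; the logical resource name is made up, and the publishing frequency is a choice, not a requirement. The `DataSources.Kubernetes.AuditLogs.Enable` switch is the one that is off when a detector is created with defaults:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  GuardDuty detector with Kubernetes (EKS audit log) protection enabled.
  A detector is per account and per region, so deploy this as a StackSet
  across every region you want covered.

Resources:
  GuardDutyDetector:                      # hypothetical logical name
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
      DataSources:
        Kubernetes:
          AuditLogs:
            Enable: true                  # default is false: EKS findings need this
```

In an organization, the same switch is set for all member accounts from the delegated administrator with `aws guardduty update-organization-configuration --detector-id <id> --auto-enable --data-sources '{"Kubernetes":{"AuditLogs":{"AutoEnable":true}}}'`, and the resulting state in any account can be verified with `aws guardduty get-detector --detector-id <id> --query 'DataSources.Kubernetes.AuditLogs.Status'`, which should return `ENABLED`.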
EKS can be configured to allow anonymous access to its control plane (relevant GitHub Issue on the AWS Containers Roadmap here). In practice this means a ClusterRoleBinding or RoleBinding whose subjects include the system:anonymous user or the system:unauthenticated group, so that requests carrying no credentials at all are authorized. This configuration should almost never exist. It is an excellent "low-hanging fruit" detection from GuardDuty's EKS protection, which fires once that access is granted:
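To make the misconfiguration concrete, the manifest below shows the kind of binding the finding refers to, followed by a kubectl/jq check for any such binding already present in a cluster. This is an added illustration, not from the original post or from AWS; the binding name is made up, and the manifest is the thing to detect and remove, not something to apply:

```yaml
# anonymous-cluster-admin.yaml (constructed example of the misconfiguration;
# do NOT apply this to a real cluster)
#
# Unauthenticated requests reach the API server as user system:anonymous in
# group system:unauthenticated. Binding either of them to a powerful role hands
# that role to anyone who can reach the cluster endpoint.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: anonymous-cluster-admin          # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:unauthenticated
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:anonymous

# Audit check: list every ClusterRoleBinding that names an anonymous subject.
# Kubernetes itself ships one such binding, system:public-info-viewer, which
# only exposes the health and version endpoints; anything else in this output
# deserves investigation. RoleBindings need the same check via
# `kubectl get rolebindings -A -o json`.
#
#   kubectl get clusterrolebindings -o json | jq -r '
#     .items[]
#     | select(any(.subjects[]?; .name == "system:anonymous"
#                                 or .name == "system:unauthenticated"))
#     | "\(.metadata.name) -> \(.roleRef.kind)/\(.roleRef.name)"'
#
# Remediation for a binding like the one above is simply to delete it:
#   kubectl delete clusterrolebinding anonymous-cluster-admin
```

The check deliberately reports the binding name together with the role it grants, because a binding to system:unauthenticated is only harmless when the role behind it is as narrow as system:public-info-viewer.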
Falco, a CNCF project, is a common open source tool used to perform similar threat detection within Kubernetes clusters. Falco performs the majority of its analysis by monitoring system calls from the Linux kernel, and it ships with community-maintained rule sets.
Existing Falco rules can be disabled or modified, and new supplemental rules can be written to detect environment-specific use cases. Falco is not limited to syscalls or Kubernetes audit logs: it recently gained a plugin capability that lets it consume additional event sources, the AWS CloudTrail plugin being one example.
Falco can emit its findings to stdout, a file, syslog, or a custom endpoint via "program output", which pipes each event into a shell command. Alternatively, Falcosidekick is a separate service that receives Falco alerts from multiple clusters and forwards them to many outputs concurrently. Falcosidekick supports a large number of destinations, so it can remove the need to write custom integrations for common targets such as a SIEM.
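The rules file below exercises the three things the preceding paragraphs describe: disabling a shipped rule, adding a syscall-based rule, and adding a rule over a plugin source (here the Kubernetes audit log via the k8saudit plugin, catching the anonymous binding discussed earlier). It is an added example written for this page, not Falco's own rules; the rule and macro names, the tool lists and the priorities are this example's choices. The `ka.*` field names and the `k8s_audit` source name are taken from the k8saudit plugin and should be checked against the plugin version you run:

```yaml
# custom_rules.yaml - load after the vendor rules so overrides apply, e.g.
#   falco -r /etc/falco/falco_rules.yaml -r /etc/falco/custom_rules.yaml
# Assumptions: Falco with the k8saudit plugin configured for the k8s_audit
# rule; everything below is example content, not a shipped default.

# 1. Disable a shipped rule by redefining it by name with enabled: false.
#    The vendor file stays untouched, which keeps upgrades painless.
- rule: Terminal shell in container
  enabled: false

# 2. Syscall-source rule: a shell or utility reads the projected service
#    account token. Real clients read it through an SDK, not via cat/curl.
- macro: open_read_in_container
  condition: >
    (evt.type in (open, openat, openat2) and evt.dir = <
     and evt.rawres >= 0 and container.id != host)

- list: token_reading_tools
  items: [cat, curl, wget, base64, sh, bash, python, python3]   # assumption: tune per environment

- rule: Service account token read by interactive tooling
  desc: >
    A shell or command-line utility inside a container opened the service
    account token, a common first step before talking to the API server.
  condition: >
    open_read_in_container
    and fd.name startswith /var/run/secrets/kubernetes.io/serviceaccount
    and fd.name endswith /token
    and proc.name in (token_reading_tools)
  output: >
    Service account token read (user=%user.name proc=%proc.name
    cmdline=%proc.cmdline file=%fd.name container=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, credentials, custom]

# 3. Plugin-source rule: a RoleBinding/ClusterRoleBinding that grants rights
#    to the anonymous user or the unauthenticated group, which is the
#    misconfiguration GuardDuty flags. Kubernetes' own system:public-info-viewer
#    binding legitimately includes system:unauthenticated and is excluded.
- macro: binding_write
  condition: >
    (ka.verb in (create, update, patch)
     and ka.target.resource in (clusterrolebindings, rolebindings))

- rule: Binding granted to anonymous subject
  desc: A (Cluster)RoleBinding whose subjects include system:anonymous or system:unauthenticated
  condition: >
    binding_write
    and ka.req.binding.subjects intersects (system:anonymous, system:unauthenticated)
    and not ka.target.name = system:public-info-viewer
  output: >
    Binding to anonymous subject (user=%ka.user.name verb=%ka.verb
    binding=%ka.target.name role=%ka.req.binding.role ns=%ka.target.namespace)
  priority: CRITICAL
  source: k8s_audit
  tags: [k8s, rbac, custom]
```

The audit-log rule fires at the moment the binding is written, which is earlier than a periodic RBAC scan would catch it; the syscall rule covers the complementary case where a workload is already compromised and the attacker reaches for the token from inside the pod.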
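The output side lives in falco.yaml. The excerpt below, an added example rather than a configuration from the original post or the Falco project, shows the local outputs next to the two forwarding options the paragraph mentions: a "program output" command and an HTTP output pointed at Falcosidekick. The Falcosidekick service address and the webhook URL are placeholders:

```yaml
# falco.yaml (excerpt). Assumptions: Falcosidekick runs in-cluster as the
# Service falcosidekick in namespace falco on its default port 2801; the
# webhook URL in program_output is a placeholder.
json_output: true                 # Falcosidekick and SIEMs expect one JSON event per line
json_include_output_property: true

# Local outputs: stdout is picked up by `kubectl logs` and any node log shipper.
stdout_output:
  enabled: true
file_output:
  enabled: false
  keep_alive: false
  filename: /var/log/falco_events.txt
syslog_output:
  enabled: false

# Program output: every event is written to the command's stdin, so the
# command must read from stdin rather than take the event as an argument.
program_output:
  enabled: false                  # enable only if you are not using Falcosidekick
  keep_alive: false               # false = a fresh process per event
  program: "jq '{text: .output}' | curl -sS -X POST -d @- https://hooks.example.invalid/falco"

# Forward to Falcosidekick, which fans out to Slack, SIEMs, S3, etc.
http_output:
  enabled: true
  url: http://falcosidekick.falco.svc:2801/
```

With `keep_alive: false` the program is spawned once per event, which is simplest but adds process overhead under an alert storm; Falcosidekick avoids that cost and keeps the destination list out of every cluster's falco.yaml.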