Amazon EKS Security on High Alert with GuardDuty

6 minute read
Content level: Advanced

I need to stay on high alert for security events happening in my Amazon EKS cluster by receiving an email notification as soon as one occurs.

Introduction:

As organizations increasingly adopt containers and Kubernetes for their application deployments, ensuring the security of these environments becomes paramount. Amazon Elastic Kubernetes Service (Amazon EKS) provides a managed Kubernetes control plane, but you are still responsible for securing the worker nodes, the cluster's own configuration (IAM and RBAC), and the applications running on it. This is where Amazon GuardDuty comes into play: it is a threat detection service that continuously analyzes your EKS cluster's audit logs and runtime activity for signs of compromise. It is not a configuration scanner; misconfigurations are the domain of services such as AWS Security Hub and AWS Config.

In a modern cloud-native environment, security threats can emerge from various sources, including unauthorized access attempts, compromised credentials, malicious activities, and misconfigured resources. Staying vigilant and quickly responding to these threats is crucial to maintaining the integrity and resilience of your EKS cluster. However, manually monitoring logs and security events can be time-consuming and error-prone, especially in large-scale deployments.

Solution overview:

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts, workloads, and data sources for potential security threats. For EKS it has two data sources: EKS Audit Log Monitoring, which analyzes the Kubernetes audit logs of the control plane (you do not have to enable control plane logging to CloudWatch for this), and EKS Runtime Monitoring, which uses an agent on the worker nodes to observe process, network and file activity inside containers. By integrating GuardDuty with your EKS cluster, you can leverage these detections to identify and respond to security events promptly.

Amazon GuardDuty detecting activity in Amazon EKS

Prerequisites

Before getting started, ensure you have the following prerequisites:

  1. An AWS account with permissions to administer GuardDuty, EventBridge, Amazon SNS and, for the optional automation step, AWS Lambda.
  2. An Amazon EKS cluster in that account, with kubectl configured to access it.
  3. The AWS CLI installed and configured for the same Region as the cluster.

Here's how you can set up GuardDuty to monitor your EKS cluster and receive email notifications for security events:

Enable GuardDuty for Your AWS Account

First, you need to enable GuardDuty for your AWS account. You can do this through the AWS Management Console, AWS Command Line Interface (CLI), or AWS CloudFormation. GuardDuty is Regional, so enable it in every Region that hosts an EKS cluster you want covered.

To configure Amazon GuardDuty using AWS CLI:

aws guardduty create-detector --enable --features '[{"Name" : "EKS_AUDIT_LOGS", "Status" : "ENABLED"}, {"Name" : "EKS_RUNTIME_MONITORING", "Status" : "ENABLED", "AdditionalConfiguration" : [{"Name" : "EKS_ADDON_MANAGEMENT", "Status" : "ENABLED"}]}]'

The command returns the DetectorId, which you need for the finding queries later in this article. An account can have only one detector per Region, so if GuardDuty is already enabled the call fails; in that case pass the existing detector ID and the same --features argument to aws guardduty update-detector to turn on EKS Protection. The EKS_ADDON_MANAGEMENT setting lets GuardDuty install and update the runtime agent in your clusters for you.

To configure Amazon GuardDuty via AWS Console:

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
  2. In the navigation pane, under Settings, choose EKS Protection.
  3. Under the Configuration tab, you can view the current configuration status of EKS Audit Log Monitoring.
  4. To update the configuration for your account, choose Edit.
  5. Choose Enable to enable the EKS Protection feature for optimal protection. This will automatically enable EKS Audit Log Monitoring, EKS Runtime Monitoring, and automated agent management through GuardDuty.

Wait a few minutes for Amazon GuardDuty to finish deploying the monitoring stack. Validate that the aws-guardduty-agent DaemonSet is running one Pod on each node of your EKS cluster:

kubectl -n amazon-guardduty get pods
NAME                        READY   STATUS    RESTARTS   AGE
aws-guardduty-agent-75w7q   1/1     Running   0          3h35m
aws-guardduty-agent-k7dzg   1/1     Running   0          5h10m
aws-guardduty-agent-vtpct   1/1     Running   0          5h10m

Configure Email Notifications for Amazon EKS Security Events

To receive email notifications whenever GuardDuty detects a potential security threat in your EKS cluster, create an Amazon EventBridge rule with a custom event pattern that matches GuardDuty findings whose resource is an EKS cluster, and route matching events to an Amazon Simple Notification Service (Amazon SNS) topic. Note that GuardDuty publishes a finding to EventBridge when it first occurs and then, for recurring occurrences, at the detector's finding publishing frequency, which defaults to 6 hours and can be lowered to 1 hour or 15 minutes in the detector settings.

Configure EventBridge Rule:

  1. If you haven't already created an Amazon SNS topic, follow the instructions for Getting started with Amazon SNS, subscribe your email address to the topic, and confirm the subscription from the email that SNS sends you. Note: the SNS topic must be in the same Region as your GuardDuty detector, because findings are published to the event bus of the Region the detector runs in.
  2. Open the EventBridge console.
  3. Select Create rule.
  4. Enter a Name for your rule. You can optionally enter a Description.
  5. For Event bus, keep default. GuardDuty publishes its findings to the account's default event bus, not to a custom bus.
  6. In Rule type, select Rule with an event pattern. Then, select Next.
  7. Under Event pattern, choose AWS services for the Event source. Then, choose GuardDuty for the AWS service.
  8. For Event type, choose GuardDuty Finding.
  9. In the Event pattern preview section, select Edit pattern.
  10. Copy the following code, paste it in the Event pattern preview section, and then choose Save. The resourceType filter restricts the rule to findings whose resource is an EKS cluster, which covers both EKS Audit Log and EKS Runtime Monitoring findings; without it the rule would forward every GuardDuty finding in the account.
# Event Pattern
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "resource": {
      "resourceType": ["EKSCluster"]
    }
  }
}
  11. Select Next.
  12. For Target types, select AWS service.
  13. For Select a target, choose SNS topic. Then, select your topic from the drop-down menu. When you create the rule in the console, EventBridge adds a statement to the topic's access policy that lets events.amazonaws.com publish to it; if you create the rule with the CLI or infrastructure as code instead, add that statement yourself, or the deliveries will fail silently.
  14. Under Additional settings, for Configure target input, choose Input transformer from the drop-down list, then choose Configure input transformer.
  15. For Sample events, skip this step.
  16. For Target input transformer, for Input Path, enter the following. Each entry binds a name to a value picked out of the finding with a JSONPath expression; only names defined here can be referenced in the template:
# input path
{
  "severity": "$.detail.severity",
  "Account_ID": "$.detail.accountId",
  "Finding_ID": "$.detail.id",
  "Finding_Type": "$.detail.type",
  "region": "$.region",
  "Finding_description": "$.detail.description"
}
  17. For Input Template, enter the following. It uses all six names from the input path, so the email states the severity, account, finding type and Region up front and ends with a deep link to the finding in the GuardDuty console:
"GuardDuty Finding | ID: <Finding_ID> | Account: <Account_ID> | Severity: <severity> | Type: <Finding_Type> | Region: <region>. Finding Description: <Finding_description>. For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<Finding_ID>"
  18. Choose Confirm, then choose Next.
  19. Choose Next.
  20. Review the details of the rule and choose Create rule.
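Before creating the rule it helps to see exactly what the pattern and the input transformer do to a finding. The following Python is an added example, not code from this article or from AWS: it re-implements the subset of EventBridge matching the pattern above relies on (exact-match lists, nested objects and the numeric content filter), resolves the Input Path expressions, and renders the Input Template into the message an email subscriber would receive. It runs offline against two constructed findings (account, Region, cluster name and finding IDs are made up); the EC2 finding shows what the resourceType filter excludes. It also goes one step beyond the article with a second pattern that adds a numeric severity filter, which is the usual next refinement once the mailbox fills with Low findings.

```python
import copy
import re

# Constructed sample in the shape EventBridge uses to deliver a GuardDuty finding
# (detail-type "GuardDuty Finding", finding fields under "detail"). All values are made up.
EKS_FINDING_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "accountId": "111122223333",
        "id": "finding-id-constructed",
        "type": "Execution:Kubernetes/ExecInKubeSystemPod",
        "severity": 5,
        "description": "A command was executed inside a pod in the kube-system namespace.",
        "resource": {"resourceType": "EKSCluster", "eksClusterDetails": {"name": "example-cluster"}},
    },
}

# Second constructed finding whose resource is an EC2 instance; the EKS rule must not fire on it.
EC2_FINDING_EVENT = copy.deepcopy(EKS_FINDING_EVENT)
EC2_FINDING_EVENT["detail"].update({
    "id": "ec2-finding-id-constructed",
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "severity": 2,
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
})

# The event pattern from this article.
EKS_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"resource": {"resourceType": ["EKSCluster"]}},
}

# Beyond the article: same rule plus a numeric content filter, so only High and
# Critical findings (severity 7 and above) reach the mailbox.
HIGH_SEVERITY_EKS_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}], "resource": {"resourceType": ["EKSCluster"]}},
}

# Input Path and Input Template exactly as entered in the input transformer.
INPUT_PATH = {
    "severity": "$.detail.severity",
    "Account_ID": "$.detail.accountId",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description",
}
INPUT_TEMPLATE = (
    "GuardDuty Finding | ID: <Finding_ID> | Account: <Account_ID> | Severity: <severity> "
    "| Type: <Finding_Type> | Region: <region>. Finding Description: <Finding_description>. "
    "For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/"
    "home?region=<region>#/findings?search=id%3D<Finding_ID>"
)

_NUMERIC_OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def _alternative_matches(alternative, value):
    """One entry of a pattern list against one scalar taken from the event."""
    if isinstance(alternative, dict) and "numeric" in alternative:
        # Content filter such as [">=", 7] or [">", 0, "<=", 5]: every op/bound pair must hold.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        ops = alternative["numeric"]
        return all(_NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    return alternative == value


def event_matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must exist in the event, a nested
    object recurses, a list means "any of these", and an event array matches if any element does."""
    for key, condition in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(condition, dict):
            if not isinstance(value, dict) or not event_matches(condition, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(_alternative_matches(alt, v) for alt in condition for v in candidates):
                return False
    return True


def _json_path(event, path):
    """Resolve the dotted JSONPath form used in Input Path, e.g. "$.detail.severity"."""
    node = event
    for part in path.lstrip("$").strip(".").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render_notification(event, input_path=INPUT_PATH, template=INPUT_TEMPLATE):
    """Render the message an SNS email subscriber receives; unknown placeholders are left as written."""
    values = {name: _json_path(event, path) for name, path in input_path.items()}
    return re.sub(r"<([A-Za-z_][A-Za-z0-9_]*)>",
                  lambda m: str(values[m.group(1)]) if m.group(1) in values else m.group(0), template)


def with_severity(event, severity):
    """Deep copy of an event with a different severity, for exercising the numeric filter."""
    clone = copy.deepcopy(event)
    clone["detail"]["severity"] = severity
    return clone


if __name__ == "__main__":
    for name, event in (("EKS", EKS_FINDING_EVENT), ("EC2", EC2_FINDING_EVENT)):
        print(f"{name}: EKS rule -> {event_matches(EKS_RULE_PATTERN, event)}, "
              f"severity>=7 rule -> {event_matches(HIGH_SEVERITY_EKS_PATTERN, event)}")
    print(render_notification(with_severity(EKS_FINDING_EVENT, 8)))
```

The same check can be run against the real service with aws events test-event-pattern, which takes the pattern and a sample event and returns whether they match; the local version is simply faster to iterate on when tuning the severity threshold.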

Review and Respond to Security Findings

GuardDuty will now continuously monitor your EKS cluster and send an email whenever it publishes a potential security threat to EventBridge. You can review the findings in the GuardDuty console or through the AWS CLI and take appropriate action to mitigate the threats. The detector ID is the one returned when you enabled GuardDuty (aws guardduty list-detectors returns it as well). Note that list-findings returns only finding IDs, which you then pass to aws guardduty get-findings to read the details.

# List recent security findings
aws guardduty list-findings --detector-id <detector_id> --max-results 10
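To triage from a script rather than from the console, the following Python is an added example, not code from this article: it builds the FindingCriteria that restricts ListFindings to unarchived EKS cluster findings at or above a chosen severity, pages through the IDs, hydrates them with GetFindings in batches of 50 (the API's per-call limit), and flattens each finding into a triage row labelled with GuardDuty's severity bands. The boto3 call lives in one function and is imported lazily, so the offline helpers run without credentials. The two sample findings are constructed (IDs, cluster, workload and user names are made up) in the PascalCase shape boto3 and the CLI return, which differs from the camelCase payload EventBridge delivers.

```python
# Constructed sample of what get-findings returns (PascalCase keys, unlike the EventBridge
# payload). Finding IDs, cluster, workload and user names are made up for this example.
SAMPLE_FINDINGS = [
    {
        "Id": "finding-a-constructed",
        "Type": "Execution:Kubernetes/ExecInKubeSystemPod",
        "Severity": 5,
        "Resource": {
            "ResourceType": "EKSCluster",
            "EksClusterDetails": {"Name": "example-cluster"},
            "KubernetesDetails": {
                "KubernetesUserDetails": {"Username": "system:serviceaccount:default:ci-runner"},
                "KubernetesWorkloadDetails": {"Name": "coredns-5d78c9869d-abcde", "Namespace": "kube-system"},
            },
        },
        "Service": {"Count": 3, "EventLastSeen": "2024-01-01T12:00:00.000Z"},
    },
    {
        "Id": "finding-b-constructed",
        "Type": "Execution:Runtime/ReverseShell",
        "Severity": 8,
        "Resource": {
            "ResourceType": "EKSCluster",
            "EksClusterDetails": {"Name": "example-cluster"},
            "KubernetesDetails": {
                "KubernetesWorkloadDetails": {"Name": "web-7c9f8d6b5-xyz12", "Namespace": "default"},
            },
        },
        "Service": {"Count": 1, "EventLastSeen": "2024-01-01T13:30:00.000Z"},
    },
]


def severity_label(severity):
    """GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10."""
    if severity >= 9:
        return "Critical"
    if severity >= 7:
        return "High"
    if severity >= 4:
        return "Medium"
    return "Low"


def eks_finding_criteria(min_severity=4):
    """FindingCriteria for ListFindings: unarchived findings on EKS clusters at or above min_severity."""
    return {
        "Criterion": {
            "resource.resourceType": {"Eq": ["EKSCluster"]},
            "severity": {"Gte": int(min_severity)},
            "service.archived": {"Eq": ["false"]},
        }
    }


def summarize(findings):
    """Flatten GetFindings output into triage rows, highest severity first."""
    rows = []
    for f in findings:
        resource = f.get("Resource", {})
        k8s = resource.get("KubernetesDetails", {})
        workload = k8s.get("KubernetesWorkloadDetails", {})
        rows.append({
            "id": f["Id"],
            "type": f["Type"],
            "severity": f["Severity"],
            "label": severity_label(f["Severity"]),
            "cluster": resource.get("EksClusterDetails", {}).get("Name"),
            "namespace": workload.get("Namespace"),
            "workload": workload.get("Name"),
            # Runtime findings often carry no Kubernetes user; audit log findings do.
            "user": k8s.get("KubernetesUserDetails", {}).get("Username"),
            "count": f.get("Service", {}).get("Count"),
            "last_seen": f.get("Service", {}).get("EventLastSeen"),
        })
    rows.sort(key=lambda r: r["severity"], reverse=True)
    return rows


def fetch_eks_findings(detector_id, min_severity=4, region=None):
    """Query the real service: page ListFindings, then hydrate IDs 50 at a time with GetFindings."""
    import boto3  # imported here so the helpers above stay usable without boto3 installed
    gd = boto3.client("guardduty", region_name=region)
    finding_ids = []
    paginator = gd.get_paginator("list_findings")
    for page in paginator.paginate(DetectorId=detector_id, FindingCriteria=eks_finding_criteria(min_severity)):
        finding_ids.extend(page["FindingIds"])
    findings = []
    for start in range(0, len(finding_ids), 50):
        batch = finding_ids[start:start + 50]
        findings.extend(gd.get_findings(DetectorId=detector_id, FindingIds=batch)["Findings"])
    return summarize(findings)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call fetch_eks_findings("<detector_id>")
    # with AWS credentials to run the same summary against your account.
    for row in summarize(SAMPLE_FINDINGS):
        print(f'{row["label"]:<8} {row["severity"]:<4} {row["type"]:<50} {row["cluster"]}/'
              f'{row["namespace"]}/{row["workload"]} user={row["user"]} seen={row["count"]}x')
```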

Automate Responses with AWS Lambda (Optional)

For advanced security automation, you can create AWS Lambda functions that respond to specific types of findings. GuardDuty does not invoke Lambda directly: add the function as a target of an EventBridge rule like the one above, and the rule delivers each matching finding to the function, which can then implement custom remediation actions or integrate with other security tools. Below is a sample Lambda function written in Python:

# Example Lambda function to handle security findings delivered by an EventBridge rule
import json
import boto3  # used by the remediation calls you add inside the handlers below

def lambda_handler(event, context):
    # EventBridge places the GuardDuty finding directly under "detail"; there is no nested "finding" key
    finding = event['detail']
    finding_type = finding['type']
    severity = finding.get('severity')
    resource = finding.get('resource', {})
    # EKS findings identify the cluster in eksClusterDetails (there is no generic resourceId field)
    cluster_name = resource.get('eksClusterDetails', {}).get('name')
    # Kubernetes audit log findings also name the workload and the user behind the API call
    k8s = resource.get('kubernetesDetails', {})
    workload = k8s.get('kubernetesWorkloadDetails', {})
    user = k8s.get('kubernetesUserDetails', {}).get('username')

    action = 'notified-only'
    # Handle the finding based on type
    if finding_type == 'Execution:Kubernetes/ExecInKubeSystemPod':
        # Implement remediation actions for exec into kube-system pods here,
        # for example revoking the RBAC binding of the user who ran the command
        action = 'review-kube-system-exec'
    elif finding_type == 'PrivilegeEscalation:Kubernetes/PrivilegedContainer':
        # Implement remediation actions for privileged containers here,
        # for example scaling the workload to zero and opening an incident
        action = 'quarantine-privileged-workload'
    # Add more handling logic for other finding types

    summary = {
        'findingId': finding.get('id'),
        'type': finding_type,
        'severity': severity,
        'cluster': cluster_name,
        'namespace': workload.get('namespace'),
        'workload': workload.get('name'),
        'user': user,
        'action': action,
    }
    print(json.dumps(summary))  # written to CloudWatch Logs as the audit trail of what was done

    return {
        'statusCode': 200,
        'body': json.dumps(summary)
    }

Conclusion:

Integrating Amazon GuardDuty with your Amazon EKS cluster provides a powerful security monitoring and threat detection solution. By enabling GuardDuty, configuring email notifications, and optionally automating responses with AWS Lambda, you can stay on high alert for security events and promptly respond to potential threats, ensuring the security and resilience of your cloud-native applications.