K8s and GuardDuty
GuardDuty is AWS's built-in threat detection service and covers a wide variety of AWS services. For EKS, AWS's managed Kubernetes service, GuardDuty offers two features. The first is EKS Audit Log Monitoring under EKS Protection. It captures the sequence of actions within your Amazon EKS cluster, including activity from users, from applications that use the Kubernetes API, and from the control plane, and analyzes it for potentially malicious and suspicious behaviour. The second option for EKS monitoring with GuardDuty is EKS Runtime Monitoring. With this feature, an agent runs as a pod in your Kubernetes cluster and scans for and identifies containers that are potentially compromised.
Enabling EKS audit logs in EKS Protection via Terraform is very straightforward.
```hcl
resource "aws_guardduty_detector" "eks_audit_logs" {
  enable = true
}

# Attach the EKS Audit Log Monitoring feature to the detector above.
resource "aws_guardduty_detector_feature" "eks_audit_logs" {
  detector_id = aws_guardduty_detector.eks_audit_logs.id
  name        = "EKS_AUDIT_LOGS"
  status      = "ENABLED"
}
```
And that's it. EKS audit logs should now be easily accessible via CloudWatch, from where you can forward them to your SIEM of choice.
For EKS Runtime Monitoring, you have two options. If you want AWS to automatically enable runtime monitoring, and manage the agent add-on, for all clusters, the Terraform is quite simple.
```hcl
# Enable runtime monitoring on the same detector and let GuardDuty
# install and manage the agent add-on on every cluster in the account.
resource "aws_guardduty_detector_feature" "eks_runtime_monitoring" {
  detector_id = aws_guardduty_detector.eks_audit_logs.id
  name        = "EKS_RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
}
```
However, if you only want to enable this service on certain clusters, you will need to create the supporting infrastructure yourself. This involves an endpoint policy, a VPC endpoint, and an `aws_eks_addon` resource for each cluster you want covered.
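The selective path described above, as an added example that is not part of the original post: the feature is enabled with add-on management left off, a private `guardduty-data` endpoint is created in the cluster's VPC with a policy that only admits principals from this account, and the agent add-on is installed on one chosen cluster. It assumes the detector `aws_guardduty_detector.eks_audit_logs`, a cluster resource `aws_eks_cluster.selected`, and a `var.region` variable.

```hcl
# Added example, not the original post's code. Assumes var.region and
# aws_eks_cluster.selected exist; the detector name matches the post.
data "aws_caller_identity" "current" {}

data "aws_vpc" "cluster" {
  id = aws_eks_cluster.selected.vpc_config[0].vpc_id
}

# Turn the feature on, but keep GuardDuty from installing the agent everywhere.
resource "aws_guardduty_detector_feature" "eks_runtime_monitoring_manual" {
  detector_id = aws_guardduty_detector.eks_audit_logs.id
  name        = "EKS_RUNTIME_MONITORING"
  status      = "ENABLED"
  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "DISABLED"
  }
}

# The agent only needs HTTPS to the endpoint from inside the VPC.
resource "aws_security_group" "guardduty_data" {
  name   = "guardduty-data-endpoint"
  vpc_id = data.aws_vpc.cluster.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.cluster.cidr_block]
  }
}

# Endpoint policy: only principals from this account may use the endpoint,
# so a foreign account cannot route agent traffic through it.
data "aws_iam_policy_document" "guardduty_endpoint" {
  statement {
    actions   = ["*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_vpc_endpoint" "guardduty_data" {
  vpc_id              = data.aws_vpc.cluster.id
  service_name        = "com.amazonaws.${var.region}.guardduty-data"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_eks_cluster.selected.vpc_config[0].subnet_ids
  security_group_ids  = [aws_security_group.guardduty_data.id]
  private_dns_enabled = true
  policy              = data.aws_iam_policy_document.guardduty_endpoint.json
}

# Install the managed agent add-on on just this cluster.
resource "aws_eks_addon" "guardduty_agent" {
  cluster_name = aws_eks_cluster.selected.name
  addon_name   = "aws-guardduty-agent"
  depends_on   = [aws_vpc_endpoint.guardduty_data]
}
```

Repeat the `aws_eks_addon` block (and, if the cluster lives in a different VPC, the endpoint and security group) for each additional cluster you want monitored.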
And that's pretty much it for this short exploration into Kubernetes and AWS GuardDuty.