The AWS EKS Security Best Practices guide: https://aws.github.io/aws-eks-best-practices/security/docs/
Use minimal images
- Build FROM scratch where the workload allows it (statically linked binaries)
- Use Alpine or Debian slim base images
- For node / python, use the alpine or slim-bullseye variants of the official images
Scan images for vulnerabilities
- Docker Scout
- Introduced in Docker Desktop version 4.17
- docker scan is now deprecated
- Implement ECR lifecycle policies and scan images via ECR (Amazon Inspector)
- Free for basic scanning
- Supported OSs: https://docs.aws.amazon.com/inspector/latest/user/supported.html
- Each container image may be scanned once per 24 hours with basic scanning
- Whenever Amazon Inspector adds a new CVE to its database, all eligible container images in your configured Amazon ECR repositories are automatically re-scanned.
Host (node) AMI
- Bottlerocket, a minimal container-host OS: https://aws.amazon.com/bottlerocket/
- EC2 Image Builder for hardened custom AMIs: https://aws.amazon.com/image-builder/
Prevent misconfigurations
- Red Hat "State of Kubernetes security report": https://www.redhat.com/rhdc/managed-files/cl-state-kubernetes-security-report-262667-202304-en.pdf
- Datree built-in policies: https://hub.datree.io/built-in-rules
- Conftest: https://www.conftest.dev/
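A Conftest policy of the kind the misconfiguration section points at, written here as an added example (it is not from the video, Datree or the Conftest project). It assumes Rego v1 syntax (`import rego.v1`, OPA 0.59 or newer) and that the policy lives in a `policy/` directory; the checks mirror common built-in rules: no privileged containers, non-root, no privilege escalation, no mutable `:latest` tags.

```rego
# policy/k8s_security.rego  (constructed example; file name is an assumption)
package main

import rego.v1

# Workload kinds that carry a Pod template.
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet"}

# Collect app containers and init containers from the Pod template.
containers contains c if {
	input.kind in workload_kinds
	some c in input.spec.template.spec.containers
}

containers contains c if {
	input.kind in workload_kinds
	some c in input.spec.template.spec.initContainers
}

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("%s: container %q must not run privileged", [input.metadata.name, c.name])
}

# `not ... == true` also fires when securityContext is missing entirely.
deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot == true
	msg := sprintf("%s: container %q must set securityContext.runAsNonRoot: true", [input.metadata.name, c.name])
}

deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("%s: container %q must set securityContext.allowPrivilegeEscalation: false", [input.metadata.name, c.name])
}

deny contains msg if {
	some c in containers
	endswith(c.image, ":latest")
	msg := sprintf("%s: container %q uses the mutable :latest tag", [input.metadata.name, c.name])
}
```

Run it against a manifest with `conftest test deployment.yaml -p policy/`; a manifest that omits `securityContext` fails the non-root and privilege-escalation rules, which is the intended behaviour.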
00:00 intro
00:44 AWS EKS Security Guide
01:11 Container Image Security
08:44 OS/Node Security
12:57 Avoiding misconfiguration on the cluster
18:05 Thank you