Threat Stack is now F5 Distributed Cloud App Infrastructure Protection (AIP). Start using Distributed Cloud AIP with your team today.
This is a joint blog post written by Amber Bennoui, Senior Technical Product Manager for UI and Agent, and Sabin Thomas, VP AppSec Engineering.
What is Fargate?
Launched by AWS in 2017, Fargate is a serverless compute engine that deploys and runs containers without the need to manage servers or clusters of virtual machines. By eliminating the need to manage additional infrastructure, Fargate helps Ops teams and developers focus on what they do best, i.e., develop and deploy application code.
Fargate allows you to provision on-demand, right-sized compute capacity for containers on both AWS ECS and EKS. Threat Stack has historically provided visibility for ECS on Fargate and is now thrilled to introduce the same capabilities for EKS on Fargate. Threat Stack is one of the few cloud security providers to cover both EKS and ECS. By securing your workloads and, in turn, looking for malicious processes and network activity, we actively guard against threats like data exfiltration within these environments. This is possible because the Threat Stack agent monitors East-West and North-South netflows, giving you full visibility into your Fargate environment. In this blog, we’ll take a comprehensive look at the detections that Threat Stack offers for Fargate EKS.
Why Amazon EKS on AWS Fargate?
Amazon EKS on Fargate is an excellent option if you are running native Kubernetes and are looking to relieve some of the burdens required to maintain and manage your clusters. Fargate supports all common container use cases you might use, such as machine learning applications or microservices architecture applications. In addition, applications that do not require total control from your end are great candidates for Fargate as you can launch the containers without having to provision or manage EC2 instances.
Given that running EKS on Fargate reduces the effort needed to maintain both Kubernetes and the underlying infrastructure in your environment, it is a strong option for managers who may be running multiple departments, like DevOps and Security. However, while running EKS on Fargate puts some of the security burden on AWS, it does not cover all of it. This is because Fargate shifts the shared security responsibility model from security of the cloud to security in the cloud.
As illustrated below, AWS takes responsibility for protecting the infrastructure that runs AWS services in the AWS Cloud. For Fargate EKS, AWS is responsible for the Kubernetes control plane, including the control plane nodes and etcd database.

AWS Fargate EKS shared responsibility model, which illustrates customer responsibility and that of AWS.
Per AWS, “Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.” As a result, Threat Stack made it mission-critical to adapt to AWS functionalities with the shared responsibility model in mind. Configuring Threat Stack to get full visibility into network configuration and application processes in Fargate EKS can be accomplished in minutes, fulfilling the ‘customer’ side of the shared responsibility model.
Installation and Configuration
Below is a simple three-step process on how to get started with running Threat Stack on a sample application on EKS Fargate.
1. We first mount a shared volume in the Kubernetes deployment that is accessible by both the application container and the Threat Stack container.

2. We then update the existing Kubernetes deployment here with an initContainer to allow for the initial instrumentation of the agent.

3. Finally, we add the Threat Stack sidecar that runs when the application container comes up.
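
The three steps above, sketched as a single Deployment manifest. This is an added illustration, not Threat Stack's published manifest: the image names, the `/shared` mount path, the namespace, and the init container's copy command are placeholder assumptions.

```yaml
# Added illustration of the volume / initContainer / sidecar pattern.
# All image names, paths and commands are placeholders, not vendor values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
  namespace: fargate-apps          # assumed: a namespace matched by a Fargate profile
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sample-app
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      volumes:
        # Step 1: shared volume accessible to both the app and the agent.
        # emptyDir is used because Fargate pods cannot mount hostPath volumes.
        - name: agent-shared
          emptyDir: {}
      initContainers:
        # Step 2: runs to completion before the app starts and stages the
        # agent's instrumentation files into the shared volume.
        - name: agent-init
          image: registry.example.com/agent-init:PLACEHOLDER
          command: ["sh", "-c", "cp -r /opt/agent/. /shared/"]
          volumeMounts:
            - name: agent-shared
              mountPath: /shared
      containers:
        - name: app
          image: registry.example.com/sample-app:PLACEHOLDER
          volumeMounts:
            - name: agent-shared
              mountPath: /shared
        # Step 3: agent sidecar that runs alongside the application container.
        - name: agent-sidecar
          image: registry.example.com/agent:PLACEHOLDER
          volumeMounts:
            - name: agent-shared
              mountPath: /shared
```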

Use Threat Stack to Securely Monitor Amazon EKS on AWS Fargate
Once the Threat Stack agent has been deployed to your application running on Fargate EKS, you should see events populate in the Threat Stack platform, along with the ability to apply Threat Stack managed rules to these events or create custom rules.
Threat Stack provides real-time monitoring and detection for the following activity in your Fargate EKS environment:
- Interactive sessions
- SSHD binaries
- Data exfiltration attempts
- Unexpected network connections
Threat Stack events surface important context at a high level, allowing users to quickly perform forensic investigations around both process and network event metadata, time period, and specific workloads:

Fargate process event summary view.

An overview of Threat Stack’s managed Fargate Rule Set.
Fargate process or netflow events that match a Threat Stack managed or custom rule generate actionable alerts that allow for immediate visibility into your environment.

A Threat Stack detected Fargate alert in Group View.
Threat Stack support for Amazon EKS on AWS Fargate will be generally available in August 2021.