Implementing Automatic Threat Detection with GuardDuty and EKS

Jens Andersson
Published in AWS Specialists
6 min read · Aug 29, 2023


In the face of the surging Kubernetes market, securing our customers’ AWS accounts while providing robust solutions like Amazon EKS is our foremost responsibility as AWS professionals. The integration of Amazon GuardDuty into EKS addresses this dual objective effectively. Leveraging machine learning, anomaly detection, and threat intelligence, GuardDuty consistently monitors cluster control plane activities and audit logs, promptly identifying and flagging potential threats such as suspicious privilege-escalation techniques.

Let’s delve deeper into the practical aspects of this integration.

The Setup

Enable AWS CloudTrail

Before integrating GuardDuty, ensure AWS CloudTrail is enabled. This captures EKS API call logs, providing crucial data for GuardDuty to analyze.

  1. Navigate to the AWS CloudTrail Console.
  2. Click on “Create trail.”
  3. Provide a name for the trail and select an S3 bucket for log storage.
  4. Click “Create.”

Setting Up GuardDuty

Next, we need to enable GuardDuty.

  1. Navigate to the Amazon GuardDuty console.
  2. Click on “Get started.”
  3. On the following page, select “Enable GuardDuty.”

Enabling EKS Audit Log Monitoring in GuardDuty

In multi-account setups, only the GuardDuty delegated administrator has the authority to activate the EKS Audit Log Monitoring for member accounts. These member accounts are not allowed to modify this feature. For efficiency, the delegated administrator also has the capability to automatically activate this feature for new accounts joining the organization.

Standalone (single-account) setups are less common among teams running EKS. If you are taking that approach, the AWS GuardDuty documentation covers the steps in detail.

Configure via Console:

  1. Access GuardDuty console with management credentials.
  2. Navigate to “Settings” > “EKS Protection”.
  3. Check the current EKS Audit Log Monitoring status.
  4. Select “Edit” in the delegated administrator pane.
  5. Toggle EKS Protection to enable or disable EKS Audit Log Monitoring and EKS Runtime Monitoring.
  6. Confirm with “Save”.

API Configuration:

The same settings can be applied with the AWS CLI or an AWS SDK; check the AWS GuardDuty API documentation for the exact calls and parameters.
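As an added example (not code from the article), the following boto3 helpers turn on EKS Audit Log Monitoring and EKS Runtime Monitoring for the detector in the calling account and then reduce the get_detector response to a simple enabled/disabled status you can assert on in an audit script. The detector id is a placeholder and the region default is an assumption; the two pure helpers run offline, only enable_eks_protection needs AWS credentials.

```python
"""Turn on EKS Protection for a GuardDuty detector with boto3 and verify the result.
Added example, not from the article; DETECTOR_ID is a placeholder and the region is assumed."""
EKS_FEATURES = ("EKS_AUDIT_LOGS", "EKS_RUNTIME_MONITORING")
DETECTOR_ID = "detector-id-placeholder"

def eks_feature_request(detector_id, runtime_monitoring=True):
    """Build the keyword arguments for GuardDuty.Client.update_detector."""
    features = [{"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}]
    if runtime_monitoring:
        features.append({
            "Name": "EKS_RUNTIME_MONITORING",
            "Status": "ENABLED",
            # Let GuardDuty install and keep the runtime agent EKS add-on up to date.
            "AdditionalConfiguration": [
                {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}
            ],
        })
    return {"DetectorId": detector_id, "Features": features}

def eks_protection_status(get_detector_response):
    """Reduce a get_detector response to {feature_name: enabled?}.
    A feature missing from the response counts as disabled, the safe assumption for an audit."""
    status = {name: False for name in EKS_FEATURES}
    for feature in get_detector_response.get("Features", []):
        if feature.get("Name") in status:
            status[feature["Name"]] = feature.get("Status") == "ENABLED"
    return status

def enable_eks_protection(detector_id=DETECTOR_ID, region="eu-west-1"):
    """Apply the request, then read back what the detector reports (needs AWS credentials)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    client = boto3.client("guardduty", region_name=region)
    client.update_detector(**eks_feature_request(detector_id))
    return eks_protection_status(client.get_detector(DetectorId=detector_id))
```

In a multi-account setup the delegated administrator applies the same feature names through update_organization_configuration to auto-enable them for member accounts.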

After enabling EKS Protection in Amazon GuardDuty, your AWS Console will display the change.

Next, navigate to the ‘Findings’ section. At this stage, you likely won’t see any findings yet.

With Amazon GuardDuty now active and protecting your EKS clusters, you’re ready to see it in action. A key feature of GuardDuty for EKS is that it does not require you to enable or store EKS control plane logs yourself: GuardDuty reads the cluster audit logs through a direct integration, analyzes the activity, and reports findings specific to your Kubernetes resources.

Trusted and Threat IP Lists for Enhanced Threat Monitoring

GuardDuty can be tailored to monitor specific threats, such as alerting you when a known malicious IP accesses a particular pod. This customization is possible through “Trusted IP lists” and “Threat IP lists.”

Trusted IP lists contain IP addresses deemed safe for secure communication with your AWS environment. GuardDuty does not generate findings for IP addresses included in trusted IP lists.

Threat IP lists include known malicious IP addresses. When these addresses interact with your EKS environment, GuardDuty will generate findings.

  1. In the GuardDuty console, navigate to “Settings” and then “Lists.”
  2. Before creating a Trusted or Threat IP list, upload the IP address list to an S3 bucket.
  3. Click “Add a threat/trusted IP list.”
  4. Name your list, for instance, “Malicious IPs.”
  5. Enter the S3 location of the IP list.
  6. Choose the format of the list.
  7. Activate the newly created list so GuardDuty starts monitoring against it.
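Before uploading a list in step 2, it is worth checking it, because a malformed line fails the whole list and an entry in your own private address space is useless on a threat list and dangerous on a trusted list. The following checker is an added example, not code from the article; the sample list is constructed from documentation address ranges, and the overlap check shows why the same range must never appear on both a trusted and a threat list.

```python
"""Check a GuardDuty threat or trusted IP list (plaintext format) before uploading it to S3.
Added example, not from the article; the sample list is constructed from documentation ranges."""
import ipaddress

# Constructed sample in the plaintext list format: one IP address or CIDR block per line.
SAMPLE_THREAT_LIST = """\
198.51.100.23
203.0.113.0/24
10.0.0.5
198.51.100.23
not-an-ip
"""

# Address space that can never be an internet peer of the cluster: a threat entry here
# is a copy-paste mistake, and a trusted entry here hides findings for your own network.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def validate_ip_list(text):
    """Return (accepted, problems): de-duplicated networks in file order, and rejection reasons."""
    accepted, seen, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: '{line}' is not an IP address or CIDR block")
            continue
        if any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
            problems.append(f"line {lineno}: {net} is internal/reserved address space")
            continue
        if net in seen:
            problems.append(f"line {lineno}: duplicate entry {net}")
            continue
        seen.add(net)
        accepted.append(net)
    return accepted, problems

def overlaps(trusted, threat):
    """Threat entries shadowed by a trusted entry: GuardDuty suppresses findings for trusted
    IPs, so an overlap silently disables that part of the threat list."""
    return [t for t in threat if any(t.version == u.version and t.overlaps(u) for u in trusted)]

def to_plaintext(networks):
    """Serialise accepted entries back into upload format, writing single hosts without /32."""
    return "".join(f"{n.network_address if n.prefixlen == n.max_prefixlen else n}\n"
                   for n in networks)
```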

Responding to GuardDuty Findings and Setting up Alerts

Amazon GuardDuty provides a comprehensive threat detection service, generating “Findings” that give you detailed insights into potential security issues. Knowing how to navigate these findings, respond effectively to unauthorized access, and set up alerts for these events are crucial aspects of your AWS security management.

Responding to Unauthorized Access

  1. Navigate to “Findings” in the GuardDuty console.
  2. Identify the finding related to the unauthorized access.
  3. Examine the finding details to understand the nature and extent of the unauthorized access.
  4. Use ‘kubectl describe pod <pod-name>’ to inspect the specific pod details.
  5. Based on the information from the finding, determine your remediation steps. This could involve changing the pod’s security context, modifying IAM policies, or altering RBAC rules.

With this in place, you’ll be prepared to handle specific threats and respond effectively to potential unauthorized access incidents.

Setting Up Alerts for GuardDuty Findings

To ensure timely notification and response to threats, it’s essential to set up alerts for GuardDuty findings:

  1. In the GuardDuty console, navigate to “Settings.”
  2. The standard setting is to export to EventBridge, but you can also use an S3 bucket. For this example, we will use EventBridge.
  3. Next, go to the Amazon EventBridge Console, and navigate to “Rules.”
  4. Click “Create rule.”
  5. Give the rule a name and description. Use the default “Event bus” and Rule type “Rule with an event pattern.”
  6. For Event pattern, choose “AWS services” as “Event source,” “GuardDuty” as “AWS service,” and “GuardDuty Finding” as “Event type.”
  7. The next step is to select a target for the notifications. Choose your preferred target, for example, an SNS topic or Lambda function.
  8. Click next to add optional tags, then review and create the rule.

Now, you’ll receive notifications to your chosen target when GuardDuty detects a threat, enabling swift and effective responses to security incidents.
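To tie the alerting rule to the response checklist above, here is an added example (not the article's code) of a Lambda target for that rule: it pulls the cluster, namespace, workload and Kubernetes user out of a GuardDuty Finding event, pre-builds the kubectl inspection command from the checklist, and decides whether to page or to open a ticket. SAMPLE_EVENT is a constructed event in the shape EventBridge passes to Lambda, and the severity-based routing policy is an assumption, not a GuardDuty feature.

```python
"""Triage a GuardDuty EKS finding that the EventBridge rule above hands to a Lambda target.
Added example, not the article's code; SAMPLE_EVENT is constructed and the routing policy assumed."""

# Constructed sample: a GuardDuty Finding event for a privileged pod in namespace "ci".
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "type": "PrivilegeEscalation:Kubernetes/PrivilegedContainer",
        "severity": 5,
        "resource": {
            "resourceType": "EKSCluster",
            "eksClusterDetails": {"name": "prod-cluster"},
            "kubernetesDetails": {
                "kubernetesUserDetails": {"username": "system:serviceaccount:ci:deployer"},
                "kubernetesWorkloadDetails": {"type": "pods", "name": "builder-7f9c", "namespace": "ci"},
            },
        },
    },
}

def summarize_eks_finding(event):
    """Flatten the fields an on-call engineer needs; None if the finding is not about an EKS cluster."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "EKSCluster":
        return None
    k8s = resource.get("kubernetesDetails", {})
    workload = k8s.get("kubernetesWorkloadDetails", {})
    return {
        "finding_type": detail.get("type"),
        "severity": float(detail.get("severity", 0)),
        "cluster": resource.get("eksClusterDetails", {}).get("name"),
        "namespace": workload.get("namespace"),
        "workload": workload.get("name"),
        "user": k8s.get("kubernetesUserDetails", {}).get("username"),
        # The inspection step from the response checklist, ready to paste into a terminal.
        "inspect": f"kubectl describe pod {workload.get('name')} -n {workload.get('namespace')}",
    }

def route(summary, page_threshold=7.0):
    """Assumed policy: page the on-call for high severity (GuardDuty 7.0+), ticket otherwise."""
    if summary is None:
        return "ignore"
    return "page" if summary["severity"] >= page_threshold else "ticket"

def handler(event, context=None):
    """Lambda entry point: return the decision so the SNS/ticketing step after it can act."""
    summary = summarize_eks_finding(event)
    return {"route": route(summary), "summary": summary}
```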

A Word of Caution: Staying Abreast with Compatibility

While Amazon GuardDuty’s integration with EKS offers remarkable security enhancements, it’s crucial to note a few “gotchas” when working with these services. For example, AWS’s update schedule for their EKS versions and GuardDuty agent might not always align.

There have been instances where a new EKS version, such as 1.27, was released, but the GuardDuty agent hadn’t yet caught up with support for the new version. As AWS professionals, we must be vigilant and ensure that our chosen EKS version aligns with the supported GuardDuty agent versions. This not only aids in seamless integration but also circumvents potential security gaps that might occur due to version incompatibility.

To track the release history and compatibility of the EKS Runtime Monitoring Agent, you can refer to this AWS Documentation. Bookmarking and revisiting this page often will help you stay updated with the latest versions and ensure the optimum functioning of your EKS-GuardDuty integration.

As AWS experts, we acknowledge these nuances, adapt to them, and ensure that we offer our clients the most robust and updated solutions.

Wrap-Up: Why GuardDuty with EKS Makes Sense

In conclusion, integrating GuardDuty with EKS is not just a sensible choice — it’s an intelligent one. By effectively harnessing the power of these tools, we, as AWS specialists, can protect our AWS environments, optimize security operations, and ensure the trust and satisfaction of our customers. As Kubernetes continues to dominate the market, let’s stay ahead of the curve, providing secure, reliable services through an understanding and application of GuardDuty with EKS.
