Haytham Mostafa

AWS EKS Best Practices Guide for Security


Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications. Amazon EKS:

  • Runs and scales the Kubernetes control plane across multiple AWS Availability Zones to ensure high availability.
  • Automatically scales control plane instances based on load, detects and replaces unhealthy control plane instances, and provides automated version updates and patching for them.
  • Is integrated with many AWS services to provide scalability and security for your applications, including the following capabilities:
  1. Amazon ECR for container images
  2. Elastic Load Balancing for load distribution
  3. IAM for authentication
  4. Amazon VPC for isolation
  • Runs up-to-date versions of the open-source Kubernetes software, so you can use all of the existing plugins and tooling from the Kubernetes community. Applications that are running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, no matter whether they're running in on-premises data centers or public clouds. This means that you can easily migrate any standard Kubernetes application to Amazon EKS without any code modification.

Kubernetes and EKS have matured significantly over the last few years, with many standard practices developing across the industry based on lessons learned from earlier mistakes. Best practices for EKS build on the knowledge of Kubernetes-specific considerations and AWS-related standards. Following these recommendations ensures that the clusters are designed according to well-known conventions, reducing potential problems and improving the cluster management experience.

How does Amazon EKS work?

[Figure: EKS]

Security

Kubernetes security in EKS is shared between Amazon Web Services (AWS) and the customer. This shared responsibility model divides the main security aspects as follows:

  • AWS security – AWS is responsible for the security of the infrastructure that supports AWS services. In Amazon EKS, AWS protects the Kubernetes control plane, including the etcd database and the control plane nodes, and the effectiveness of those controls is regularly tested by third-party auditors as part of AWS compliance programs.
  • Customer-side security – As the customer, you are responsible for securing your workloads. This includes protecting your data, upgrading and patching worker nodes, and securely configuring the data plane: nodes, node operating systems, and containers. It also covers who can reach the cluster, that is, which IAM principals are mapped into the cluster and what Kubernetes RBAC grants them. You must also configure security groups that allow the EKS control plane to communicate securely with your virtual private clouds (VPCs). Note that the split for nodes depends on the compute option: with managed node groups AWS publishes patched AMIs but you initiate the update, while with Fargate AWS patches the underlying compute for you.
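Most of the customer-side items above are verified by inspecting the manifests you deploy. As an added example (not code from this post or from AWS), the script below encodes a small set of pod-spec checks and runs them against two constructed manifests, one deliberately weak and one hardened. The rule set is an assumption: it follows the Kubernetes Pod Security Standards "restricted" profile plus a read-only root filesystem check, and the Pod names, container names and image references are made up.

```python
"""Static checks for the container-level settings that fall on the cluster
owner under the EKS shared responsibility model.

Added example for this article, not code from the post or from AWS. The
rule set is an assumption: it mirrors the Kubernetes Pod Security Standards
"restricted" profile plus a read-only root filesystem check. Pods are given
as plain dicts, i.e. the JSON form of the YAML you would `kubectl apply`.
"""
from typing import Any, Dict, List

Finding = str


def _containers(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """initContainers share the securityContext schema with containers."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_pod(pod: Dict[str, Any]) -> List[Finding]:
    """Return one finding per violated rule; an empty list means the Pod passes."""
    findings: List[Finding] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Sharing host namespaces removes the isolation between the Pod and the node.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"spec.{ns} is true")

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")

        # Must be explicitly false; an unset value defaults to true in Kubernetes.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")

        # runAsNonRoot may be set at Pod level and inherited by every container.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not enforced")

        caps = sc.get("capabilities", {})
        drops = {d.upper() for d in caps.get("drop", [])}
        adds = {a.upper() for a in caps.get("add", [])}
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if adds - {"NET_BIND_SERVICE"}:
            findings.append(f"{name}: adds capabilities beyond NET_BIND_SERVICE")

        # Seccomp profile may also be inherited from the Pod-level securityContext.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile not RuntimeDefault or Localhost")

        # Not part of the PSS profile, but a common hardening control.
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")

    return findings


# Constructed sample manifests (hypothetical names and images).
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "shell",
            "image": "busybox:1.36",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "api",
            "image": "registry.example/api:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        result = check_pod(pod)
        print(pod["metadata"]["name"], "->", result or "OK")
```

The weak manifest is the kind of "debug" Pod that tends to appear in shared namespaces: it fails every rule, and `hostNetwork` plus `privileged` together are effectively root on the node. The hardened manifest passes with no findings; in a real cluster the same rules are enforced at admission time by the built-in Pod Security Admission controller or a policy engine, and a script like this is useful as a pre-deploy check in CI.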

[Figure: Security Layers]

Best practices

There are several security best practice areas that are pertinent when using a managed Kubernetes service like EKS:

  • Identity and Access Management
  • Pod Security
  • Runtime Security
  • Network Security
  • Multi-tenancy
  • Detective Controls
  • Infrastructure Security
  • Data Encryption and Secrets Management
  • Regulatory Compliance
  • Incident Response and Forensics
  • Image Security

As part of designing any system, you need to think about its security implications and the practices that can affect your security posture. For example, you need to control who can perform actions against a set of resources. You also need the ability to quickly identify security incidents, protect your systems and services from unauthorized access, and maintain the confidentiality and integrity of data through data protection. Having a well-defined and rehearsed set of processes for responding to security incidents will improve your security posture too. These tools and techniques are important because they support objectives such as preventing financial loss or complying with regulatory obligations.
