To enable MVISION Cloud Container Security for use with Amazon EKS, make the following configurations in the Amazon Console and MVISION Cloud.
Configure Amazon EKS
- In the AWS Console, go to EKS.
- Create an EKS cluster to use with MVISION Cloud detection.
- When you create the cluster, make sure Logging is enabled at the Cluster Primary Node for the API Server, Scheduler, and Controller Manager. If logging is not enabled during the cluster creation, the cluster won't be discovered by MVISION Cloud, and cannot be evaluated for configuration checks. You can enable logging using the following command as soon as the cluster is created:
eksctl utils update-cluster-logging --enable-types api,controllerManager,scheduler --cluster=test-eks
- Also, enable API Server endpoint public access for each cluster. For details, see Amazon EKS Cluster Endpoint Access Control.
- Provide permissions to the MVISION Cloud for EKS policies. There are two options that you can use to provide permissions.
Configure MVISION Cloud IAM Roles for AWS
MVISION Cloud uses AWS CloudFormation Templates to create the IAM roles required to configure AWS accounts. Permissions for all MVISION Cloud features are consolidated in CloudFormation Templates, so you do not have to track and provide permissions separately for each feature.
For Container Security, use one of three options:
Grant IAM Role Access to EKS Clusters
Next, for the IAM role you created for MVISION Cloud, you must grant it access to all the clusters in the AWS account. You can give an IAM role access to a specific cluster using eksctl, which is the official CLI for Amazon EKS. Or you can use the kubectl aws-auth ConfigMap within Kubernetes. For details, see:
MVISION Cloud can only discover clusters that the IAM role has access to and has enabled public access.
eksctl create iamidentitymapping --cluster eksctl-eks-test-auto-1-cluster --arn arn:aws:iam::XXXXXXXXXXXX:role/IAM_MVISION --group system:masters --username admin
Install the SSM Agent on Amazon EC2 Instances
To enable the Docker runtime in ECS and EKS, install the AWS Systems Manager (SSM) agent in the EC2 instance (host) of a particular ECS or EKS cluster.
For install instructions, see https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html.
Also, to the IAM role associated with the EC2 instance where you want SSM capabilities, add the policy: arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM.
To view SSM managed instances in AWS, go to AWS Systems Manager > Managed Instances.
NOTE: If the ping status is inactive or lost, restart the SSM agents for different instance types, as mentioned in https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html.
Configure MVISION Cloud
Configure a New AWS Instance
If you haven't configured an AWS instance in MVISION Cloud yet, use the following steps.
NOTE: Permissions against all the pre-defined policy templates are checked during authentication.
- Go to Settings > Service Management.
- Select the AWS service instance and click the Setup tab.
- Enable API access, then click Edit.
- For Enabled Features, make sure Security Configuration Audit is enabled. Click Next.
- In the Review Prerequisites screen, review permissions and click I have reviewed all prerequisites for enablement and completed any that are mandatory. Click Next.
- For Accounts, enter your Role ARN. Click Add.
- Click Authenticate Accounts.
- Click Save.
Configure an Existing AWS Instance
If you already have an AWS instance configured in MVISION Cloud, use the following steps.
NOTE: Permissions against imported policies are checked during authentication and On-Demand Scans.
- Go to Policy > Policy Templates
- In the Table view, filter by Business Requirement > Container Security. (For details about policy templates for ECS and EKS, see Policy Templates for Container Security.)
NOTE: In the Filters > Usage section, you can also choose Not Used to list all un-imported templates.
- Select all the templates you want to create policies for and click Actions > Create Policy. Click Create Policies
- All the imported policies will appear under Policy > Configuration Audit page
- Select the policies and click Actions > Activate Policies.
The policies are activated. Subsequent AWS configuration audit scans discover ECS and EKS resources, and also evaluate these policies and report any incidents.
You may also choose to manually trigger the scan from the Policy > On-Demand Scan. For details, see On-Demand Scans for Container Security.