Skyhigh Security

Configure Container Security for EKS

To enable Skyhigh CASB Container Security for use with Amazon EKS, make the following configurations in the Amazon Console and Skyhigh CASB. 

Configure Amazon EKS

  1. In the AWS Console, go to EKS. 
  2. Create an EKS cluster to use with Skyhigh CASB detection. 
  3. When you create the cluster, make sure Logging is enabled at the Cluster Primary Node for the API Server, Scheduler, and Controller Manager. If logging is not enabled during the cluster creation, the cluster won't be discovered by Skyhigh CASB, and cannot be evaluated for configuration checks. You can enable logging using the following command as soon as the cluster is created:
    eksctl utils update-cluster-logging --enable-types api,controllerManager,scheduler --cluster=test-eks
  4. Also, enable API Server endpoint public access for each cluster. For details, see Amazon EKS Cluster Endpoint Access Control.
  5. Provide permissions to the Skyhigh CASB for EKS policies. There are two options that you can use to provide permissions.
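
The two cluster prerequisites in steps 3 and 4 can be verified before onboarding. The following Python script is an added example, not Skyhigh or AWS code: it reads the JSON printed by `aws eks describe-cluster` and reports missing log types and a disabled public endpoint. The function name, messages, and sample document are constructed for illustration.

```python
import json
import sys

# Log types the page requires for discovery (the eksctl --enable-types list).
REQUIRED_LOG_TYPES = {"api", "controllerManager", "scheduler"}

# Constructed sample in the shape of `aws eks describe-cluster` output.
SAMPLE = json.loads("""
{"cluster": {"name": "test-eks",
  "logging": {"clusterLogging": [
    {"types": ["api", "audit"], "enabled": true},
    {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": false}]},
  "resourcesVpcConfig": {"endpointPublicAccess": true,
                         "endpointPrivateAccess": false,
                         "publicAccessCidrs": ["0.0.0.0/0"]}}}
""")


def check_cluster(described):
    """Return blocking problems and review notes for one cluster description."""
    cluster = described.get("cluster", described)
    blocking, notes = [], []

    # Collect every log type that appears in an enabled clusterLogging entry.
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    missing = sorted(REQUIRED_LOG_TYPES - enabled)
    if missing:
        blocking.append("logging not enabled for: " + ", ".join(missing))

    vpc = cluster.get("resourcesVpcConfig", {})
    if not vpc.get("endpointPublicAccess", False):
        blocking.append("API server endpoint public access is disabled")
    elif "0.0.0.0/0" in vpc.get("publicAccessCidrs", []):
        # Not a blocker for discovery, but worth a conscious decision.
        notes.append("public endpoint accepts any source address (0.0.0.0/0)")

    return {"blocking": blocking, "notes": notes}


if __name__ == "__main__":
    # Pipe real output in, or run with no input to see the constructed sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    result = check_cluster(doc)
    for line in result["blocking"]:
        print("BLOCKING:", line)
    for line in result["notes"]:
        print("NOTE:", line)
    sys.exit(1 if result["blocking"] else 0)
```

To check a real cluster, pipe `aws eks describe-cluster --name test-eks` into the script; it exits non-zero when a prerequisite is missing.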

Configure Skyhigh CASB IAM Roles for AWS

Skyhigh CASB uses AWS CloudFormation Templates to create the IAM roles required to configure AWS accounts. Permissions for all Skyhigh CASB features are consolidated in CloudFormation Templates, so you do not have to track and provide permissions separately for each feature. 

For Container Security, use one of three options:

  1. AWS Managed Policy SecurityAudit. This is the recommended option. 
  2. Read-Only Access
  3. Minimum Permissions

Grant IAM Role Access to EKS Clusters

Next, grant the IAM role you created for Skyhigh CASB access to all the clusters in the AWS account. You can give an IAM role access to a specific cluster using eksctl, which is the official CLI for Amazon EKS. Alternatively, you can use kubectl to edit the aws-auth ConfigMap within Kubernetes. For details, see:

Skyhigh CASB can only discover clusters that the IAM role has access to and that have public access enabled.

For example:

eksctl create iamidentitymapping --cluster eksctl-eks-test-auto-1-cluster --arn arn:aws:iam::XXXXXXXXXXXX:role/IAM_MVISION --group system:masters --username admin

 

Install the SSM Agent on Amazon EC2 Instances

To enable the Docker runtime in ECS and EKS, install the AWS Systems Manager (SSM) agent on the EC2 instance (host) of the particular ECS or EKS cluster.

For install instructions, see https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html.

Also, add the policy arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM to the IAM role associated with the EC2 instance where you want SSM capabilities.

To view SSM managed instances in AWS, go to AWS Systems Manager > Managed Instances.


NOTE: If the ping status is inactive or lost, restart the SSM agent as described for your instance type in https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html.

 
