The Amazon Elastic Kubernetes Service (EKS) Creation Engine (ECE) is a Python command-line program created by the Lightspin Office of the CISO to facilitate the creation and enablement of secure EKS Clusters, optionally further assured with continual Kubernetes Security Posture Management (KSPM), Runtime Protection, and Application Performance Monitoring (APM) capabilities.
ECE is a Python utility that creates a fully functioning EKS Cluster, complete with Nodegroups built from EC2 Launch Templates, since it was designed for creating EKS Nodegroups with custom AMIs and custom bootstrapping.
At a high level, ECE...
- Supports the full lifecycle of EKS management: Creation, Deletion, Rollbacks, and Updates
- Bootstraps Nodegroups based on IMDSv2 and Custom AMIs (currently supports Amazon Linux 2 & Ubuntu 20.04 LTS, Arm64 & Amd64)
- Authorizes additional IAM Principals into your Cluster
- Installs and configures Microsoft Defender for Endpoint (MDE), Sysdig's Falco & FalcoSidekick, and/or Datadog if desired
- Performs Kubernetes Security Posture Management (KSPM) tasks using Aqua Security's Trivy (vulnerability management) and Kube-bench (EKS CIS Benchmarking), writing the results to a SARIF JSON report
After creating a Cluster with ECE, you are free to use your own tools such as eksctl or Terraform to further extend it!
It is very easy to get started: just provide a VPC ID and two matching private Subnet IDs.

```bash
python3 main.py \
--subnets subnet-123 subnet-456 \
--vpcid vpc-123
```
tl;dr = ECE will create a secure cluster the first time, every time, and support the security of your clusters throughout their lifetime better than AWS' own defaults.
For those using the Console, APIs, CLI, or SDKs to create a Cluster, AWS provides neither the best experience nor secure defaults; ECE does.
Feature | Default-by-AWS | Default-by-ECE |
---|---|---|
Public API Endpoint | ✅ | ❌ |
API Server Logging | ❌ | ✅ |
Audit Logging | ❌ | ✅ |
Authenticator Logging | ❌ | ✅ |
Controller Manager Logging | ❌ | ✅ |
Scheduler Logging | ❌ | ✅ |
Secrets Envelope Encryption | ❌ | ✅ |
Node Volume Encryption | ❌ | ✅ |
Minimum Necessary Security Group Permissions | ❌ | ✅ |
Minimum Necessary IAM Role Permissions | ❌ | ✅ |
KMS Key Generation | ❌ | ✅ |
IMDSv2 on Nodes | ❌ | ✅ |
EDR on Nodes | ❌ | ✅ |
Dynamic Custom AMI bootstrapping | ❌ | ✅ |
Falco Configuration by Default | ❌ | ✅ |
FalcoSidekick Configuration by Default | ❌ | ✅ |
CIS Benchmarking | ❌ | ✅ |
Container Vulnerability Scanning | ✅ | ✅ |
Note: Yes, we realize we are being cheeky with a lot of comparisons and features that AWS shouldn't be expected to provide, it's still concerning that AWS does not conform to their own best practices for defaults.
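The table above can be turned into a check you run against your own clusters. The following is an added example, not part of ECE, that audits a DescribeCluster response for three of the control-plane settings in the table (public endpoint, control-plane logging, and secrets envelope encryption); the field names follow the EKS DescribeCluster API and the two sample payloads are constructed for illustration.

```python
from typing import Dict, List

# Control-plane log types EKS can ship to CloudWatch (names as used by the EKS API);
# the ECE defaults in the table enable all five.
REQUIRED_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def audit_cluster(cluster: Dict) -> List[str]:
    """Return findings for a describe_cluster()['cluster'] payload.
    An empty list means the cluster matches the ECE defaults checked here."""
    findings = []
    vpc = cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess", True):
        findings.append("public API endpoint enabled")
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    for missing in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"control-plane log type not enabled: {missing}")
    encrypted = any(
        "secrets" in cfg.get("resources", []) and cfg.get("provider", {}).get("keyArn")
        for cfg in cluster.get("encryptionConfig", [])
    )
    if not encrypted:
        findings.append("secrets envelope encryption (KMS) not configured")
    return findings


def audit_live_cluster(name: str) -> List[str]:
    """Fetch a real cluster with boto3 (needs AWS credentials) and audit it."""
    import boto3  # imported lazily so the offline samples below need no AWS SDK
    return audit_cluster(boto3.client("eks").describe_cluster(name=name)["cluster"])


# Constructed sample resembling an AWS-default cluster: public endpoint, no logging, no KMS.
SAMPLE_AWS_DEFAULT = {
    "name": "example-cluster",
    "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False},
    "logging": {"clusterLogging": [{"types": sorted(REQUIRED_LOG_TYPES), "enabled": False}]},
    "encryptionConfig": [],
}

# Constructed sample matching the ECE defaults (placeholder KMS key ARN).
SAMPLE_ECE_DEFAULT = {
    "name": "example-cluster",
    "resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": True},
    "logging": {"clusterLogging": [{"types": sorted(REQUIRED_LOG_TYPES), "enabled": True}]},
    "encryptionConfig": [{"resources": ["secrets"], "provider": {"keyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}],
}

if __name__ == "__main__":
    for label, sample in (("AWS default", SAMPLE_AWS_DEFAULT), ("ECE default", SAMPLE_ECE_DEFAULT)):
        print(label, audit_cluster(sample) or ["no findings"])
```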
While Infrastructure-as-Code (IaC) tools such as AWS CloudFormation and HashiCorp's Terraform are the preferred vehicles for defining infrastructure, they can be complicated to write and maintain when getting started with AWS EKS. They also lack native capabilities to reach into clusters and perform post-provisioning configuration without the use of custom resources (CFN) or locals and external providers (TF). This utility provides similar behavior patterns (create, update, rollback) and can be used to quickly tune parameters and change conditions which are static within IaC. Further, in addition to being an IaC tool, ECE is a security tool for vulnerability management, runtime protection configuration, and posture management, something CloudFormation and Terraform would need additional infrastructure templates and outside tools to achieve.
We are happy to take contributions from anywhere that will help expand this project. Some things that immediately come to mind...
- Saving configurations to YAML/JSON and reading from them.
- Support installing more software onto EKS Nodes (e.g., CloudWatch Agent, Kinesis Data Agent, Wazuh, etc.)
- Functionality for adding Nodegroups to existing Clusters.
- Spot provider & Fargate Profile support for Nodegroups, and an option to not use Nodegroups
- Create more Plugins for various utilities (e.g., Calico, OPA, NGINX Ingress Controller, etc.)
For more information, contact us at [email protected].
This repository is available under the Apache License 2.0.