Overview
This article focuses on continual compliance within an EKS release pipeline.
What Is CIS?
“CIS Benchmarks from the Center of Internet Security (CIS) are a set of globally recognized and consensus-driven best practices to help security practitioners implement and manage their cybersecurity defenses. Developed with a global community of security experts, the guidelines help organizations proactively safeguard against emerging risks. Companies implement the CIS Benchmark guidelines to limit configuration-based security vulnerabilities in their digital assets.” Well said, AWS!
Further detail can be found here: https://aws.amazon.com/what-is/cis-benchmarks/
Why Is It Important?
Organisations seek to comply with CIS Benchmarks, and for specific infrastructures such as EKS there is a dedicated CIS Benchmark for that architecture. This allows organisations to measure how well their EKS deployment aligns with the benchmark level they are aiming for and to be alerted to failures. In the context of a pipeline, it allows teams to report on their compliance with the benchmark and, more importantly, to prevent changes being introduced that might jeopardise that compliance. For some organisations it is more about visibility: checking how well they comply. In any case, there are several options for deployment.
How Can I Run the CIS Benchmark?
There are several ways to run the CIS Benchmark, and here we are talking about running Aqua Security's kube-bench (which is really awesome). AWS provides quite detailed step-by-step guidance on how to run kube-bench on EKS by deploying a pod, running it and executing the tests, in the Intermediate section of their EKS Workshop: https://www.eksworkshop.com/intermediate/300_cis_eks_benchmark/ssh-into-node/
This is good for a one-off test, but we want to go the extra mile here and run it as part of our release pipeline, and to do that we need to integrate it into our CI pipeline stages. As I'm all about sharing, I won't take credit for this template: it was written by a very clever fellow over at Webera, Raphael Moraes. This helped me when I needed it and it can help you too. https://webera.blog/how-to-check-if-your-eks-cluster-is-deployed-securely-running-the-kube-bench-oss-tool-via-gitlab-ci-21c62798d626
What Benefit Is There Running in the Release Pipeline?
By integrating kube-bench into your pipeline as a dedicated stage, you can fail that stage if the benchmark does not pass. This is great for two things:
- Keeps you compliant
- Allows you to continuously measure your compliance
Things You Need to Consider
- The version of the CIS Benchmark changes, so you will need to cope with those changes and update your pipeline variables to ensure you are testing against the latest version.
- Just because you are compliant, it doesn't mean you are "secure" or compliant with other industry standards.
- Consider carefully whether to fail the stage initially: a well-established EKS cluster may have old configuration that needs planned outages or changes before it can comply.
- It's a great resource and tool to have, but it's not all-encompassing: it complements good security practices and gives you a flying start.
- You need to adjust the template according to your own pipeline stages and environment.
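A gate for such a stage, as an added example that is not the page's, Webera's or kube-bench's own code: it parses a kube-bench JSON report, assumed to follow the `kube-bench --json` layout of Controls, tests, results and Totals, lists the failing checks, and fails the stage unless every failure is on an accepted list of known issues with a scheduled remediation. It covers both the fail-the-stage behaviour above and the consideration about established clusters; the check ids, descriptions and the report itself are constructed sample data.

```python
"""Gate a release-pipeline stage on kube-bench JSON output.
Added example, not the page's or kube-bench's own code; it assumes the
`kube-bench --json` layout (Controls -> tests -> results, plus Totals)."""
import json
import sys

# Constructed sample in the shape of a kube-bench JSON report (check ids and
# descriptions are placeholders, not real CIS EKS Benchmark text).
SAMPLE_REPORT = json.dumps({
    "Controls": [{"id": "3", "version": "eks-1.0.1", "text": "Worker Node Security Configuration",
        "tests": [{"section": "3.2", "desc": "Kubelet", "results": [
            {"test_number": "3.2.1", "test_desc": "constructed check A", "status": "PASS"},
            {"test_number": "3.2.3", "test_desc": "constructed check B", "status": "FAIL"},
            {"test_number": "3.2.4", "test_desc": "constructed check C", "status": "FAIL"},
            {"test_number": "3.2.9", "test_desc": "constructed check D", "status": "WARN"}]}]}],
    "Totals": {"total_pass": 1, "total_fail": 2, "total_warn": 1, "total_info": 0},
})


def failing_checks(report_json):
    """Flatten every FAIL result across all controls and sections."""
    report = json.loads(report_json)
    return [{"id": r["test_number"], "section": t["section"], "desc": r["test_desc"]}
            for control in report.get("Controls", [])
            for t in control.get("tests", [])
            for r in t.get("results", [])
            if r.get("status") == "FAIL"]


def gate(report_json, accepted=frozenset(), enforce=True):
    """Return (exit_code, report_lines) for the pipeline stage.
    accepted: check ids with a known, scheduled remediation (e.g. an established
              cluster that needs a planned change window); reported, not blocking.
    enforce:  False gives report-only mode while a team works towards compliance."""
    fails = failing_checks(report_json)
    blocking = [f for f in fails if f["id"] not in accepted]
    lines = [f"FAIL {f['id']} ({f['section']}): {f['desc']}"
             + (" [accepted]" if f["id"] in accepted else "") for f in fails]
    totals = json.loads(report_json).get("Totals", {})
    lines.append("totals: pass=%s fail=%s warn=%s blocking=%d" % (
        totals.get("total_pass", 0), totals.get("total_fail", 0),
        totals.get("total_warn", 0), len(blocking)))
    return (1 if enforce and blocking else 0), lines


if __name__ == "__main__":
    # Usage: python gate.py [kube-bench.json] [accepted-id ...]; no file = sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, out = gate(data, accepted=frozenset(sys.argv[2:]))
    print("\n".join(out))
    sys.exit(code)
```

In a GitLab CI job the script's exit code is what fails the stage, so the accepted list can be kept in a versioned file alongside the pipeline and shrunk as remediations land.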
I hope you enjoyed this article and learned something new. If you have any questions on how you too can be CIS compliant – please reach out. As always, our awesome Cevo crew are here for you!