ECE Github
Why create an EKS Creation tool
Microsoft Defender for endpoint on AWS
Installing the Calico add-on on EKS
Enabling and disabling control plane logs
EKS authenticator - control access to the cluster
Using EKS encryption provider support for defense-in-depth
De-mystifying cluster networking for Amazon EKS worker nodes
Review and revoke unnecessary anonymous access
Introducing fine-grained IAM roles for service accounts
Restrict access to the instance profile assigned to the worker node
Check cluster logging status:
aws eks describe-cluster --name <cluster-name> | jq '.cluster.logging'
Check cluster public endpoint:
aws eks describe-cluster --name <cluster-name> | jq '.cluster.resourcesVpcConfig.endpointPublicAccess'
Check cluster private endpoint:
aws eks describe-cluster --name <cluster-name> | jq '.cluster.resourcesVpcConfig.endpointPrivateAccess'
Check which CIDRs can access the public cluster endpoint (if enabled):
aws eks describe-cluster --name <cluster-name> | jq '.cluster.resourcesVpcConfig.publicAccessCidrs'
Check cluster encryption (null = disabled):
aws eks describe-cluster --name <cluster-name> | jq '.cluster.encryptionConfig'
Check EC2 node metadata options:
aws ec2 describe-instances --instance-ids <instance-id> | jq '.Reservations[].Instances[].MetadataOptions'
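As an added example (not code from this page or from any of the linked projects), a small Python checker that applies the same checks to the JSON the commands above return, so an auditor can run it across many clusters instead of reading jq output by hand. The sample describe-cluster and MetadataOptions documents are constructed; their field names follow the jq paths used above, and the hop-limit check is an assumption tied to the instance-profile item in the list.

```python
# Constructed sample in the shape of `aws eks describe-cluster` output (values are made up).
SAMPLE_CLUSTER = {"cluster": {"name": "demo-cluster",
    "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False}]},
    "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False,
                           "publicAccessCidrs": ["0.0.0.0/0"]},
    "encryptionConfig": None}}

# Constructed sample in the shape of the EC2 MetadataOptions block (values are made up).
SAMPLE_METADATA = {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}

ALL_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def enabled_log_types(cluster):
    """Flatten the clusterLogging entries into the set of log types that are enabled."""
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def audit_cluster(describe_output, metadata_options):
    """Apply the checks listed above and return a list of finding strings (empty = clean)."""
    cluster = describe_output["cluster"]
    findings = []
    missing = ALL_LOG_TYPES - enabled_log_types(cluster)
    if missing:
        findings.append("control plane log types disabled: " + ", ".join(sorted(missing)))
    vpc = cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess"):
        if "0.0.0.0/0" in vpc.get("publicAccessCidrs", []):
            findings.append("public API endpoint open to 0.0.0.0/0")
        if not vpc.get("endpointPrivateAccess"):
            findings.append("private endpoint disabled: node-to-API traffic leaves the VPC")
    # jq prints null here when no KMS envelope encryption for secrets is configured
    if cluster.get("encryptionConfig") is None:
        findings.append("secrets encryption (encryptionConfig) not configured")
    if metadata_options.get("HttpTokens") != "required":
        findings.append("IMDSv2 not enforced (HttpTokens != required)")
    if metadata_options.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("IMDS hop limit > 1: pods can reach the node's instance profile credentials")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER, SAMPLE_METADATA):
        print("FINDING:", finding)
```

Feed it the parsed output of the describe-cluster and describe-instances calls above in place of the constructed samples; an empty list means every check on this page passed.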