Hello,
You're right, AWS Inspector doesn't directly scan EKS pods for vulnerabilities.
Your only options:
- Scan container images: Use tools like Snyk or Anchore to find vulnerabilities before deployment.
- Third-party tools: Explore tools like Aqua Security, Qualys, or Twistlock for pod scanning.
- CSPM tools: Consider Prisma Cloud or Sysdig for broader security assessments.
- Best practice: Scan images before deployment and regularly scan running pods.
Hello,
You can use a combination of the Amazon Inspector SBOM Generator and the Amazon Inspector Scan API to create a custom CI/CD integration[1]. The Amazon Inspector SBOM Generator (Sbomgen) is a tool that produces an SBOM for archives, container images, directories, local systems, and compiled Go and Rust binaries. Sbomgen scans for files that contain information about installed packages. When Sbomgen finds a relevant file, it extracts package names, versions, and other metadata. Sbomgen then transforms the package metadata into a CycloneDX SBOM. You can use Sbomgen to generate the CycloneDX SBOM as a file or on STDOUT and send SBOMs to Amazon Inspector for vulnerability detection[2].
Additionally, you can utilize Runtime Monitoring in GuardDuty to observe and analyze operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. GuardDuty initially released Runtime Monitoring to support only Amazon Elastic Kubernetes Service (Amazon EKS) resources. However, you can now also use the Runtime Monitoring feature to provide threat detection for your AWS Fargate, Amazon Elastic Container Service (Amazon ECS), and Amazon Elastic Compute Cloud (Amazon EC2) resources[3].
[1] https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html
[2] https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html
[3] https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html
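The answer above describes the Sbomgen → Inspector Scan API pipeline but not what a CI job does with the scan result. The script below is an added example (not AWS code and not from the original answer) of the final gate step: it reads a scan result in CycloneDX 1.5 shape (the Scan API can return findings in that format, as a top-level `vulnerabilities` array) and fails the build when any finding is at or above a chosen severity. The command lines in the docstring are the assumed surrounding pipeline; check their exact flags against the linked documentation. The embedded `SAMPLE_SCAN` document is constructed for illustration, with placeholder vulnerability ids, and is not real scanner output.

```python
"""CI gate for an Amazon Inspector Scan API result (added example, not AWS code).

Assumed pipeline around this script (verify flag names against the docs):
  inspector-sbomgen container --image IMAGE -o sbom.json
  aws inspector-scan scan-sbom --sbom file://sbom.json \
      --output-format CYCLONE_DX_1_5 > scan.json
  python gate.py scan.json --fail-on high   # non-zero exit blocks the deploy
"""
import argparse
import json
import sys
from collections import Counter

# CycloneDX 1.5 severity vocabulary, ordered from least to most severe.
SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]

# Constructed sample in CycloneDX 1.5 shape with placeholder ids (not real output).
SAMPLE_SCAN = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@3.0.11-1", "name": "openssl", "version": "3.0.11-1"},
        {"bom-ref": "pkg:pypi/requests@2.25.0", "name": "requests", "version": "2.25.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11-1"}]},
        # Several raters may disagree; the gate uses the worst rating.
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "low"}, {"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/requests@2.25.0"}]},
        # A finding with no rating at all must not silently pass.
        {"id": "EXAMPLE-0003", "ratings": [],
         "affects": [{"ref": "pkg:pypi/requests@2.25.0"}]},
    ],
})


def worst_severity(vuln):
    """Highest severity among a finding's ratings; 'unknown' if none is usable."""
    sevs = [str(r.get("severity", "unknown")).lower() for r in vuln.get("ratings", [])]
    sevs = [s if s in SEVERITY_ORDER else "unknown" for s in sevs]
    if not sevs:
        return "unknown"
    return max(sevs, key=SEVERITY_ORDER.index)


def parse_findings(scan_json):
    """Return a list of (vuln_id, worst_severity, affected_refs) from a CycloneDX doc."""
    doc = json.loads(scan_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for v in doc.get("vulnerabilities", []):
        refs = tuple(a.get("ref", "") for a in v.get("affects", []))
        findings.append((v.get("id", "?"), worst_severity(v), refs))
    return findings


def blocking_findings(findings, fail_on="high", block_unrated=False):
    """Findings at or above the threshold; optionally also unrated ones."""
    floor = SEVERITY_ORDER.index(fail_on)
    return [
        f for f in findings
        if SEVERITY_ORDER.index(f[1]) >= floor or (block_unrated and f[1] == "unknown")
    ]


def severity_counts(findings):
    """Histogram of worst severities, useful as a build-log summary."""
    return dict(Counter(f[1] for f in findings))


def main(argv):
    ap = argparse.ArgumentParser()
    ap.add_argument("scan", nargs="?", help="scan result JSON; sample used if omitted")
    ap.add_argument("--fail-on", default="high", choices=SEVERITY_ORDER[1:])
    ap.add_argument("--block-unrated", action="store_true")
    args = ap.parse_args(argv)
    scan = open(args.scan).read() if args.scan else SAMPLE_SCAN
    findings = parse_findings(scan)
    print("severity counts:", severity_counts(findings))
    blocking = blocking_findings(findings, args.fail_on, args.block_unrated)
    for vid, sev, refs in blocking:
        print(f"BLOCK {vid} [{sev}] affects {', '.join(refs)}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to see the gate act on the constructed sample; with the default `--fail-on high` it reports EXAMPLE-0001 and exits 1. The `--block-unrated` switch exists because a finding with no rating is not evidence of low risk; whether to fail the build on it is a policy choice the team should make explicitly rather than by omission.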