Detecting vulnerabilities in AWS EKS pods with AWS inspector

0

Hello,

How can I assess pods running in an AWS EKS cluster for vulnerabilities? What are the options and best practices here?

We already use AWS Inspector for AWS Lambda and AWS EC2. However, no vulnerabilities from EKS pods are displayed here.

The blog post https://aws.amazon.com/blogs/containers/using-sbom-to-find-vulnerable-container-images-running-on-amazon-eks-clusters/ describes a possible approach.

Questions about this:

  • Is this currently the only approach: scan for the images in all namespaces yourself, create an SBOM and assess it?
  • Is there no out-of-the-box solution for this, for example in AWS Inspector itself?

Thanks for any tips on this.

2 Answers
1

Hello,

You're right, AWS Inspector doesn't directly scan EKS pods for vulnerabilities.

Your options:

  • Scan container images: Use tools like Snyk or Anchore to find vulnerabilities before deployment.
  • Third-party tools: Explore tools like Aqua Security, Qualys, or Twistlock for pod scanning.
  • CSPM tools: Consider Prisma Cloud or Sysdig for broader security assessments.
  • Best practice: Scan images before deployment and regularly scan running pods.
EXPERT
answered 2 months ago
1

Hello,

You can use a combination of the Amazon Inspector SBOM Generator and the Amazon Inspector Scan API to create a custom CI/CD integration[1]. The Amazon Inspector SBOM Generator (Sbomgen) is a tool that produces an SBOM for archives, container images, directories, local systems, and compiled Go and Rust binaries. Sbomgen scans for files that contain information about installed packages. When Sbomgen finds a relevant file, it extracts package names, versions, and other metadata. Sbomgen then transforms package metadata into a CycloneDX SBOM. You can use Sbomgen to generate the CycloneDX SBOM as a file or in STDOUT and send SBOMs to Amazon Inspector for vulnerability detection[2].

Additionally, you can utilize Runtime Monitoring in GuardDuty to observe and analyze operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. GuardDuty initially released Runtime Monitoring to support only Amazon Elastic Kubernetes Service (Amazon EKS) resources. However, now you can also use the Runtime Monitoring feature to provide threat detection for your AWS Fargate, Amazon Elastic Container Service (Amazon ECS), and Amazon Elastic Compute Cloud (Amazon EC2) resources [3].

[1] https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html

[2] https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html

[3] https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html

AWS
answered a month ago
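The SBOM pipeline this answer describes (inventory the images in every namespace, generate a CycloneDX SBOM per image with Sbomgen, submit it to the Inspector Scan API, triage the result), as an added Python example that is not from the thread or from AWS. The kubectl JSON shape, the CLI flag spellings and the scan response layout are assumptions, and all sample data is constructed.

```python
"""EKS image inventory + Inspector scan-sbom triage. Added example, not from this
thread; kubectl output, CLI flags and response shape are assumptions, data constructed."""
import json
from collections import Counter
REG = "111122223333.dkr.ecr.eu-west-1.amazonaws.com"  # constructed registry
API_DIGEST = f"{REG}/api@sha256:{'a' * 64}"           # constructed digest
PODS_JSON = json.dumps({"items": [  # constructed `kubectl get pods -A -o json`, two namespaces
    {"spec": {"containers": [{"name": "api", "image": f"{REG}/api:1.4"}]},
     "status": {"containerStatuses": [{"name": "api", "imageID": f"docker-pullable://{API_DIGEST}"}]}},
    {"spec": {"initContainers": [{"name": "init", "image": "public.ecr.aws/docker/library/busybox:1.36"}],
              "containers": [{"name": "api", "image": f"{REG}/api:1.4"}]},
     "status": {"containerStatuses": [{"name": "api", "imageID": API_DIGEST}]}}]})
# Constructed CYCLONE_DX_1_5 response: one finding rated medium and high, one critical.
SCAN_JSON = json.dumps({"vulnerabilities": [
    {"id": "CVE-PLACEHOLDER-1", "ratings": [{"severity": "medium"}, {"severity": "high"}]},
    {"id": "CVE-PLACEHOLDER-2", "ratings": [{"severity": "critical"}]}]})
ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]  # CycloneDX severities

def running_images(pods_json):
    """Unique image refs across all namespaces, preferring the digest the kubelet
    actually pulled (imageID) since tags are mutable; fall back to the spec image."""
    images = set()
    for pod in json.loads(pods_json)["items"]:
        spec, status = pod["spec"], pod.get("status", {})
        pulled = {c["name"]: c.get("imageID", "") for c in
                  status.get("containerStatuses", []) + status.get("initContainerStatuses", [])}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            ref = pulled.get(c["name"], "").removeprefix("docker-pullable://")
            images.add(ref if "@sha256:" in ref else c["image"])
    return sorted(images)

def scan_commands(images, outdir="sboms"):
    """Per-image Sbomgen + Inspector Scan API calls described in the answer above
    (flag spellings assumed from the Inspector docs; verify against your version)."""
    cmds = []
    for i, img in enumerate(images):
        sbom = f"{outdir}/image-{i}.cdx.json"
        cmds.append(f"inspector-sbomgen container --image {img} -o {sbom}")
        cmds.append(f"aws inspector-scan scan-sbom --sbom file://{sbom} "
                    f"--output-format CYCLONE_DX_1_5 > {sbom}.scan.json")
    return cmds

def severity_counts(scan_json):
    """Tally findings by their highest rating, e.g. to gate a deploy on critical/high."""
    counts = Counter()
    for vuln in json.loads(scan_json).get("vulnerabilities", []):
        sevs = [r.get("severity", "unknown") for r in vuln.get("ratings", [])] or ["unknown"]
        counts[max(sevs, key=lambda s: ORDER.index(s) if s in ORDER else 0)] += 1
    return counts
```

Run the emitted commands from a host with the Sbomgen binary and `inspector-scan:ScanSbom` permission; the shared `api` image is scanned once by digest rather than once per pod.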
