
EKS Forensics & Incident Response

Cado Security
How do you respond to a compromised EKS Container or Node?
If you've identified a potentially compromised container in EKS, there are two potential ways forward, depending on where the container runs:

● If the container is running on an underlying EC2 node, refer to the suggested EC2 steps above for immediate actions: the node is an ordinary EC2 instance, so its EBS volume (and with it every container's overlay2 layer) can be snapshotted and acquired.

● If the container is running on Fargate, there is no node to snapshot and the pod's ephemeral storage is discarded once it stops, so collect any data required for later analysis (the live container filesystem, reachable via ECS Exec or kubectl exec, plus any logs) before subsequently stopping it.
What EKS GuardDuty Detections are there?
GuardDuty EKS Protection generates findings from the EKS audit logs. The finding types and how to enable them are described in:

https://aws.amazon.com/blogs/security/how-to-use-new-amazon-guardduty-eks-protection-findings/
https://medium.com/@cloud_tips/guide-to-aws-guardduty-findings-in-eks-62babbd7da88
Container Investigation Data Sources in AWS

Amazon S3
  EKS Audit / Control Plane Logs
  ● Shows: API-level calls to the Kubernetes API server (who ran what against which pod)
  ● Usefulness: Medium
  ● Collected by: S3
  CloudTrail Logs
  ● Shows: AWS API-level calls (cluster, node group and IAM activity, not what happened inside containers)
  ● Usefulness: Low
  ● Collected by: S3

Amazon EC2 - Hosting EKS/ECS
  Docker Container Filesystems
  ● Normally overlay2, a layered filesystem whose per-container writable layer preserves the container's changes
  ● Contains all the files from all the containers on the node
  ● Usefulness: High
  ● Collected by: EC2 EBS (API) or Cado Host (SSM/SSH)
  Docker Logs
  ● Logs what containers were started and stopped
  ● Usefulness: Medium
  ● Collected by: EC2 Import or Cado Host

Inside Container - EKS/ECS on Fargate/EC2
  Container Filesystems, Memory
  ● Live filesystem as seen by the container (the merged view of image and writable layers)
  ● Contains all the files from that container only
  ● Usefulness: Very High
  ● Collected by: Cado Host (ECS Exec/kubectl exec)
How do you Acquire an Amazon EKS System in Cado?
What is overlay2?
Overlay2 is the Docker storage driver you are most likely to see on EKS nodes.
It is layered: read-only image layers sit underneath, and each running container gets its own writable layer on top, under /var/lib/docker/overlay2/<layer-id>/diff. A file the attacker adds, edits or deletes is recorded in that writable layer while the original stays untouched in the image layer, which helps preserve evidence of attacks.
Separate containers are therefore kept in their own folders:
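Reading that layout directly is how you get a container's changes from a node's EBS snapshot without Docker running. The script below is an added example (not code from the Cado Security page or the Cado platform): it builds a constructed miniature of /var/lib/docker/overlay2 in a temporary directory, resolves the container layer's `lower` file through the `l/` symlinks the way Docker lays them out, and classifies every file in the writable layer as added, modified or deleted relative to the image beneath it. The layer IDs, file contents, the planted `tmp/kworker` binary and the "backdoor" account are invented for the demonstration.

```python
"""List what a container changed by reading its overlay2 layer directly.

Added example, not code from the Cado Security page. It builds a constructed
miniature of /var/lib/docker/overlay2 in a temp directory (layer IDs, file
contents and the planted files are invented) and reads the container's
writable layer the way an examiner would on an EBS snapshot of the node.
"""
import os
import stat
import tempfile
from pathlib import Path

# Docker's image-layer whiteout marker. On a *mounted* overlayfs a deletion is
# recorded instead as a character device with major/minor 0/0; both are handled.
WHITEOUT_PREFIX = ".wh."


def lower_layers(layer_dir):
    """Resolve a layer's `lower` file ('l/ABC:l/DEF') to the diff dirs it stacks on.

    Each entry is a short symlink under overlay2/l pointing at ../<layer-id>/diff.
    """
    lower_file = layer_dir / "lower"
    if not lower_file.exists():  # an image base layer has no parents
        return []
    root = layer_dir.parent
    return [(root / entry).resolve()
            for entry in lower_file.read_text().strip().split(":") if entry]


def is_whiteout(path):
    """True for a deletion marker in either the tar-layer or mounted-overlayfs form."""
    if path.name.startswith(WHITEOUT_PREFIX):
        return True
    st = path.lstat()
    return (stat.S_ISCHR(st.st_mode)
            and os.major(st.st_rdev) == 0 and os.minor(st.st_rdev) == 0)


def diff_layer(layer_dir):
    """Classify each entry in <layer>/diff as added, modified or deleted
    relative to the image layers below it."""
    upper = layer_dir / "diff"
    lowers = lower_layers(layer_dir)
    changes = {"added": [], "modified": [], "deleted": []}
    for path in sorted(p for p in upper.rglob("*") if not p.is_dir()):
        rel = path.relative_to(upper)
        if is_whiteout(path):
            name = rel.name[len(WHITEOUT_PREFIX):] if rel.name.startswith(WHITEOUT_PREFIX) else rel.name
            changes["deleted"].append(str(rel.with_name(name)))
        elif any((low / rel).exists() for low in lowers):
            changes["modified"].append(str(rel))
        else:
            changes["added"].append(str(rel))
    return changes


def build_sample_overlay2(root):
    """Constructed miniature: one image layer and one container layer on top of it."""
    (root / "l").mkdir()
    image = root / "0f1e2d3c"
    for sub in ("etc", "usr/bin"):
        (image / "diff" / sub).mkdir(parents=True)
    (image / "diff/etc/passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (image / "diff/etc/motd").write_text("welcome\n")
    (image / "diff/usr/bin/curl").write_text("#!/bin/sh\n")
    (root / "l/ABCDEF").symlink_to(Path("..") / image.name / "diff")

    container = root / "9a8b7c6d"
    for sub in ("etc", "tmp"):
        (container / "diff" / sub).mkdir(parents=True)
    (container / "lower").write_text("l/ABCDEF")
    # What an intruder typically leaves behind (invented for the demo): a UID-0
    # account appended to /etc/passwd, a dropped binary, and a deleted file.
    (container / "diff/etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
    (container / "diff/tmp/kworker").write_bytes(b"\x7fELF")
    (container / "diff/etc/.wh.motd").touch()
    return container


def demo():
    """Build the sample and diff the container layer; returns the change sets."""
    with tempfile.TemporaryDirectory() as tmp:
        return diff_layer(build_sample_overlay2(Path(tmp)))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real node, point `diff_layer` at /var/lib/docker/overlay2/<layer-id> from the mounted EBS snapshot; the mapping from container to layer ID comes from the container's metadata (`docker inspect` reports it under GraphDriver.Data as UpperDir), and the `merged` directory next to `diff` is the view the container itself sees, which is what a `kubectl exec` collection returns.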
What AWS EKS Logs are Stored in AWS?
It is important to also analyze the AWS-side logs generated for EKS systems, not just what is on the node.
These contain metadata around starting and stopping containers, and the cluster and IAM API calls that surround them.
Below you can see a view of AWS logs collected in Cado Response:
What Resources are available?

Community Resources
● kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform offline forensic analysis.

Cado Security Resources
● We previously published a playbook dedicated to investigating compromises in EKS environments.
● Check out the GitHub repository with sample data taken from a compromised EKS system, and an associated talk on how to analyze it.
What Remediation is available?

https://aws.amazon.com/blogs/security/how-to-investigate-and-take-action-on-security-issues-in-amazon-eks-clusters-with-amazon-detective-part-2/
Cado Response: free 14-day trial
Receive unlimited access to the Cado Response Platform for 14 days.
www.cadosecurity.com/free-investigation/
