#compliance (2023-06)

Discuss topics related to compliance. See also <#CBXSAR45Bsecurity>.


Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
01:29:03 PM

@Erik Osterman (Cloud Posse) has joined the channel

Ozzy Aluyi avatar
Ozzy Aluyi
01:29:28 PM

@Ozzy Aluyi has joined the channel

matt avatar
01:29:34 PM

@matt has joined the channel

Jonathan Eunice avatar
Jonathan Eunice
01:29:34 PM

@Jonathan Eunice has joined the channel

Jonathan Eunice avatar
Jonathan Eunice

Yesterday’s discussion on FedRAMP, compliance != security, and related topics was excellent. Good to know I’m not struggling with these things alone.

Jonathan Eunice avatar
Jonathan Eunice

Little background on us: 3Play Media Inc. takes in audio and video and processes it with combination of AI (really, ML, but who’s counting when “AI” is the hot hype word) and human review/correction to produce captions, subtitles, transcripts, audio descriptions, and other accessibility enhancements. We are Cloud Posse graduates (i.e. now in production). Our cloud product, the 3Play Platform, passes SOC 2 and GAAS audits and pentest on our EKS infrastructure/estate. Another part of 3Play passes separate TPN (Motion Picture Association) audit more oriented to on-prem processing model. We are also HIPAA, GDPR, CCPA/CPRA, FERPA, and Microsoft SSPA compliant (but we don’t formally audit against those). We’re consistently looking to harden and lock down (partly for security, partly to meet ever-rising, ever-encroaching customer demands esp. from media, entertainment, finance, and government customers/prospects). Currently using OneTrust Certification Automation (great for past 2 years, but seems to have stalled after Tugboat was acquired). Looking to upgrade program to better align with NIST SP 800-53 and friends and/or ISO 27001 (in addition to SOC 2 and TPN). We’ve talked about doing FedRAMP and have been requested to meet several crazy-deep custom finance infosec/GRC frameworks. They feel above our current station/capabilities, but we’re edging that direction to prepare for a future deal for which the business says “okay, it’s now worth it to comply, get going!”

Hao Wang avatar
Hao Wang
02:20:53 PM

@Hao Wang has joined the channel

Sean avatar
02:45:47 PM

@Sean has joined the channel

Jim Conner avatar
Jim Conner
02:46:58 PM

@Jim Conner has joined the channel

Sean avatar

Thanks for starting the channel. I’m required to meet nearly all the compliance/authorization types. (ISOs,SOCs,PCI,HiTrust,FedRAMP, …).

Jim Conner avatar
Jim Conner

yeah, we do fedramp and ISO – and one more iirc

Jim Conner avatar
Jim Conner

I’m curious about how you folks, if you use RDBMS, manage the credential rotation requirements –

Sean avatar

Depends what your auditor ends up requiring. The FedRAMP NIST controls don’t give, from what I recall, an exact rotation period.

It’s annoying that AWS don’t offer an RDS IAM Sidecar Proxy:

• That would eliminate cred management.

• This is another area where GCP are MILES AHEAD. ◦ They suggest you don’t use passwords, instead user their IAM proxy.

Sean avatar

We’ve been contemplating building the equivalent for RDS and AWS IAM. Built a basic Go version a few years ago but never took it further.

Sean avatar

Even have an issue raised by a friend: https://github.com/aws/containers-roadmap/issues/1508

#1508 [EKS] [request]: RDS IAM Proxy Sidecar injector to allow connecting to RDS from pods with IAM Roles instead of passwords

Community Note

• Please vote on this issue by adding a reaction to the original issue to help the community and maintainers prioritize this request • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
What do you want us to build?

A kubernetes sidecar similar to https://github.com/GoogleCloudPlatform/cloudsql-proxy that we can use together with the IAM Roles for Service Accounts feature to be able to connect to RDS databases transparently using IAM instead of RDS passwords.
Ideally the sidecar could be injected with an annotation by a mutating admission controller.

Which service(s) is this request for?
EKS, but such a proxy would also be useful outside kubernetes.

Tell us about the problem you’re trying to solve. What are you trying to do, and why is it hard?
I want my applications running in EKS to connect to RDS without having to use static passwords. Since you can use AWS IAM to get a temporary db auth token it would make sense to build a database proxy that can do that for you transparently. You’d connect to the proxy on and the proxy authenticates to RDS and forwards all traffic to RDS after that.

I didn’t encounter any solution yet that allows for connecting to RDS from existing applications with IAM without modifying the application source code.

Are you currently working around this issue?
I’m thinking about writing the proxy and the admission controller myself, but even if that’s the case it would be great if AWS would own the codebase.

Sean avatar

Please add upvotes there to help with getting attention.

This would eliminate the need for RDS passwords. No rotation! No secret storage! No distributing! …

Sean avatar

Or this approach, which I’ve been considering:

• cron job that gets new cred from IAM every 10 minutes and feeds it to pgBouncer (or the mysql equivalent) that’s running in a sidecar: https://sreeraj.dev/sidecar-containers/

Using sidecar containers in k8sattachment image

Pods are the basic unit of deployment in k8s and in a typical k8s setup, your application container is probably running inside a pod. Pods themselves are containers, and you can run multiple containers sharing the same volume and network interfaces of the pod concurrently. This is called the sidecar

Jim Conner avatar
Jim Conner

hmm…I’m not sure what you’re talking about as far as an RDS IAM sidecar proxy…but I’m guessing what you’re talking about is db users existing in IAM and the sidecar somehow injecting credentials into RDS?

Jim Conner avatar
Jim Conner
IAM database authentication for MariaDB, MySQL, and PostgreSQL - Amazon Relational Database Service

Authenticate to your DB instance or cluster using AWS Identity and Access Management (IAM) database authentication.

Jim Conner avatar
Jim Conner

it’s java

Jim Conner avatar
Jim Conner

forget that noise

Jim Conner avatar
Jim Conner

we don’t have any users in IAM as we are 100% SSO for everything…so something like that probably wouldn’t be useful to us unless we broke our paradigm – we have a different set of methods for auth and I’m writing an operator which performs syncing between our vault storage and the databases which automatically rotates secrets every n days.

Sean avatar

We don’t have users either. 100% SAML to AWS.

Sean avatar

We have policies in place that block the ability to create IAM Users.

Sean avatar

Talking about services here. Not people. For that, IRSA is the standard: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

IAM roles for service accounts - Amazon EKS

Learn how applications in your Pods can access AWS services.

Sean avatar

between our vault storage and the database
Yeah. There are sidecars, like what I described for AWS IAM, that rotate from Vault automatically.

Jim Conner avatar
Jim Conner

actually, vault doesn’t need a sidecar to rotate….however, in the way our environment works, vault’s native rotation will not work for us.

Jeff May avatar
Jeff May
08:18:22 PM

@Jeff May has joined the channel

Fizz avatar
09:58:22 PM

@Fizz has joined the channel

James avatar
01:58:22 AM

@James has joined the channel


Justin Erny avatar
Justin Erny
11:27:53 PM

@Justin Erny has joined the channel


Tom Atwood avatar
Tom Atwood
12:41:52 AM

@Tom Atwood has joined the channel

Allan Swanepoel avatar
Allan Swanepoel
12:58:42 AM

@Allan Swanepoel has joined the channel


Sean avatar

Another Security/Compliance tool to consider. Early version of it. Goal is to audit clusters against the “EKS Best Practices Guide (EBPG)“: https://aws.amazon.com/blogs/containers/hardeneks-validating-best-practices-for-amazon-eks-clusters-programmatically/

HardenEKS: Validating Best Practices For Amazon EKS Clusters Programmatically | Amazon Web Servicesattachment image

Introduction HardenEKS is an open source Python-based Command Line Interface (CLI). We created HardenEKS to make it easier to programmatically validate if an Amazon Elastic Kubernetes Service (Amazon EKS)  cluster follows best practices defined in AWS’ EKS Best Practices Guide (EBPG). The EBPG is an essential resource for Amazon EKS operators who seek easier Day […]



Hans D avatar
Hans D
08:42:07 AM

@Hans D has joined the channel

Soren Jensen avatar
Soren Jensen
10:21:34 PM

@Soren Jensen has joined the channel


Sam avatar
06:10:06 AM

@Sam has joined the channel


Nate G. avatar
Nate G.
07:12:50 PM

@Nate G. has joined the channel


Marcin avatar
07:56:15 PM

@Marcin has joined the channel


Sean avatar

(Continuing SIEM discussion from office-hours) Another great tool for SIEM related activities is Falco. https://falco.org/ https://github.com/falcosecurity/falco

It came from SysDig and is CNCF Incubation.



Cloud Native Runtime Security

Falcoattachment image

Runtime Security