|Discuss topics related to compliance. See also <#CBXSAR45B||security>.|
@Erik Osterman (Cloud Posse) has joined the channel
@Ozzy Aluyi has joined the channel
@matt has joined the channel
@Jonathan Eunice has joined the channel
Yesterday’s discussion on FedRAMP, compliance != security, and related topics was excellent. Good to know I’m not struggling with these things alone.
Little background on us: 3Play Media Inc. takes in audio and video and processes it with combination of AI (really, ML, but who’s counting when “AI” is the hot hype word) and human review/correction to produce captions, subtitles, transcripts, audio descriptions, and other accessibility enhancements. We are Cloud Posse graduates (i.e. now in production). Our cloud product, the 3Play Platform, passes SOC 2 and GAAS audits and pentest on our EKS infrastructure/estate. Another part of 3Play passes separate TPN (Motion Picture Association) audit more oriented to on-prem processing model. We are also HIPAA, GDPR, CCPA/CPRA, FERPA, and Microsoft SSPA compliant (but we don’t formally audit against those). We’re consistently looking to harden and lock down (partly for security, partly to meet ever-rising, ever-encroaching customer demands esp. from media, entertainment, finance, and government customers/prospects). Currently using OneTrust Certification Automation (great for past 2 years, but seems to have stalled after Tugboat was acquired). Looking to upgrade program to better align with NIST SP 800-53 and friends and/or ISO 27001 (in addition to SOC 2 and TPN). We’ve talked about doing FedRAMP and have been requested to meet several crazy-deep custom finance infosec/GRC frameworks. They feel above our current station/capabilities, but we’re edging that direction to prepare for a future deal for which the business says “okay, it’s now worth it to comply, get going!”
@Hao Wang has joined the channel
@Sean has joined the channel
@Jim Conner has joined the channel
Thanks for starting the channel. I’m required to meet nearly all the compliance/authorization types. (ISOs,SOCs,PCI,HiTrust,FedRAMP, …).
yeah, we do fedramp and ISO – and one more iirc
I’m curious about how you folks, if you use RDBMS, manage the credential rotation requirements –
Depends what your auditor ends up requiring. The FedRAMP NIST controls don’t give, from what I recall, an exact rotation period.
It’s annoying that AWS don’t offer an RDS IAM Sidecar Proxy:
• That would eliminate cred management.
• This is another area where GCP are MILES AHEAD. ◦ They suggest you don’t use passwords, instead user their IAM proxy.
We’ve been contemplating building the equivalent for RDS and AWS IAM. Built a basic Go version a few years ago but never took it further.
Even have an issue raised by a friend: https://github.com/aws/containers-roadmap/issues/1508
• Please vote on this issue by adding a reaction to the original issue to help the community and maintainers prioritize this request • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request • If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
What do you want us to build?
A kubernetes sidecar similar to https://github.com/GoogleCloudPlatform/cloudsql-proxy that we can use together with the IAM Roles for Service Accounts feature to be able to connect to RDS databases transparently using IAM instead of RDS passwords.
Ideally the sidecar could be injected with an annotation by a mutating admission controller.
Which service(s) is this request for?
EKS, but such a proxy would also be useful outside kubernetes.
Tell us about the problem you’re trying to solve. What are you trying to do, and why is it hard?
I want my applications running in EKS to connect to RDS without having to use static passwords. Since you can use AWS IAM to get a temporary db auth token it would make sense to build a database proxy that can do that for you transparently. You’d connect to the proxy on 127.0.0.1:5432 and the proxy authenticates to RDS and forwards all traffic to RDS after that.
I didn’t encounter any solution yet that allows for connecting to RDS from existing applications with IAM without modifying the application source code.
Are you currently working around this issue?
I’m thinking about writing the proxy and the admission controller myself, but even if that’s the case it would be great if AWS would own the codebase.
Please add upvotes there to help with getting attention.
This would eliminate the need for RDS passwords. No rotation! No secret storage! No distributing! …
Or this approach, which I’ve been considering:
• cron job that gets new cred from IAM every 10 minutes and feeds it to pgBouncer (or the mysql equivalent) that’s running in a sidecar: https://sreeraj.dev/sidecar-containers/
Pods are the basic unit of deployment in k8s and in a typical k8s setup, your application container is probably running inside a pod. Pods themselves are containers, and you can run multiple containers sharing the same volume and network interfaces of the pod concurrently. This is called the sidecar
hmm…I’m not sure what you’re talking about as far as an RDS IAM sidecar proxy…but I’m guessing what you’re talking about is db users existing in IAM and the sidecar somehow injecting credentials into RDS?
Authenticate to your DB instance or cluster using AWS Identity and Access Management (IAM) database authentication.
forget that noise
we don’t have any users in IAM as we are 100% SSO for everything…so something like that probably wouldn’t be useful to us unless we broke our paradigm – we have a different set of methods for auth and I’m writing an operator which performs syncing between our vault storage and the databases which automatically rotates secrets every n days.
We don’t have users either. 100% SAML to AWS.
We have policies in place that block the ability to create IAM Users.
Talking about services here. Not people. For that, IRSA is the standard: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
Learn how applications in your Pods can access AWS services.
between our vault storage and the database Yeah. There are sidecars, like what I described for AWS IAM, that rotate from Vault automatically.
actually, vault doesn’t need a sidecar to rotate….however, in the way our environment works, vault’s native rotation will not work for us.
@Jeff May has joined the channel
@Fizz has joined the channel
@James has joined the channel
@Justin Erny has joined the channel
@Tom Atwood has joined the channel
@Allan Swanepoel has joined the channel
Another Security/Compliance tool to consider. Early version of it. Goal is to audit clusters against the “EKS Best Practices Guide (EBPG)“: https://aws.amazon.com/blogs/containers/hardeneks-validating-best-practices-for-amazon-eks-clusters-programmatically/
Introduction HardenEKS is an open source Python-based Command Line Interface (CLI). We created HardenEKS to make it easier to programmatically validate if an Amazon Elastic Kubernetes Service (Amazon EKS) cluster follows best practices defined in AWS’ EKS Best Practices Guide (EBPG). The EBPG is an essential resource for Amazon EKS operators who seek easier Day […]
@Hans D has joined the channel
@Soren Jensen has joined the channel
@Sam has joined the channel
@Nate G. has joined the channel
@Marcin has joined the channel
It came from SysDig and is CNCF Incubation.
Cloud Native Runtime Security