Amazon EKS monitoring and security with Sysdig

By Eric Carter - JULY 31, 2021

Amazon Elastic Kubernetes Service (Amazon EKS) provides Kubernetes as a managed service on AWS. EKS makes it easier to deploy, manage, and scale containerized applications using Kubernetes. The Sysdig Platform – featuring Sysdig Monitor and Sysdig Secure – provides Amazon EKS monitoring and security from a single, unified platform. Sysdig helps AWS customers ship cloud apps faster by helping them see more, secure more, and save time troubleshooting deployed microservices.

Container and orchestration insights for Amazon EKS

What makes Sysdig so effective for monitoring and securing Amazon EKS – and any Kubernetes environment – is our approach to cloud, container, and orchestration integration.

  • ImageVision helps teams identify, prioritize, and fix vulnerabilities across container images and hosts, in registries (e.g., Amazon ECR), and in CI/CD pipelines (e.g., AWS CodePipeline).
  • ContainerVision provides visibility inside containers without invasive instrumentation for insight into workload behavior to understand performance, threats, and compliance.
  • ServiceVision enriches security events, vulnerability data, and metrics with orchestration and cloud metadata, such as region, cluster, namespace, and pod.
  • CloudVision taps into cloud logs (AWS CloudTrail) to identify and alert you to anomalous and unexpected activity across your cloud services such as AWS Lambda, Amazon RDS, and AWS IAM.

In essence, these technologies help you pinpoint where in your pipeline or cluster there are security or performance issues that need attention. With the ability to visualize and segment information by Kubernetes logical resources, like namespace, deployment, or pod, you see exactly what services are impacted, and where.

Auto-tagging events and metrics with cloud and orchestrator metadata

Your Amazon EKS environment includes thousands of labels and tags exposed by your infrastructure, containers, and microservices. Sysdig automatically collects these labels and tags and lets you group and segment your metrics by them, so it’s easy to “slice and dice” your environment views. This includes physical (e.g., EC2 instances) and logical (e.g., Kubernetes nodes, pods, etc.) details, letting you see your services in a rich and powerful way.

For Amazon EKS monitoring and security, this means you have in-depth views at your fingertips that give you insight at any level, from top-level dashboards to individual metrics and security-event views, all the way down to the process level. So, when something happens, say a pod crash-and-restart loop or a data exfiltration event, you’re able to dig into the details. In short, Sysdig helps you quickly find the needle in the haystack and fix the problem.

Getting started with Sysdig and Amazon EKS

Getting started with Sysdig on Amazon EKS is simple and straightforward. With a lightweight container-agent installation, shipped as a Docker container and deployed as a DaemonSet, you’re ready to go. Specifically, the DaemonSet installation with Kubernetes ensures that all Nodes run a Pod with Sysdig. It automatically adds the monitoring and security agent as nodes are added to your cluster, significantly reducing management overhead. Plus, in the event of node failure, as workloads spin up elsewhere, so will the Sysdig agent to ensure the availability of your monitoring and security. See how here.

As you deploy services in your environment, Sysdig monitors system calls at the kernel level as its primary source of container activity. Once in place, it automatically collects deep information from your AWS instances, containers, and EKS. As a result, you get real-time monitoring and security including:

360-degree views of Amazon EKS with Sysdig

Once you’re up and running, Sysdig provides many ways to explore, view, and analyze your Amazon EKS environment.

Explore:
Sysdig enables you to explore your Amazon EKS environment to see what’s happening at any level. You can view hosts and containers, or apply a Kubernetes grouping and drill into your environment by a hierarchy such as AWS region > cluster > namespace > deployment > pods > containers. This provides an HTOP-like view of metrics like CPU, disk, memory, and network, from the entire infrastructure down to the container level. Color coding highlights what’s abnormal to help you spot potential issues quickly. From here you can drill into dashboards and metric views automatically scoped by your selection in the explore tree.


Dashboards:

With Dashboards, you can view a summary of things like pod health with kube-state-metrics and Kubernetes service health with Golden Signals. These dashboards (and more) are included “out of the box.” However, you can also build your own custom views for any EKS metrics or information that are most important to you.


Alerts:

Adaptive alerts notify you automatically via email, PagerDuty, Slack, etc. when events occur. For instance, you can set an alert for a metric that exceeds a threshold, such as CPU utilization higher than 90%. What’s more, you can be notified if a violation occurs against your configured security policies. Kubernetes node out of disk? Deployments degraded? Pods crashing? Someone running an unauthorized program in a container? You’ll receive an alert immediately.
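The two ideas above, grouping metrics along the region > cluster > namespace > deployment > pod > container hierarchy from the explore tree and alerting when a scoped metric crosses a threshold, are easy to get wrong at the wrong scope: a namespace-level average can hide a single deployment pegged at 95% CPU. The example below is added here to show the mechanics; it is not Sysdig code and does not use the Sysdig API. The sample CPU readings, regions, clusters, and pod names are constructed, and the `rollup` and `threshold_alerts` functions are hypothetical names chosen for this illustration.

```python
from collections import defaultdict
from statistics import mean

# Hierarchy used to roll metrics up, outermost first (the same ordering
# as the explore tree described above).
HIERARCHY = ("region", "cluster", "namespace", "deployment", "pod", "container")

# Constructed container CPU samples, already tagged with cloud and Kubernetes
# metadata (hypothetical regions, clusters, and pods; not real telemetry).
SAMPLES = [
    {"region": "us-east-1", "cluster": "prod", "namespace": "shop", "deployment": "cart",
     "pod": "cart-7f9-a1", "container": "cart", "cpu_pct": 96.0},
    {"region": "us-east-1", "cluster": "prod", "namespace": "shop", "deployment": "cart",
     "pod": "cart-7f9-b2", "container": "cart", "cpu_pct": 92.0},
    {"region": "us-east-1", "cluster": "prod", "namespace": "shop", "deployment": "catalog",
     "pod": "catalog-55c-x9", "container": "catalog", "cpu_pct": 20.0},
    {"region": "us-east-1", "cluster": "prod", "namespace": "shop", "deployment": "catalog",
     "pod": "catalog-55c-x9", "container": "envoy", "cpu_pct": 10.0},
    {"region": "us-west-2", "cluster": "prod", "namespace": "payments", "deployment": "api",
     "pod": "api-1d2-q7", "container": "api", "cpu_pct": 35.0},
]


def rollup(samples, level, metric="cpu_pct"):
    """Average `metric` over every group at `level` (e.g. "deployment").

    The group key is the full label path from the top of the hierarchy down
    to `level`, so a deployment in one namespace never merges with a
    same-named deployment somewhere else.
    """
    depth = HIERARCHY.index(level) + 1
    groups = defaultdict(list)
    for s in samples:
        groups[tuple(s[k] for k in HIERARCHY[:depth])].append(s[metric])
    return {key: round(mean(vals), 2) for key, vals in groups.items()}


def threshold_alerts(samples, level, metric="cpu_pct", threshold=90.0):
    """Scopes at `level` whose averaged metric exceeds `threshold`, rendered
    as 'region > cluster > ...' paths ready for an alert notification."""
    return [" > ".join(key)
            for key, val in sorted(rollup(samples, level, metric).items())
            if val > threshold]


if __name__ == "__main__":
    for level in ("region", "namespace", "deployment"):
        print(level, rollup(SAMPLES, level))
    # The hot deployment shows up at deployment scope but is averaged away
    # one level up, which is why alert scope matters.
    print("CPU > 90% by deployment:", threshold_alerts(SAMPLES, "deployment"))
    print("CPU > 90% by namespace:", threshold_alerts(SAMPLES, "namespace"))
```

Running it shows the `shop` namespace averaging 54.5% CPU while its `cart` deployment sits at 94%; an alert scoped at namespace level stays silent, while the same threshold scoped at deployment level fires for `us-east-1 > prod > shop > cart`. Scoping alerts at the level where the workload actually lives is the practical lesson.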


Security events:

Your security team can get a summary of events for the last hour, the last week, etc., and drill into policy violations in your EKS deployment. For example, if there is an attempt to read sensitive files (e.g., files containing user, password, or authentication information), you’ll be able to identify, block, and further investigate the issue.
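To make the "sensitive file read" policy concrete, here is an added example of how such a rule is evaluated over syscall-level events and how each hit is enriched with the cluster, namespace, pod, and container it came from (the metadata enrichment described under ServiceVision earlier). It is illustrative code written for this page, not Sysdig's rule engine or policy syntax. The events, path list, and process allowlist are constructed, and `match_rule`, `evaluate`, and `summarize` are hypothetical names.

```python
from collections import Counter
from datetime import datetime

# Constructed syscall-style events, already enriched with Kubernetes metadata
# (hypothetical cluster, namespaces, and pods; not captured from a real cluster).
EVENTS = [
    {"ts": "2021-07-31T12:30:00", "syscall": "openat", "path": "/etc/shadow",
     "proc": "cat", "user": "root",
     "k8s": {"cluster": "prod", "namespace": "shop", "pod": "cart-7f9-a1", "container": "cart"}},
    {"ts": "2021-07-31T12:31:00", "syscall": "openat", "path": "/app/config.yaml",
     "proc": "node", "user": "app",
     "k8s": {"cluster": "prod", "namespace": "shop", "pod": "cart-7f9-a1", "container": "cart"}},
    {"ts": "2021-07-31T09:15:00", "syscall": "openat",
     "path": "/var/run/secrets/kubernetes.io/serviceaccount/token", "proc": "curl", "user": "root",
     "k8s": {"cluster": "prod", "namespace": "payments", "pod": "api-1d2-q7", "container": "api"}},
    {"ts": "2021-07-31T09:16:00", "syscall": "execve", "path": "/bin/sh",
     "proc": "sh", "user": "root",
     "k8s": {"cluster": "prod", "namespace": "payments", "pod": "api-1d2-q7", "container": "api"}},
    {"ts": "2021-07-31T10:00:00", "syscall": "openat", "path": "/etc/shadow",
     "proc": "sshd", "user": "root",
     "k8s": {"cluster": "prod", "namespace": "ops", "pod": "bastion-0", "container": "bastion"}},
]

# Each rule: name, the path prefixes it covers, and the processes expected to
# read them. The allowlist is where a team tunes the rule per workload so that
# legitimate readers do not page anyone.
RULES = [
    ("Read credential file under /etc", ("/etc/shadow", "/etc/sudoers"), {"sshd", "login", "passwd"}),
    ("Read SSH private material", ("/root/.ssh/",), {"sshd"}),
    ("Read service account token", ("/var/run/secrets/kubernetes.io/serviceaccount/",), {"kubectl"}),
]


def match_rule(event):
    """Return the name of the rule this file open violates, or None.

    Only openat is inspected here; other syscalls (execve, connect, ...)
    belong to other rules. A path covered by a rule but opened by an
    allowlisted process is deliberately not matched.
    """
    if event["syscall"] != "openat":
        return None
    for name, prefixes, allowed in RULES:
        if any(event["path"].startswith(p) for p in prefixes):
            return None if event["proc"] in allowed else name
    return None


def scope(k8s):
    """Render the orchestrator metadata as a drill-down path."""
    return " > ".join(k8s[k] for k in ("cluster", "namespace", "pod", "container"))


def evaluate(events):
    """Turn raw file opens into security events that carry their Kubernetes scope."""
    findings = []
    for e in events:
        rule = match_rule(e)
        if rule is None:
            continue
        findings.append({
            "ts": e["ts"], "rule": rule, "path": e["path"], "proc": e["proc"],
            "user": e["user"], "namespace": e["k8s"]["namespace"], "scope": scope(e["k8s"]),
        })
    return findings


def summarize(findings, since=None):
    """Count findings per namespace, optionally only those at or after `since` (ISO 8601)."""
    cutoff = datetime.fromisoformat(since) if since else None
    counts = Counter(f["namespace"] for f in findings
                     if cutoff is None or datetime.fromisoformat(f["ts"]) >= cutoff)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for f in found:
        print(f"{f['ts']} [{f['rule']}] {f['proc']} read {f['path']} in {f['scope']}")
    print("all:", summarize(found))
    print("since noon:", summarize(found, since="2021-07-31T12:00:00"))
```

Two of the five constructed events surface as findings: `cat` reading `/etc/shadow` in `prod > shop > cart-7f9-a1 > cart`, and `curl` reading the service account token in the `payments` namespace. The `sshd` read of `/etc/shadow` on the bastion is suppressed by the allowlist, which is the kind of tuning that keeps a sensitive-file policy actionable rather than noisy; the `since` filter is what a "last hour" or "last week" summary view reduces to.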


Captures:

Finally, Sysdig simplifies security forensics and Kubernetes troubleshooting with system captures. Captures let you analyze system call and environment data and correlate details surrounding any alert or event using integrated open source Sysdig Inspect. Although your containers may be killed or gone, with Sysdig you’ll have the information you need for troubleshooting.


Learn more about Sysdig and Kubernetes

At Sysdig we invest a lot of effort into providing feature-rich support for Kubernetes – and now Amazon EKS. In summary, our goal is to provide you with the intelligence you need to be successful. Whether you’re operating completely in the AWS cloud or using AWS Outposts on prem, Sysdig will help you get results quickly by providing critical performance, health, and security insights.

On the whole, Sysdig solutions simplify your job of ensuring the containerized services you run on Amazon EKS are reliable, secure, and performing at their best. To learn more about securing and monitoring AWS cloud and container services, download the guide: Continuous Security for AWS Cloud and Containers.