On August 3rd, 2021, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the “Kubernetes Hardening Guidance”. The guide describes in great detail the challenges of securing Kubernetes (k8s) environments, a baseline threat model, and guidance on secure configuration to minimize risk.
As with any security guidelines, what is missing, or left up to the user or security team, is how to validate, automate, customize, and implement those guidelines. Kubernetes environments vary widely depending on usage, version, managed offering (such as GKE or EKS), requirements, and the capacity of the security team. All of those factors affect how you would want to implement the guidelines.
CloudQuery Policies give you a powerful way to automate, customize, codify, and continuously run your cloud security and compliance checks using HCL and SQL.
Here is a snippet from the NSA & CISA Kubernetes policy:
And here is an example of how we check whether a container has privileged access.
The policy is split into sections (services) as sub-policies, so you can run the whole policy, a sub-policy, or even one specific check. The query itself is defined in a separate file, so it can be reused in other policies in the future.
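To make the "check as a reusable query" idea concrete, here is an added example that is not CloudQuery's own code and does not use CloudQuery's real table schema. It codifies the privileged-container check from the NSA/CISA guidance as a standalone SQL query, runs it against a hypothetical `pod_containers` table in an in-memory SQLite inventory populated with constructed rows, and returns the findings as JSON lines that a downstream alerting pipeline could consume. The table and column names (`pod_containers`, `namespace`, `pod_name`, `container_name`, `privileged`) are assumptions for illustration only.

```python
"""
Added example (not CloudQuery's own code or schema): codify the
"no privileged containers" check from the NSA/CISA guidance as a SQL
query, run it against a local SQLite inventory, and emit the findings
as JSON for downstream alerting.

Assumptions (all hypothetical): a table named ``pod_containers`` with
one row per container, holding the namespace, pod name, container name
and its ``privileged`` flag. Real asset inventories use their own
table and column names; adapt the query to yours.
"""
import json
import sqlite3

# Constructed sample rows: (namespace, pod, container, privileged flag).
# None models a securityContext that never set the flag at all.
SAMPLE_CONTAINERS = [
    ("kube-system", "kube-proxy-abc12", "kube-proxy", 1),
    ("default", "web-7d9f", "nginx", 0),
    ("default", "web-7d9f", "sidecar", 0),
    ("monitoring", "node-exporter-x1", "node-exporter", 1),
    ("default", "batch-job-1", "worker", None),
]

# The check itself, kept as a standalone query so other policies can
# reuse it. Only rows whose flag is explicitly true are failures; an
# unset (NULL) flag defaults to non-privileged and is not matched.
PRIVILEGED_CONTAINERS_QUERY = """
SELECT namespace, pod_name, container_name
FROM pod_containers
WHERE privileged = 1
ORDER BY namespace, pod_name, container_name
"""


def load_inventory(rows):
    """Build an in-memory SQLite inventory from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pod_containers ("
        "namespace TEXT, pod_name TEXT, container_name TEXT, privileged INTEGER)"
    )
    conn.executemany("INSERT INTO pod_containers VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def run_check(conn, check_id="nsa-cisa-privileged-containers"):
    """Run the query and return one finding dict per failing container."""
    cur = conn.execute(PRIVILEGED_CONTAINERS_QUERY)
    return [
        {
            "check": check_id,
            "namespace": ns,
            "pod": pod,
            "container": container,
            "status": "fail",
        }
        for ns, pod, container in cur.fetchall()
    ]


def findings_as_json(findings):
    """Serialise findings as JSON lines (one object per line) for alerting pipelines."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CONTAINERS)
    print(findings_as_json(run_check(inventory)))
```

Keeping the query in its own constant mirrors the page's point about defining each check in a separate file: the same SQL can be attached to more than one policy, while the surrounding code only decides which inventory to run it against and how to ship the results.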
You are also free to fork this repository and create your own policy to adapt the guidelines to your needs.
Running this is as simple as ensuring your database holds the latest cloud asset configuration via the fetch command, then executing each of the pre-made queries with the policy run command.
Following is a quick start for running the policy. Otherwise, check out the full details in our docs.
You can also output the results as JSON and pass them to downstream processing for automated monitoring and alerting.
Do you have a policy that you want to codify, or have you been running one with Python or Bash scripts? You are welcome to try codifying it with CloudQuery Policies. Feel free to drop by on Discord or GitHub to get help, and we will share your policy on CloudQuery Hub.