We combine process automation with decades of experience building secure, enterprise-grade applications to provide your team with relevant and actionable security guidance.
Every cloud infrastructure provider maintains a version of the shared responsibility model. They are responsible for the security of the cloud, but you are responsible for the security of what you put in the cloud.
Is your cloud infrastructure effectively applying least privilege to IAM roles? Are users, groups, roles, and service accounts configured with only the access they need?
Are your APIs and control planes exposed on public IP addresses? A single DoS vulnerability or remote exploit could bring down the management layer or allow attackers in.
Are your storage endpoints exposing sensitive data publicly? Do you monitor all storage endpoints for changes to public access settings? Do you have a real-time inventory of all storage endpoints?
Category | Issue | Severity | Effort
---|---|---|---
Identity and Access Management | Custom IAM Policy allows escalation to Admin | high | low
Storage | AWS S3 Bucket is public | high | low
Global | AWS Config Service is not configured | high | low
Identity and Access Management | IAM ServiceAccountUser granted at the project | medium | medium
Serverless | Outdated Lambda runtimes in use | medium | high
Network Access | Security Group allows any access to tcp/6379 | medium | low
Identity and Access Management | External domains permitted in security groups | medium | low
The out-of-the-box connectivity model of Kubernetes leads to a positive first-touch experience for developers. But no default Kubernetes installation has adequate security controls in place.
Security features like Pod Security Policies and Admission Controllers are add-ons and are often skipped or misconfigured. Without these properly configured features, administrators can easily expose the underlying hosts.
RBAC and namespaces are easy to misconfigure in ways that allow excessive admin privileges. Are your RBAC policies enforcing least privilege? Are your namespaces adequately segmented?
Category | Issue | Severity | Effort
---|---|---|---
Security Addons | Network Policy support is not enabled | high | low
Metadata API Access | Unprotected cloud Metadata APIs | high | low
IAM Roles | IAM permissions grant cluster admin | high | low
API Access | Control plane allows public access | high | medium
Kubernetes Version | EKS version is not latest | medium | medium
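The RBAC least-privilege question above and the "IAM permissions grant cluster admin" finding come down to which bindings exist in the cluster. The manifests below are an added example, not material from this page: a constructed binding that hands a developer group `cluster-admin` cluster-wide, followed by the namespace-scoped replacement. The group name `dev-team`, the namespace `payments` and the role name `app-developer` are placeholders.

```yaml
# Added example (not from the page): "before" binding that grants cluster-wide
# admin to a developer group, and the namespace-scoped replacement.
# Group, namespace and role names (dev-team, payments, app-developer) are placeholders.
---
# BEFORE: every member of dev-team can read Secrets in every namespace and
# change cluster-scoped objects (nodes, ClusterRoles, webhooks, ...).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-team-admin
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# AFTER: a Role limited to one namespace and to the resources and verbs the
# team actually uses. Secrets are deliberately omitted: workloads read them
# via secretKeyRef or volumes, people do not need to.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-developer
  namespace: payments
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "services", "configmaps", "deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# RoleBinding (not ClusterRoleBinding) keeps the grant inside the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-app-developer
  namespace: payments
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-developer
  apiGroup: rbac.authorization.k8s.io
```

After deleting the `dev-team-admin` ClusterRoleBinding and applying the Role and RoleBinding, `kubectl auth can-i get secrets -n payments --as=someone --as-group=dev-team` should answer `no`, while `kubectl auth can-i get pods -n payments --as=someone --as-group=dev-team` answers `yes`. On EKS the IAM-to-RBAC mapping decides which group a caller lands in, so the same check applies to whatever group the IAM identity is mapped to.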
Containerization allows development teams to move fast, deploy software efficiently, and operate at scale. Are you taking steps to ensure your workloads are running securely?
Are you enforcing trusted sources for your container images? Are you enforcing specific image versions or hashes?
Are you embedding application secrets in environment variables - baking them into images? Or are you centrally managing and rotating secrets and credentials?
The "connected by default" state of Kubernetes makes it easy to get up and running. Are you adequately controlling ingress and egress networking from pods?
Category | Issue | Severity | Effort
---|---|---|---
Cluster Security | Unprotected Tiller and cluster admin binding | high | low
Secrets Management | Secrets statically configured in pod ENV vars | high | low
Container Security | Inconsistent use of CPU/RAM requests/limits | high | medium
Network Security | Network Policies are not implemented | high | medium
Workload Availability | Pod Disruption Budgets not configured | medium | low
Cluster Management | Orphaned persistent volumes found | low | low
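Three of the findings above (secrets in pod environment variables, missing CPU/RAM requests and limits, and missing Network Policies) plus the image-pinning question show up directly in a workload manifest. The manifests below are an added example, not code from this page: a constructed pod with the weak settings, then the hardened version and the NetworkPolicies that go with it. The namespace `payments`, the names `payments-api`, `payments-db`, `postgres` and `ingress-nginx`, the image reference and the all-zero digest are placeholders.

```yaml
# Added example (not from the page): constructed "before" pod showing the
# findings listed above, then a hardened version. All names and values
# (payments-api, payments-db, the image digest) are placeholders.
---
# BEFORE: "Secrets statically configured in pod ENV vars". The credential is in
# the manifest, so it is in git and in `kubectl get pod -o yaml` output.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  containers:
    - name: api
      image: registry.example.com/payments-api:latest   # mutable tag, no digest
      env:
        - name: DB_PASSWORD
          value: "hunter2"                              # literal secret
---
# AFTER: the secret is its own object, filled in by CI or a secrets operator
# rather than committed with a real value, and referenced at runtime.
apiVersion: v1
kind: Secret
metadata:
  name: payments-db
  namespace: payments
type: Opaque
stringData:
  password: "PLACEHOLDER-set-out-of-band"
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
  labels:
    app: payments-api
spec:
  containers:
    - name: api
      # Pinned by digest so the running image cannot change under a tag.
      image: registry.example.com/payments-api@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: payments-db
              key: password
      resources:            # "Inconsistent use of CPU/RAM requests/limits"
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 500m
          memory: 256Mi
---
# "Network Policies are not implemented": deny all traffic in the namespace by
# default, then allow only what this pod needs (ingress from the ingress
# controller, egress to the database and to cluster DNS).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - to:   # once egress is restricted, DNS must be allowed explicitly
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

Two caveats a reviewer would check before relying on this. NetworkPolicy objects are only enforced when the cluster's network plugin supports them, which is exactly the separate "Network Policy support is not enabled" finding in the table above; with an unsupporting CNI the policies are accepted by the API server and silently do nothing. And moving the value into a Secret object removes it from the pod spec but not from etcd, so encryption at rest for Secrets and tight RBAC on `secrets` (no cluster-wide read for people) are the companion controls.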
We're experts at securing the platforms you use.