Viewing Host Vulnerabilities in AWS EKS Clusters

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L3 Networker
No ratings

By Mark Davis, Customer Success Engineer

 

Introduction 

 

A common customer question is how to view host vulnerabilities in the Asset Inventory for each Cloud Service Provider. Host vulnerabilities are easily identified in the Runtime Security Module, by selecting Monitor - Vulnerabilities - Hosts

 

Most Cloud Service Providers have a managed offering-- Azure has AKS, Google offers GKE, AWS has EKS and Red Hat offers RedHat openshift; in this article, specifically, we will focus on EKS. The container workloads for all of these managed offerings run on host machines and those machines can contain vulnerabilities.

 

The Prisma Cloud Command Center (Figure 1) and Vulnerabilities (Figure 2) dashboards are the first high level dashboards that provide visibility into Vulnerabilities, and its purpose is to identify top issues by severity for hosts, images and repositories.  In order to narrow the scope and filter based on EKS worker nodes in Cloud Security, it is recommended to explore the asset inventory.

 

 

unnamed.jpg

Figure 1:  Command Center Top Vulnerable Hosts_PaloAltoNetworks

 

 

unnamed.jpg

Figure 2:  Vulnerabilities Overview Dashboard_PaloAltoNetworks

 

The updated Asset Inventory (Figure 3) now displays host vulnerabilities that were previously available in the Compute module. We will also cover how to view vulnerabilities in your EKS worker nodes directly from the Asset Inventory and Asset explorer page.

 

 

unnamed.jpg

Figure 3:  Asset Inventory page showing assets with vulnerabilities_PaloAltoNetworks

 

The host vulnerabilities, if detected, will exist in AWS on the EKS service worker nodes that run on EC2.

 

Step 1

 

The easiest way to accomplish locating the EKS worker nodes with Asset Inventory is to use the ability to filter cloud resources in Prisma Cloud.

 

From Cloud Security - Select Inventory and create a filter as shown below

Cloud Type=AWS

Service Name=Amazon EC2

Asset Tag=Key:aws:eks:cluster-name:

 

These are the example results shown below in Figure 4.

 

 

unnamed.jpg

Figure 4:  Assets Inventory filter_PaloAltoNetworks


Every EKS worker node that is deployed will have several key-value pairs automatically added to each node at launch.  Below are a few keys I have identified that are common across all clusters and can be used to create filters to identify EKS worker nodes in Prisma Cloud Asset Inventory. In our example, we used the EKS cluster name, the 4th key below.

 

These keys can also be located in the AWS UI as TAGS on each EC2 instance assigned as a worker node.

 

"key""alpha.eksctl.io/nodegroup-type ",

"key""eks:nodegroup-name",

"key""aws:ec2:fleet-id",

"key""aws:eks:cluster-name",

 

Figure 5 below shows a total of 48 cloud resources that match the search filter. 43 of which have vulnerabilities. 39 Critical, 43 High, 43 medium and 41 low.

 

 

unnamed.jpg

Figure 5:  Filtered cloud Resources_PaloAltoNetworks

 

Step 2

 

Click on the total number from the results in figure 5 and it will take you to the asset explorer page with the filters shown in Figure 6 below.

 

 

unnamed.jpg

Figure 6:  results from the total number of filtered assets_PaloAltoNetworks

 

The results you receive from the asset explorer page seen in figure 7 below can be downloaded and given to the stakeholders that are responsible for the resources in a CSV format. The results on this page of 48 match the results from figure 2.

 

 

unnamed.jpg

Figure 7:  Filtered Results for download_PaloAltoNetworks

 

The results in CSV when downloaded will include all of the fields such as cloud account, resource name and id. I have redacted some information in figure 8 below, but keep in mind your download will have much more to display.

 

 

unnamed.jpg

Figure 8:  downloaded csv report_PaloAltoNetworks


Step 3

 

Technically you could stop here, but if you want to view more details about the vulnerabilities on the nodes click on the worker node name as shown in figure 9. 

 

 

unnamed.jpg

Figure 9:  Node with vulnerabilities filter_PaloAltoNetworks


This will bring up a sidecar page Figure 10 that will show the Findings Types, click on vulnerabilities.

 

 

unnamed.jpg

Figure 10:  Side car with total vulnerabilities_PaloAltoNetworks


The vulnerabilities page will display more details about the vulnerabilities on each host.  This page displays useful information such as CVE name, package in use, CVSS score as shown below in figure 11.

 

 

unnamed.jpg

Figure 11:  sidecar with useful vulnerability info shown_PaloAltoNetworks

 

You can also download the sidecar information as a CSV as shown below in figure 12.  The CSV download has much more information about the vulnerabilities such as Distro, CVE ID, page name and fix status.

 

 

unnamed.jpg

Figure 12:  downloaded csv example_PaloAltoNetworks

 

Step 4

You can also use the Prisma Cloud Resource Query Language to obtain visibility into the EKS worker nodes.

 

Bonus TIP!

Here is how we can use RQL to show results for all EKS worker nodes in a specific cloud account.  From Prisma Cloud, select Cloud Security, from the drill down - Select Investigate And type out or paste in the RQL query below and press Search. See Figure 13

 

 

unnamed.jpg

Figure 13:  Investigate Page_PaloAltoNetworks

 

config from cloud.resource where cloud.type = 'aws' AND api.name  = 'aws-ec2-describe-instances' AND json.rule = tags[*].key contains "eks:cluster-name"

 

The results from the query will contain a list of all the AWS EC2 instances with a key that contains eks:cluster-name as shown in Figure 14

 

 

unnamed.jpg

Figure 14:  RQL query used to show nodes with a tag_PaloAltoNetworks

 

If you click on the asset name from the results Prisma Cloud will launch the same sidecar page shown in Figure 11 above.

 

Conclusion  

 

This article guides you through the steps to view host vulnerabilities in your AWS EKS Service worker nodes directly from the Asset Inventory and Asset explorer page.

 

We used filters in the Asset Inventory page to view vulnerability data that normally is displayed in Compute.  Using the Asset Explorer is another way to obtain visibility into your environment and the output can be downloaded and provided to stakeholders to take action and remediate. 

 

References

 

Prisma Cloud Admin 

Prisma Cloud Dashboards -- Asset Inventory 

 

About the Author

 

Mark Davis is a Customer Success Engineer on the Prisma Cloud team, specializing in solving enterprise customer questions by empowering the customers with knowledge and guidance in protecting cloud resources and workloads. 

 

 

Rate this article:
  • 1185 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎11-01-2024 02:04 PM
Updated by: