These Cisco Terms of Use (this “Agreement”) between You and Cisco cover Your use of the Software and Cloud Services (“Cisco Technology”) obtained through this site. The Cisco Technology is intended for use by business users. Definitions of capitalized terms are in Section 11.
You agree to be bound by the terms of this Agreement through (a) Your download, installation, or use of the Cisco Technology; or (b) Your express agreement to this Agreement. If You do not have authority to enter into this Agreement or You do not agree with its terms, do not use the Cisco Technology.
Section 2. Using Cisco Technology
2.1 License and Right to Use. Cisco grants You, for Your direct benefit during the Usage Term and for the full scope of Your Entitlement under this Agreement, a non-exclusive, non-transferable (except with respect to Software as permitted under the Cisco Software Transfer and Re-Use Policy) (a) license to use the Software; and (b) right to use the Cloud Services (collectively, the “Usage Rights”).
2.2 Use by Third Parties. You may permit Authorized Third Parties to exercise the Usage Rights on Your behalf, provided that You are responsible for (a) ensuring that such Authorized Third Parties comply with this Agreement; and (b) any breach of this Agreement by such Authorized Third Parties.
2.3 Free Service. Cisco is making this Cisco Technology available to You without charge, up to certain capacity limits as described in Section 10 below, and subject to the terms of this Agreement. You agree that Cisco, in its sole discretion and for any or no reason, may terminate Your Usage Rights (or any part thereof) and that any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your Usage Rights if (i) Cisco has reason to believe that You engaged in any fraudulent behaviour as it relates to the Cloud Services, or (ii) You use Cisco Technology beyond Your Entitlement. You are solely responsible for exporting Your customer data from the Cisco Technology prior to termination, and, except as required by law, Cisco will provide You a reasonable opportunity to retrieve such data.
2.4 Upgrades or Additional Copies of Software. You may only use Upgrades or additional copies of the Software beyond Your Entitlement if You have (a) acquired those rights under a support agreement covering the applicable Software; or (b) You have purchased the right to use Upgrades or additional copies separately.
2.5 Interoperability of Software. If required by law and upon Your request, Cisco will provide You with the information needed to achieve interoperability between the Software and another independently created program, provided You agree to any additional terms reasonably required by Cisco. You will treat such information as Confidential Information.
Section 3. Additional Conditions of Use
3.1 Cisco Technology Generally. Unless expressly agreed by Cisco, You may not (a) transfer, sell, sublicense, monetize, or make the functionality of any Cisco Technology available to any third party; (b) use the Software on second hand or refurbished Cisco equipment not authorized by Cisco, or use Software that is licensed for a specific device on a different device (except as permitted under Cisco’s Software License Portability Policy); (c) remove, modify, or conceal any product identification, copyright, proprietary, intellectual property notices or other marks; (d) reverse engineer, decompile, decrypt, disassemble, modify, or make derivative works of the Cisco Technology; or (e) use Cisco Content other than as part of Your permitted use of the Cisco Technology.
3.2 Cloud Services. You will not intentionally (a) interfere with other users’ access to, or use of, the Cloud Service, or with its security; (b) facilitate the attack or disruption of the Cloud Service, including a denial of service attack, unauthorized access, penetration testing, crawling, or distribution of malware (including viruses, trojan horses, worms, time bombs, spyware, adware, and cancelbots); (c) cause an unusual spike or increase in Your use of the Cloud Service that negatively impacts the Cloud Service’s operation; or (d) submit any information that is not contemplated in the applicable Documentation.
3.3 Evolving Cisco Technology. Cisco may: (a) enhance or modify the features, functionality, and capacity limits of this Cisco Technology at any time, in its sole discretion, without liability; and (b) perform scheduled maintenance of the infrastructure and software used to provide the Cloud Service, during which time You may experience some disruption to that Cloud Service. Whenever reasonably practicable, Cisco will provide You with advance notice of such maintenance. You acknowledge that, from time to time, Cisco may need to perform emergency maintenance without providing You advance notice, during which time Cisco may temporarily suspend Your access to, and use of, the Cloud Service.
Cisco reserves the right (a) to end the life of this Cisco Technology, including component functionality, (“EOL”), and/or (b) to incorporate all or some of the features and functionality of this Cisco Technology into a Cisco paid offer at any time, in its sole discretion, and without liability (“Cisco Offering”). Any new Cisco Offering will be subject to its own terms and conditions.
3.4 Protecting Account Access. You will keep all account information up to date, use reasonable means to protect Your account information, passwords and other login credentials, and promptly notify Cisco of any known or suspected unauthorized use of or access to Your account.
3.5 Use with Third-Party Products. If You use the Cisco Technology together with third-party products, such use is at Your risk. You are responsible for complying with any third-party provider terms, including its privacy policy. Cisco does not provide support or guarantee ongoing integration support for products that are not a native part of the Cisco Technology.
3.6 Open Source Software. Open source software not owned by Cisco is subject to separate license terms as set out at www.cisco.com/go/opensource. The applicable open source software licences will not materially or adversely affect Your ability to exercise Usage Rights in applicable Cisco Technology.
Section 4. Confidential Information and Use of Data
4.1 Confidentiality. Recipient will hold in confidence and use no less than reasonable care to avoid disclosure of any Confidential Information to any third party, except for its employees, affiliates, and contractors who have a need to know (“Permitted Recipients”). Recipient: (a) must ensure that its Permitted Recipients are subject to written confidentiality obligations no less restrictive than the Recipient’s obligations under this Agreement, and (b) is liable for any breach of this Section by its Permitted Recipients. Such nondisclosure obligations will not apply to information that: (i) is known by Recipient without confidentiality obligations; (ii) is or has become public knowledge through no fault of Recipient; or (iii) is independently developed by Recipient. Recipient may disclose Discloser’s Confidential Information if required under a regulation, law or court order provided that Recipient provides prior notice to Discloser (to the extent legally permissible) and reasonably cooperates, at Discloser’s expense, regarding protective actions pursued by Discloser. Upon the reasonable request of Discloser, Recipient will either return, delete or destroy all Confidential Information of Discloser and certify the same.
4.2 How We Use Data. Cisco will access, process and use data in connection with Your use of the Cisco Technology in accordance with applicable privacy and data protection laws. For further detail, please visit Cisco’s Security and Trust Center.
4.3 Notice and Consent. To the extent Your use of the Cisco Technology requires it, You are responsible for providing notice to, and obtaining consents from, individuals regarding the collection, processing, transfer and storage of their data through Your use of the Cisco Technology.
Section 5. Ownership
Except where agreed in writing, nothing in this Agreement transfers ownership in, or grants any license to, any intellectual property rights. You retain any ownership of Your content and Cisco retains ownership of the Cisco Technology and Cisco Content. You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about this Cisco Technology provided by You to Cisco (“Feedback”) are non-confidential and Cisco may use any Feedback You provide in connection with Your use of the Cisco Technology as part of its business operations without acknowledgment or compensation to You.
Section 6. Warranties and Representations
To the extent allowed by applicable law, Cisco expressly disclaims all warranties and conditions of any kind, express or implied, including without limitation any warranty, condition or other implied term as to merchantability, fitness for a particular purpose or non-infringement, or that the Cisco Technology will be secure, uninterrupted or error free. If You are a consumer, You may have legal rights in Your country of residence that prohibit the limitations set out in this Section from applying to You, and, where prohibited, they will not apply
Section 7. Liability
Neither party will be liable for indirect, incidental, exemplary, special, or consequential damages; loss or corruption of data or interruption or loss of business; or loss of revenues, profits, goodwill, or anticipated sales or savings. The maximum aggregate liability of each party under this Agreement is limited to $5,000 USD. These limitations of liability do NOT apply to liability arising from (a) Your breach of Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export). These limitations of liability apply whether the claims are in warranty, contract, tort (including negligence), infringement, or otherwise, even if either party has been advised of the possibility of such damages. Nothing in this Agreement limits or excludes any liability that cannot be limited or excluded under applicable law. These limitations of liability are cumulative and not per incident.
Section 8. Termination and Suspension
8.1 Suspension. Cisco may immediately suspend Your Usage Rights if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export).
8.2 Termination. Cisco, in its sole discretion and for any or no reason, may terminate Your access to this Cisco Technology or any part thereof and any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your access immediately if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services), or 9.7 (Export). Upon termination of this Agreement, You must stop using the Cisco Technology and destroy any copies of Software and Confidential Information within Your control.
Section 9. General Provisions
9.1 Survival. Sections 4 (Confidential Information and Use of Data), 5 (Ownership), 7 (Liability), 8 (Termination and Suspension), and 9 (General Provisions) survive termination or expiration of this Agreement.
9.2 Third-Party Beneficiaries. This Agreement does not grant any right or cause of action to any third party.
9.3 Assignment and Subcontracting. Except as set out below, neither party may assign or novate this Agreement in whole or in part without the other party’s express written consent. Cisco may (a) by written notice to You, assign or novate this Agreement in whole or in part to an Affiliate of Cisco, or otherwise as part of a sale or transfer of any part of its business; or (b) subcontract any performance associated with the Cisco Technology to third parties, provided that such subcontract does not relieve Cisco of any of its obligations under this Agreement.
9.4 U.S. Government End Users. The Software, Cloud Services and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” pursuant to FAR 12.212 and DFARS 227.7202. All U.S. Government end users acquire the Cisco Technology and Documentation with only those rights set forth in this Agreement. Any provisions that are inconsistent with federal procurement regulations are not enforceable against the U.S. Government
9.5 Modifications to this Agreement. Cisco may change this Agreement or any of its components by updating it on Cisco.com and/or the Documentation page, which can be found at https://community.cisco.com/. Cisco will exercise commercially reasonable efforts to provide notice of any material changes to this Agreement, and within three (3) business days of posting changes to this Agreement, they will be binding. If you do not agree with the changes, you must discontinue using the Cisco Technology at that time. If you continue using the Cisco Technology after that time, you will be deemed to have accepted the changes to this Agreement.
9.6 Compliance with Laws. Each party will comply with all laws and regulations applicable to their respective obligations under this Agreement. Cisco may restrict the availability of the Cisco Technology in any particular location or modify or discontinue features to comply with applicable laws and regulations.
If You use the Cisco Technology in a location with local laws requiring a designated entity to be responsible for collection of data about individual end users and transfer of data outside of that jurisdiction (e.g., Russia and China), You acknowledge that You are the entity responsible for complying with such laws.
9.7 Export. Cisco’s Software, Cloud Services, products, technology, and services (collectively the “Cisco Products”) are subject to U.S. and local export control and sanctions laws. You acknowledge and agree to the applicability of and Your compliance with those laws, and You will not receive, use, transfer, export, or re-export any Cisco Products in a way that would cause Cisco to violate those laws. You also agree to obtain any required licenses or authorizations
9.8 Governing Law and Venue. This Agreement, and any disputes arising from it, will be governed exclusively by the applicable governing law below, based on Your primary place of business (or primary residence, if you are not a business) and without regard to conflicts of laws rules or the United Nations Convention on the International Sale of Goods. The courts located in the applicable venue below will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to the Agreement or its formation, interpretation or enforcement. Each party hereby consents and submits to the exclusive jurisdiction of such courts. Regardless of the below governing law, either party may seek interim injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of Cisco’s intellectual property or proprietary rights
Your Primary Place of Business Governing Law Jurisdiction and Venue
Any location not specified below
| State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California
| Australia | Laws of the State of New South Wales, Australia | State and Federal Courts of New South Wales |
| Canada | Province of Ontario, Canada | Courts of the Province of Ontario |
| China | Laws of the People’s Republic of China | Hong Kong International Arbitration Center |
| Europe (excluding Italy), Middle East, Africa, Asia (excluding Japan and China), Oceania (excluding Australia) | Laws of England | English Courts |
| Italy | Laws of Italy | Court of Milan |
| Japan | Laws of Japan | Tokyo District Court of Japan |
| United States, Latin America or the Caribbean | State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California |
If You are a United States public sector agency or government institution located in the United States, the laws of the primary jurisdiction in which You are located will govern this Agreement and any disputes arising from it. For U.S. Federal Government users, this Agreement will be controlled and construed under the laws of the United States of America.
9.9 Notice. Any notice delivered by Cisco to You under this Agreement will be delivered on Cisco.com. Notices to Cisco should be sent to Cisco Systems, Inc., Office of General Counsel, 170 West Tasman Drive, San Jose, CA 95134.
9.10 Force Majeure. Neither party will be responsible for failure to perform its obligations due to an event or circumstances beyond its reasonable control.
9.11 No Waiver. Failure by either party to enforce any right under this Agreement will not waive that right.
9.12 Severability. If any portion of this Agreement is not enforceable, it will not affect any other terms.
9.13 Entire agreement. This Agreement is the complete agreement between the parties with respect to the subject matter of this Agreement and supersedes all prior or contemporaneous communications, understandings or agreements (whether written or oral).
9.14 Translations. Cisco may provide local language translations of this Agreement in some locations. You agree that those translations are provided for informational purposes only and if there is any inconsistency, the English version of this Agreement will prevail.
9.15 Order of Precedence. If there is any conflict between this Agreement and any Cisco policies expressly referenced in this Agreement, the order of precedence is: (a) this Agreement; then (b) any applicable Cisco policy expressly referenced in this Agreement.
9.16 Language Election for Purchasers in Quebec. You confirm Your Agreement that this Cisco Technology is currently provided in English only.
Section 10. Additional Terms
10.1 Restrictions on Use by Minor Children. This Cisco Technology is not intended for use by persons younger than the age of consent in their relevant jurisdiction (e.g.,13 years old in the United States under the US Children’s Online Privacy Protection Act of 1998, or 16 or 13 years old in the European Union as per Member State law) (“Minor Children”). Minor Children are not permitted to create an account and You will not authorize Minor Children to access the Cisco Technology.
10.2 Capacity Restrictions. Your right to access and use this Cisco Technology is currently limited to five (5) nodes dedicated to applications/microservices.
10.3 Limited Community Support. This Cisco Technology is provided on a free-of-charge basis, as-is, and without support. Cisco has no obligation to maintain, repair, or upgrade this Cloud Service and Cisco will not provide user support services in connection with this Cisco Technology. User can refer to self-service help materials that cover a range of topics or reach out to our community forum to engage in community support discussions on our Documentation page at https://community.cisco.com/. Cisco makes no representations about and has no liability for these community support resources. All use of these resources, and the advice and guidance therein, is at Your own risk.
10.4 No Competitive Analysis. By agreeing to these terms, You represent and warrant that you will not use this Cisco Technology or its Documentation to (a) copy ideas, features, functions, or graphics; (b) develop competing products or services; or (c) perform competitive analyses.
10.5 Beta Functionality. User acknowledges and agrees that all or some components or functionality of the Cisco Technology may be in beta stage and may not have been (and may not become) productized or commercialized. You acknowledge that Your use and evaluation of this Cisco Technology is at Your own risk.
Section 11. Definitions
“Affiliate” means any corporation or company that directly or indirectly controls, or is controlled by, or is under common control with the relevant party, where “control” means to: (a) own more than 50% of the relevant party; or (b) be able to direct the affairs of the relevant party through any lawful means (e.g., a contract that allows control).
“Authorized Third Parties” means Your Users, Your Affiliates, Your third-party service providers, and each of their respective Users, permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“Cisco” “we” “our” or “us” means Cisco Systems, Inc. or its applicable Affiliate(s).
“Cisco Content” means any (a) content or data provided by Cisco to You as part of Your use of the Cisco Technology and (b) content or data that the Cisco Technology generates or derives in connection with Your use. Cisco Content includes geographic and domain information, rules, signatures, threat intelligence, and data feeds, and Cisco’s compilation of suspicious URLs.
“Cloud Service” means the Cisco hosted software-as-a-service offering or other Cisco cloud-enabled feature described in this Agreement. Cloud Services include applicable Documentation and may also include Software.
“Confidential Information” means non-public proprietary information of the disclosing party (“Discloser”) obtained by the receiving party (“Recipient”) in connection with this Agreement, which is (a) conspicuously marked as confidential or, if verbally disclosed, is summarized in writing to the Recipient within a reasonable time period after disclosure and marked as confidential; or (b) is information which by its nature should reasonably be considered confidential whether disclosed in writing or verbally.
“Delivery Date” means the date on which the Cloud Service is made available for Your use or, when Usage Rights in Software and Cloud Services are granted together, the earlier of the date Software is made available for download, or the date on which the Cloud Service is made available for Your use.
“Documentation” means the technical specifications and usage materials officially published by Cisco or available on https://community.cisco.com/ specifying the functionalities and capabilities of the applicable Cisco Technology.
“Entitlement” means the specific metrics, duration, and quantity of Cisco Technology that You acquire from Cisco under this Agreement.
“Software” means the Cisco computer programs including Upgrades, firmware and applicable Documentation.
“Upgrades” means all updates, upgrades, bug fixes, error corrections, enhancements and other modifications to the Software.
“Usage Term” means the period commencing on the Delivery Date and continuing until expiration or termination of the Entitlement, during which period You have the right to use the applicable Cisco Technology.
“User” means the individuals (including contractors or employees) permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“You” means the individual or legal entity using the Cisco Technology.
NEW Cloud Security Academy Level up your skills with hands-on lessons. Get started
In our latest blog in the Microsoft Defender on AWS Series, we introduced a tool created from the ground up by the Panoptica Office of the CISO, the Amazon Elastic Kubernetes Services (EKS) Creation Engine (ECE). The most obvious question to ask is “why?” Despite the fact there is a large ecosystem of tools for the creation of EKS, we wanted to create ECE to simplify the creation of secure EKS clusters and offer plugins to extend security functionality that did not exist in our idealized vision. This blog is meant to offer up some answers to initial skepticism, go into background about how the tool was created (it was an accident!), use cases for the tool, and an explanation of some of the code pieces.
A Tool Is Born
If you follow the Technical CISO Diaries series (any post by the Panoptica Office of the CISO), or anything specifically from the Panoptica Security Research team, you may know that we pay special attention to Kubernetes. We research it, we use it to host workloads, and have a personal stake in ensuring that it is secure for our customers, our community, and our own use.
If there is one glaring hole in the AWS creation process it is that AWS’ own security best practices are not followed all the time. With EKS, the console experience is that the cluster endpoint is Public, the Nodegroup EBS volumes are unencrypted, logs are off by default, the created security group allows all traffic in a “talk-to-self” rule, Kubernetes Secrets encryption is disabled by default, and you do not get much of a say for Node customization without a bit of a confusing workflow and documentation spread out across three services (EC2, Autoscaling, and EKS). Sure, if you know what you are doing, you can just override those less-than-ideal settings or you can pick up an IaC template, but what about the population that does not know that and explicitly trusts AWS?
As security professionals we often have a bias regarding the distribution of skill, not every single person working in the cloud is a security expert, and not every single security expert specializes in the same areas we do. More to the point, there are companies or individuals running workloads on AWS without formal security oversight or employees at all. Expecting every single person to comb through all documentation and inherently know the race conditions, pitfalls, considerations, and configurations to make every workload secure is preposterous. Using IaC templates require another skillset as well, and the learning curve can be steep to deduce what is being built or if the original author did their due diligence.
This, combined with the fact that we needed a quick way to spin up a bunch of different clusters, bootstrap and test multiple security tools with minimal touch, and test out a variety of operating systems and OS architectures necessitates a quick tool. What was going to be a set of scripts, quickly expanded, as creating the absolute minimum necessary secure configurations across all AWS services to get an EKS Cluster up and running is plentiful. After a bit of polish (with admittedly a lot more to go) ECE was suddenly born and the decision to open source it to benefit the community at large, accelerated development and modularity.
Why Use This Tool?
That is the main question though, isn’t it? While we’ll never assume the skill level of all readers of our blog posts, there is a good chance you are (still) balking at this if you even made it this far. As mentioned, it was originally a set of internal scripts that were much more formalized once we realized that there was a need to fill. If you do not want to read our prose (there is some poetry there too), we compiled a quick list for you:
Simplifies the entire creation process, all you need to do is bring your own VPC and Subnets
Applies all security best practices (encryption, monitoring, least privilege) that AWS recommends but does not do themselves
Bootstraps popular security and observability tools on your behalf, during creation or afterwards
Supports custom AMIs and various OS flavors out of the box, and bootstraps for you, including private instances
Supports future updates, security assessments, and service installation
Will roll back all infrastructure on errors and failures
Supports manual deletions if you’re not happy
No domain-specific language to learn or state to manage
Applies tags to everything to track provenance (who created it, when)
And from our Repository, here is a nice graphic showing the secure defaults you can enjoy by default versus what AWS provides.
We have already covered the reasons to use this tool over the default AWS console experience, ECE will take care of the creation and configuration of supporting services (EC2 Security Groups, IAM Roles, KMS Keys and Key Policies) to cover the areas that the EKS Console is lacking by default. We go further by ensuring that we can support custom AMIs out of the box, we ensure that all other dependent services are just as secure as your Cluster and apply other AWS best practices which are not followed by default – such as easy configuration of VPC-isolated (private) instances, using Volume Encryption, and using the Instance Metadata Service V2 only.
While it would be easy to create all those different things yourself, via IaC or manually, from experience, bodies of knowledge like that are either isolated or grow out of control. Suddenly, you have a very busy GitHub, Confluence, GitLab, or SharePoint with different CLI commands, scripts (Base64-encoded or not), IaC templates, user guides, AMI IDs sent around Slack channels, and it quickly gets out of control. One of the hardest things to achieve in security is uniform governance – the larger the teams, the more diverse the tech stack, the harder it is to maintain. So, while it is possible to do it on your own, ECE gives you the most secure configurations you can muster by default and generates all those scripts and one-off conditional configurations for you.
Other areas of struggle within the governance storyline are provenance, tracking the age of assets, who created them, what they were created with, and so on. CloudFormation does a good job of applying managed AWS tags but Terraform won’t do it unless you add them per resource, so we did it for you. It is also easy to be lulled into the trap of re-using the same Security Group, same KMS Key, or same IAM Role for every single similar workload you create. This drastically increases the blast radius, not instead of one IAM Role aiding in adversarial (or red team) compromise of your cluster – they can take control of orders of magnitude more. All your infrastructure is still cattle, but it is consolidated into its own fiefdom per run of ECE for a cluster.
Beyond the obvious ease of infrastructure procurement, we also extend ECE into a tool you can use to post-provision your cluster. Installing and configuring tools such as Falco or Datadog are not necessarily hard on their own, but the documentation can be confusing for a first-time user, so we take the guess work out of it. Helm chart management, apply Charts, keeping them updated, ensuring they work with each other? We handle that for you. And while AWS has two native ways to scan containers (Inspector and ECR) we wrapped Trivy and Kube-bench (a CIS benchmark tool) with a unified output in SARIF JSON that you can use on any other EKS cluster.
When it comes to using scripts, one complaint is cleaning up resources, and we also take care of that with ECE. Like a Terraform Apply gone awry or a CloudFormation Stack out of whack, to give you peace of mind we ensure errors of any kind trigger rollbacks to keep orphaned infrastructure questions out of your Slack. This extends to scheduled deletions as well, if you ever wanted to get rid of an EKS Cluster deployed by ECE or otherwise, we will attempt to find all related infrastructure (IAM, KMS, Launch Templates) and remove them safely on your behalf and let you know if we couldn’t. In this way, it gives you the experience of using an IaC tool without the bitter defeat of template errors as you write them on your own.
Using the Tool and Code Review
Note: In this section we will overexplain various arguments, recycle previously provided snippets from the ECE documentation and other blogs, and provide truncated Python snippets. Feel free to skip this section if you are not interested in it.
In our documentation, one of the largest blobs of text is the output of the “help” menu presenting a very large number of arguments, which can be a bit confusing. We have provided different scenario-based inputs you can provide, but it can still use some extra explanation. The centerpiece of the ECE is the “--mode" argument which tells ECE what you want to do. This defaults to creating clusters, but can be used for updates, deletions, or running any over the various module plugins independently and delete them as well. It is a different set of flags completely to apply the different plugins at creation time, as they are all defaulted not to run.
For instance, if you wanted to apply every available installation plugin while you created a cluster while using our default naming conventions for the various resources your command would look like the below snippet, we specify the mode here, but it always defaults to create unless otherwise overridden.
# Ensure you replace the values for empty environment variables below
PRIVATE_SUBNET_ONE='fill_me_in'
PRIVATE_SUBNET_TWO='fill_me_in'
VPC_ID='fill_me_in'
SLACK_WEBHOOK='fill_me_in'
# Ideall you should pull in your API key from a secrets management repo
DATADOG_API_KEY='fill_me_in'
python3 main.py \
--mode Create \
--subnets $PRIVATE_SUBNET_ONE $PRIVATE_SUBNET_TWO \
--vpcid $VPC_ID \
--falco True \
--falco_sidekick_destination_type Slack \
--falco_sidekick_destination $SLACK_WEBHOOK \
--datadog True \
--datadog_api_key $DATADOG_API_KEY
Two notable extras missing from here are installing the Microsoft Defender for Endpoint (MDE) EDR/XDR agent on the Nodes, as well as running the security assessment. As of the time of this writing, we do not support ad-hoc installation of MDE as we include it as part of the Nodegroup bootstrapping within your EC2 Launch Template, ensuring all future added nodes will have the Agent added. We consider a standalone plugin to use AWS Systems Manager Run Command or State Manager to apply the Agents but including them in a Launch Template is the best practice. Security Assessments are easy to run on their own, as we will review later. The following snippet is a modification to the above, this time including MDE installation arguments.
# Ensure you replace the values for empty environment variables below
PRIVATE_SUBNET_ONE='fill_me_in'
PRIVATE_SUBNET_TWO='fill_me_in'
VPC_ID='fill_me_in'
S3_BUCKET='fill_me_in'
SLACK_WEBHOOK='fill_me_in'
# Ideall you should pull in your API key from a secrets management repo
DATADOG_API_KEY='fill_me_in'
python3 main.py \
--mode Create \
--subnets $PRIVATE_SUBNET_ONE $PRIVATE_SUBNET_TWO \
--vpcid $VPC_ID \
--s3_bucket_name $S3_BUCKET \
--mde_on_nodes True \
--falco True \
--falco_sidekick_destination_type Slack \
--falco_sidekick_destination $SLACK_WEBHOOK \
--datadog True \
--datadog_api_key $DATADOG_API_KEY
Given the variety of arguments that we support, we could not use standard Argparse conventions such as using the “Required” flag in any of the argument configurations, given that not every mode will use every possible input. To implement conditional logic, we had to implement it ourselves, using what we called “preflight checks” that are invoked depending on the mode. Just like a normal preflight check that airline Captains, First Officers, and Flight Engineers would go through to plan their flight and takeoffs – we implemented rigorous checklists that will abort if not every condition is met. We did this to avoid orphaned resources being created or lengthy rollback periods being initiated, such as for the destruction and timeout period for Clusters and Nodegroups.
The following is a snippet from the end of our “main.py” file in which we define and parse the input arguments. It shows the various preflight function invocations using a very simplistic “if, elif, else” logic tree. It goes without saying that the snippet is massively truncated as well.
import sys
import re
import boto3
import botocore
import argparse
import subprocess
from art import text2art
import termcolor
from clint.textui import colored, puts
from EksCreationEngine import ClusterManager, UpdateManager, RollbackManager
from plugins.ECEDatadog import DatadogSetup
from plugins.ECEFalco import FalcoSetup
from plugins.ECESecurity import SecurityAssessment
#------
if __name__ == "__main__":
#------
args = parser.parse_args()
mode = args.mode
k8sVersion = args.k8s_version
#------
if mode == 'Create':
create_preflight_check()
elif mode == 'Destroy':
delete_preflight_check()
elif mode == 'Update':
update_preflight_check()
elif mode == 'Assessment':
assessment_preflight_check()
elif mode == 'SetupFalco':
setup_falco_preflight_check()
elif mode == 'RemoveFalco':
setup_falco_preflight_check()
elif mode == 'SetupDatadog':
setup_datadog_preflight_check()
elif mode == 'RemoveDatadog':
setup_datadog_preflight_check()
else:
print(f'Somehow you provided an unexpected arguement, exiting!')
sys.exit(2)
The “args = parser.parse_args()” variable is used to load all inputs into memory as their own individual variables, such as what we do with the mode. Since the optional plugins default to false, the only checks we need to perform are to ensure that the associated arguments (which default to a Python “None”) are present, aborting if the script if they’re not there. Outside of that, we must apply conditional checks that the naming conventions do not overlap, and that Subnets and a VPC is supplied for creation as shown in the snippet below.
def create_preflight_check():
#------
eks = boto3.client('eks')
# Conditional check to ensure that AMI ID (if provided) matches regex
amiId = args.ami_id
if amiId != 'SSM':
# AMI Regex
amiRegex = re.compile('^(?:(?:ami)(?:-[a-zA-Z0-9]+)?\b|(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:\s*,\s*(?:(?:ami)(?:-[a-zA-Z0-9]+)?\b|(?:[0-9]{1,3}\.){3}[0-9]{1,3}))*$')
# Attempt to match
amiRegexCheck = amiRegex.search(amiId)
if not amiRegexCheck:
print(f'Improperly AMI ID provided, does not match regex, check value and submit request again')
sys.exit(2)
# Check if an EKS Cluster exists for provided name
try:
eks.describe_cluster(
name=clusterName
)
except botocore.exceptions.ClientError as error:
# If we have an "ResourceNotFoundException" error it means the cluster doesnt exist - which is what we want
if error.response['Error']['Code'] == 'ResourceNotFoundException':
pass
else:
print(f'An EKS Cluster with the name {clusterName} already exists. Please specify another name and try again')
sys.exit(2)
# Check if an EKS Nodegroup exists for provided name
try:
eks.describe_nodegroup(
clusterName=clusterName,
nodegroupName=nodegroupName
)
except botocore.exceptions.ClientError as error:
# If we have an "ResourceNotFoundException" error it means the cluster/nodegroup doesnt exist - which is what we want
if error.response['Error']['Code'] == 'ResourceNotFoundException':
pass
else:
print(f'An EKS Nodegroup with the name {nodegroupName} already exists. Please specify another name and try again')
sys.exit(2)
# Check for a provided VPC
if vpcId == None:
print(f'VPC ID is required for cluster creation. Please specify a VPC ID and try again.')
sys.exit(2)
# Check for non-empty lists for Subnets
if args.subnets:
pass
else:
print(f'Subnets need to be specified for cluster creation')
sys.exit(2)
# Ensure a S3 Bucket was provided if MDE installation is true
if installMdeOnNodes == 'True':
if bucketName == None:
print(f'S3 Bucket name was not provided. Please provide a valid S3 Bucket and try again')
sys.exit(2)
# Ensure a Datadog API key is provided if Datadog installation is true
if datadogBool == 'True':
if datadogApiKey == None:
print(f'Datadog setup was specified but a Datadog API was not provided. Please provide a valid API key and try again.')
sys.exit(2)
# Call the `builder` function
ClusterManager.builder(
#------
)
The drawback of having to implement our own conditional logic is from a development feedback perspective, any additional Plugins that are developed, or arguments that are expanded must be “touched” multiple times. Creation is by far the most rigorous of the various preflight checks, with the others having similar logic applied but much shorter. Another drawback is that we must pass variables through the various Class functions in our core and Plugin libraries which are easy to get lost in. For instance, in the next snippet we show the end of the creation Class (“class ClusterManager()”) where we pickup the arguments that were passed to it from the preflight to determine if we need to run the Plugins, which require importing the Plugins and calling their own Classes separately.
import base64
import sys
import boto3
import botocore.exceptions
import json
from datetime import datetime
import time
import subprocess
import re
from plugins.ECEDatadog import DatadogSetup
from plugins.ECEFalco import FalcoSetup
cache = list()
class ClusterManager():
def builder(kubernetes_version, bucket_name, ebs_volume_size, ami_id, instance_type, cluster_name, cluster_role_name, nodegroup_name, nodegroup_role_name, launch_template_name, vpc_id, subnet_ids, node_count, mde_on_nodes, additional_ports, falco_bool, falco_sidekick_destination_type, falco_sidekick_destination, ami_os, ami_architecture, datadog_api_key, datadog_bool):
# ------
# Setup first time cluster connection with AWS CLI
updateKubeconfigCmd = f'aws eks update-kubeconfig --region {awsRegion} --name {cluster_name}'
updateKubeconfigProc = subprocess.run(updateKubeconfigCmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
print(updateKubeconfigProc.stdout.decode('utf-8'))
'''
Send a call into plugins.ECEFalco
'''
if falco_bool == 'True':
FalcoSetup.falco_initialization(
cluster_name=cluster_name,
falco_mode='Create',
falco_sidekick_destination_type=falco_sidekick_destination_type,
falco_sidekick_destination=falco_sidekick_destination,
datadog_api_key=datadog_api_key
)
'''
Send a call into plugins.ECEDatadog
'''
if datadog_bool == 'True':
DatadogSetup.initialization(
cluster_name=cluster_name,
datadog_mode='Create',
datadog_api_key=datadog_api_key
)
You can see that “ClusterManager.builder()” takes in many arguments only to use them in certain cases. It is not the most memory efficient, but will likely not be a problem outside of outside help. As of the time of this writing, we are working on improving documentation and our contributors guide. The previous snippets only demonstrate a small portion of the logic and command structure that goes into the backend of ECE. The work is necessary though, as we do it to ensure that all guesswork is taken out of creating a secure EKS Cluster and ancillary services.
As mentioned before, our documentation contains many scenarios and code snippets, and being open-source underneath the Apache-2.0 license means you can view the full code on GitHub, fork it into your own projects or contribute back. We absolutely love working with the community and know that there are much more skilled Python developers out there, so any tweaks for efficiency, readability, and related is just as valuable as expanded functionality. We are planning to support this project for many years ahead and want to make sure it is easy to use and does not cause any issues to end-users.
Conclusion
To wrap up, we wanted to share our plans for ECE, we promise that we won’t continue to try to convince you to use the tool. Our immediate plans are to expand the Plugin ecosystem and provide a developer guide as well as hosting the tool on the Python Package Index (PyPI). The Kubernetes ecosystem is incredibly rich and has everything from Static Analysis Security Testing (SAST), network policy, Policy as Code, ingress controllers, linters, machine learning workloads, cross-platform portability plugins and more available. We would love to include other popular tools such as Tigera’s Calico and AWS’ own extensibility such as AWS AppMesh, ALB Ingress Controllers, and Amazon Elastic MapReduce (EMR) on EKS as a few examples.
Other plans are to continue to improve what we already have based on our own use and community use. We want to continue to push the envelope with security, further reducing the blast radius and using the Panoptica Security Research team’s efforts to inform reduction of AWS IAM permissions and getting away from using AWS-managed policies if possible. We can even go as far as further reducing the Security Group permissibility and expanding that modularity. We also want to expand our list of tools that are supported in our Security Assessment module and offer integration with the Panoptica Platform’s own Kubernetes protection such as agentless Attack Path construction, graph-based analysis, and runtime protection integrations. And finally, bringing our Red Teamer Kubernetes tool, Red-Kube closer into this existing stack and providing our own Falco Custom Rules are all on the horizon.
We look forward to seeing the tool being used more and for any ideas and contributions from the community.
SIGN UP FREE
