GSA / data.gov

Main repository for the data.gov service
https://data.gov

Run CIS Scans on EKS AMIs #3760

Open nickumia-reisys opened 2 years ago

nickumia-reisys commented 2 years ago

Purpose

We want to scan our EC2 nodes against CIS metrics, but we're not sure how to do that.

Given the above question, investigation/prototyping is needed to provide factual knowledge on future steps.

2 days of effort have been allocated, and once complete, findings will be demonstrated and specific future actions will be decided.

Acceptance Criteria

[ACs should be clearly demo-able/verifiable whenever possible. Try specifying them using BDD.]

Background

Discussion surrounding https://github.com/GSA/data.gov/issues/3668#issuecomment-1081955299

Sketch

hkdctol commented 1 year ago

@nickumia-reisys will put in more context

nickumia-reisys commented 1 year ago

I am currently investigating if AWS Fargate will accomplish everything we need. If this is successful, we don't technically need to support managed nodes (and, by extension, the GSA ISE AMI). However, which path to take will depend on the decision of the team and the integration with other GSA Teams. The GSA ISE AMI provides centralized security tooling, which would be an overall win (assuming no performance issues with using the AMI).

See the following PR for details on Fargate support

hkdctol commented 1 year ago

@btylerburton will handle categorizing these