Shared Responsibility Model - AWS EKS

Updated: Oct 6, 2020

Kubernetes is becoming the de-facto container orchestrator, steadily gaining both mindshare and market share. Many companies use a managed Kubernetes service (Azure AKS, Google GKE, AWS EKS) and assume that the cloud provider will take care of security.

While the providers do take care of the control plane, the security of nodes, network policies, and pod security remains the customer's responsibility. This split is called the shared responsibility model (see the AWS shared responsibility diagrams below).

Fig. 1: Shared Security Model for AWS Managed Node Groups

Fig. 2: Shared Security Model for AWS EKS

As you move from self-managed nodes to managed node groups to Fargate, AWS picks up more responsibility: offering Kubernetes-optimized node images, patching the node OS, keeping Kubernetes up to date, and scaling worker nodes with the load.

The customer is always responsible for:

  • Network segmentation - network policies

  • Pod security policies

  • Application security

  • Container Image and Data

There are also commercial distributions such as Rancher that let Kubernetes deployments stay cloud-agnostic. Most of these platforms are focused on speed and agility, and it is worth evaluating their shared responsibility model as well.

At Araali, our goal is to make it easy for customers to take care of this shared responsibility matrix with a few simple commands (demo).
