Provisioning a Secure EKS Environment in AWS

Discover how we successfully built a secure, scalable, and efficient EKS environment to support social token infrastructure by leveraging advanced AWS services and implementing strong security practices.

Client Overview

Roll is a pioneering platform in the creator economy, providing infrastructure and APIs for digital communities to create and integrate social tokens into financial systems and social platforms. Designed for creators and online communities, Roll empowers users to generate independent units of value and foster community interaction across the web.

Challenge

The client faced multiple challenges in setting up their EKS environment, including:

Complex Networking Components

Navigating the intricacies of VPCs, subnets, and security groups.

IAM Configuration

Properly configuring IAM roles and policies for the EKS cluster and worker nodes.

Robust Security Settings

Ensuring the EKS cluster had strong security settings, including security groups, network ACLs, and encryption.

Role-Based Access Control

Implementing Kubernetes Role-Based Access Control (RBAC) for effective permissions management.

Secrets Management

Managing sensitive data securely within Kubernetes.

Monitoring and Logging

Setting up comprehensive monitoring and logging solutions for the EKS cluster and its workloads.

AWS Service Integration

Integrating EKS with other AWS services such as RDS and S3.

CI/CD Pipelines

Establishing continuous integration and continuous deployment (CI/CD) pipelines for automated deployments to the EKS cluster.

Solution

To create a secure, scalable, and efficient EKS environment in AWS, we implemented a series of strategic measures. Here's how we approached the challenge:
  • To define and manage the infrastructure as code, the client used Terraform and Terragrunt:
We began by establishing a dedicated VPC for the EKS cluster, ensuring it was properly segmented into public and private subnets. To enhance endpoint security, we restricted access using security groups and VPC endpoint policies.

Secure connections were critical, so we integrated AWS Client VPN and AWS IAM Identity Center for safe access to private subnets. Adhering to the principle of least privilege, we meticulously crafted IAM roles and policies for both the EKS control plane and worker nodes. Security groups were configured with the minimum required access rules to ensure robust protection.

Granular permissions were achieved through Kubernetes Role-Based Access Control (RBAC), defining specific permissions for users, groups, and service accounts. Workloads were separated into different namespaces, each governed by appropriate RBAC rules. To secure sensitive data, we employed HashiCorp Vault alongside Kubernetes secrets.

For resource management, we implemented the Horizontal Pod Autoscaler (HPA) to scale pod replicas based on CPU usage. TLS certificates were managed with cert-manager, and NGINX served as the ingress controller, securely exposing the application to the Internet. Dynamic volume provisioning was handled by the EBS CSI driver, while IAM Roles for Service Accounts (IRSA) granted Kubernetes pods fine-grained permissions for accessing AWS services.
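The network side of the approach above (a private-endpoint cluster whose control plane and node security groups carry only the rules the two sides need, with operator access arriving through the Client VPN endpoint rather than the public Internet) can be expressed in Terraform like this. This is an added example, not the project's own code: the VPC, subnet, Client VPN security group, IAM role and KMS key it references are assumed to be defined elsewhere, and all names and CIDRs are placeholders.

```hcl
# Added example (not the project's code). Assumed: aws_vpc.eks, aws_subnet.private,
# aws_security_group.client_vpn, aws_iam_role.cluster and aws_kms_key.eks exist elsewhere.

resource "aws_security_group" "cluster" {
  name        = "eks-cluster-sg"
  description = "EKS control plane ENIs"
  vpc_id      = aws_vpc.eks.id
}

resource "aws_security_group" "nodes" {
  name        = "eks-nodes-sg"
  description = "EKS worker nodes"
  vpc_id      = aws_vpc.eks.id
}

# Nodes -> control plane: the API server on 443 only.
resource "aws_vpc_security_group_ingress_rule" "cluster_from_nodes" {
  security_group_id            = aws_security_group.cluster.id
  referenced_security_group_id = aws_security_group.nodes.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Operators -> control plane: only from the Client VPN endpoint's group, never 0.0.0.0/0.
resource "aws_vpc_security_group_ingress_rule" "cluster_from_vpn" {
  security_group_id            = aws_security_group.cluster.id
  referenced_security_group_id = aws_security_group.client_vpn.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Control plane -> nodes: kubelet and admission webhooks on the ephemeral range.
resource "aws_vpc_security_group_ingress_rule" "nodes_from_cluster" {
  security_group_id            = aws_security_group.nodes.id
  referenced_security_group_id = aws_security_group.cluster.id
  ip_protocol                  = "tcp"
  from_port                    = 1025
  to_port                      = 65535
}

# Node <-> node pod traffic, all protocols, but only from members of this group.
resource "aws_vpc_security_group_ingress_rule" "nodes_self" {
  security_group_id            = aws_security_group.nodes.id
  referenced_security_group_id = aws_security_group.nodes.id
  ip_protocol                  = "-1"
}

# Nodes still need outbound access (image pulls, AWS APIs); tighten further with VPC endpoints.
resource "aws_vpc_security_group_egress_rule" "nodes_all" {
  security_group_id = aws_security_group.nodes.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

resource "aws_eks_cluster" "this" {
  name     = "example-eks"          # assumed cluster name
  role_arn = aws_iam_role.cluster.arn

  vpc_config {
    subnet_ids              = aws_subnet.private[*].id   # control plane ENIs in private subnets
    security_group_ids      = [aws_security_group.cluster.id]
    endpoint_private_access = true
    endpoint_public_access  = false                      # API reachable only via VPN / VPC
  }

  # Envelope-encrypt Kubernetes Secrets at rest with a customer-managed KMS key.
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks.arn
    }
    resources = ["secrets"]
  }

  # Ship control-plane audit and authenticator logs for the monitoring stack.
  enabled_cluster_log_types = ["api", "audit", "authenticator"]
}
```

A quick check after apply is to confirm the API endpoint does not resolve to a public address from outside the VPN, and that no ingress rule on either group uses a CIDR source where a referenced security group would do; a `0.0.0.0/0` rule on the cluster group is the misconfiguration this layout is designed to rule out.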
  • For enhanced observability:
We integrated a centralised solution for logging and monitoring, established alerting mechanisms to detect failures in critical services, and set up notification rules for immediate incident awareness via Slack channels.
  • To automate deployments:
Automating deployments was streamlined with the integration of GitHub Actions as our CI/CD tool. We created efficient workflows and custom actions to minimise duplication and ensure seamless deployments.

These comprehensive measures resulted in stable and secure networking for the EKS cluster, significantly reducing connectivity issues and enhancing overall reliability. Permissions for users and applications were meticulously managed to prevent overexposure, thereby boosting security and compliance. Well-configured security groups and network ACLs further mitigated the risk of unauthorised access and attacks.
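The permission-management part of the solution (namespace-scoped RBAC for people, and IRSA so that a single pod identity gets a single narrow IAM grant) is shown below in Terraform, using the AWS and Kubernetes providers. This is an added example and not the project's code: the cluster resource `aws_eks_cluster.this`, the namespace, group, service account and bucket names are all assumed placeholders.

```hcl
# Added example (not the project's code). Assumed: aws_eks_cluster.this exists elsewhere;
# namespace, group, service-account and bucket names are placeholders.

resource "kubernetes_namespace" "tokens" {
  metadata {
    name = "token-api"
  }
}

# Role (not ClusterRole): only the verbs a deployer needs, and no access to Secrets or RBAC objects.
resource "kubernetes_role" "deployer" {
  metadata {
    name      = "deployer"
    namespace = kubernetes_namespace.tokens.metadata[0].name
  }
  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list", "watch", "update", "patch"]
  }
  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"]
    verbs      = ["get", "list", "watch"]
  }
}

# RoleBinding keeps the grant inside the namespace; the group is what IAM users map to.
resource "kubernetes_role_binding" "deployer" {
  metadata {
    name      = "deployer"
    namespace = kubernetes_namespace.tokens.metadata[0].name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.deployer.metadata[0].name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "token-api-deployers"   # assumed group name
  }
}

# IRSA: register the cluster's OIDC issuer with IAM.
data "tls_certificate" "eks" {
  url = aws_eks_cluster.this.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "eks" {
  url             = aws_eks_cluster.this.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
}

locals {
  oidc_host = replace(aws_iam_openid_connect_provider.eks.url, "https://", "")
}

# Trust policy: without BOTH conditions, any pod in the cluster could assume this role.
data "aws_iam_policy_document" "uploader_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${kubernetes_namespace.tokens.metadata[0].name}:uploader"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "uploader" {
  name               = "token-api-uploader"
  assume_role_policy = data.aws_iam_policy_document.uploader_trust.json
}

# Permissions: one prefix of one bucket, not s3:* on "*".
resource "aws_iam_role_policy" "uploader" {
  role = aws_iam_role.uploader.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:PutObject", "s3:GetObject"]
      Resource = "arn:aws:s3:::example-token-assets/uploads/*"   # assumed bucket
    }]
  })
}

# The annotation is what makes EKS inject the web-identity token and role ARN into pods.
resource "kubernetes_service_account" "uploader" {
  metadata {
    name      = "uploader"
    namespace = kubernetes_namespace.tokens.metadata[0].name
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.uploader.arn
    }
  }
}
```

The two `StringEquals` conditions are the part reviewers most often find missing: a trust policy that checks only the issuer lets every service account in the cluster assume the role, which defeats the point of separating workloads into namespaces.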

Results

The client achieved significant improvements in their EKS environment:

Enhanced Stability and Security

Improved reliability and reduced connectivity issues through robust networking practices and secure configurations.

Controlled Access and Permissions

Enhanced security and compliance by managing user and application permissions, and ensuring authorised access to cluster resources.

Mitigated Unauthorised Access Risks

Reduced risks of unauthorised access and attacks with well-configured security groups and network ACLs.

Secure Data Management

Lowered the risk of data breaches by securely managing sensitive data using advanced encryption and secrets management tools.

Optimised Resource Allocation

Automatically adjusted resources based on workload demands, ensuring efficient and cost-effective operations.

Improved Observability and Deployment

Gained deep visibility into cluster performance for proactive maintenance, and accelerated deployment processes for consistent and reliable updates.

Technology Stack

To achieve these results, the following technologies and tools were utilised:
  • Cloud Computing: VPC, IAM, EKS, EBS, EC2, ECR, Client VPN, Transit Gateway, KMS, S3
  • Infrastructure as Code: Terraform, Terragrunt
  • CI/CD: GitHub Actions
  • Log Management, Monitoring, and Alerting: Datadog, Slack
  • Team Collaboration: Zenhub, Slack
  • Source Control: GitHub, Git
By leveraging this robust tech stack, Bion was able to deliver a secure, scalable, and efficient EKS environment for Roll, significantly enhancing the client's social token infrastructure and overall operational capabilities.