Decide on WAF Requirements/Strategy
Problem
ALBs have very limited capabilities to fend off attacks by themselves. Using Security Groups is not a scalable solution. The number of inbound/outbound rules is limited to a max of 120 (60 ea). To thwart any sort of Denial of Service (DoS) attack, more tools are required. Moreover, not all attacks are as easily identified as DoS attacks. Other threat vectors include SQL injection, XSS, etc. The older your applications, the more external dependencies you have, the greater the attack surface area.
Solution
Deploy a Web Application Firewall (WAF) capable of performing Layer-7 inspection and mitigation.
Our recommendation is to deploy the AWS WAF with the AWS Managed Rules for the https://owasp.org/www-project-top-ten/. https://aws.amazon.com/marketplace/solutions/security/waf-managed-rules
Considerations
-
ALB/NLB won’t provide TLS in-transit with nitro instances
-
AWS WAF only works with ALBs
-
We need to terminate TLS at the Kubernetes ingress layer (e.g. with cert-manager and ZeroSSL) in order to deliver end to end encryption
-
Cloudflare Argo tunnel will work without exposing the cluster endpoints directly to the internet
Our recommendation is to use AWS WAF with ALB load balancers, then use AWS Nitro instances for e2e encryption inside EKS, and self-signed certs between the ALB and the pods.