
Get started with KSPM

This page explains how to configure the Kubernetes Security Posture Management (KSPM) integration.

  • The KSPM integration is available to all Elastic Cloud users. For on-prem deployments, it requires an appropriate subscription level.

  • The KSPM integration only works in the Default Kibana space. Installing the KSPM integration on a different Kibana space will not work.

  • KSPM is not supported on EKS clusters in AWS GovCloud. Click here to request support.

  • To view posture data, ensure you have the read privilege for the following Elasticsearch indices:

    • logs-cloud_security_posture.findings_latest-*
    • logs-cloud_security_posture.scores-*
    • logs-cloud_security_posture.findings

The instructions differ depending on whether you’re installing on EKS or on unmanaged clusters.

Install KSPM on EKS clusters

  1. Navigate to the Integrations page using the navigation menu or the global search field.
  2. Search for kspm, and select the integration. Click Add Kubernetes Security Posture Management (KSPM).
  3. Under Configure integration, select EKS. A new section called Setup Access appears.
  4. Name your integration and add a description. Use a name that matches the purpose or team of the cluster(s) you want to monitor, for example, IT-dev-k8s-clusters.
  5. (Optional) Under Advanced options, you can add a Namespace to the integration's data stream.
Note

Using a namespace can help you organize your data; for example, you can query data from a particular namespace, or filter the Cloud Security dashboard based on namespace. Do not try to use data stream namespaces to manage data access within your organization. This is ineffective because the default findings index includes data from all namespaces (logs-findings*). Use document-level security instead.

There are several options for how to provide AWS credentials:

  • IAM Role to Kubernetes Service-Account (IRSA)
  • Instance role
  • Access keys
  • Temporary security credentials
  • Shared credentials file
  • IAM role Amazon Resource Name (ARN)

Regardless of which option you use, you’ll need to grant the following permissions:

  • ecr:GetRegistryPolicy
  • eks:ListTagsForResource
  • elasticloadbalancing:DescribeTags
  • ecr-public:DescribeRegistries
  • ecr:DescribeRegistry
  • elasticloadbalancing:DescribeLoadBalancerPolicyTypes
  • ecr:ListImages
  • ecr-public:GetRepositoryPolicy
  • elasticloadbalancing:DescribeLoadBalancerAttributes
  • elasticloadbalancing:DescribeLoadBalancers
  • ecr-public:DescribeRepositories
  • eks:DescribeNodegroup
  • ecr:DescribeImages
  • elasticloadbalancing:DescribeLoadBalancerPolicies
  • ecr:DescribeRepositories
  • eks:DescribeCluster
  • eks:ListClusters
  • elasticloadbalancing:DescribeInstanceHealth
  • ecr:GetRepositoryPolicy

If you are using the AWS visual editor to create and modify your IAM policies, you can copy and paste this IAM policy JSON object:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:GetRegistryPolicy",
                "eks:ListTagsForResource",
                "elasticloadbalancing:DescribeTags",
                "ecr-public:DescribeRegistries",
                "ecr:DescribeRegistry",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "ecr:ListImages",
                "ecr-public:GetRepositoryPolicy",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ecr-public:DescribeRepositories",
                "eks:DescribeNodegroup",
                "ecr:DescribeImages",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "ecr:DescribeRepositories",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticloadbalancing:DescribeInstanceHealth",
                "ecr:GetRepositoryPolicy"
            ],
            "Resource": "*"
        }
    ]
}
```
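The policy above grants only read-style calls, which is what justifies its `"Resource": "*"`. As an added check that is not part of the Elastic documentation, the Python below embeds that policy and audits any copy of it before it is attached to a role: it flags every Allow action that is not a Describe/Get/List call, contains a wildcard, or targets a service other than ecr, ecr-public, eks and elasticloadbalancing. The read-only rule and the service list are this example's assumptions about what KSPM needs, not statements from the page.

```python
import json

# The IAM policy shown on this page, embedded so the check runs offline.
KSPM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
        "Action": [
            "ecr:GetRegistryPolicy", "eks:ListTagsForResource",
            "elasticloadbalancing:DescribeTags", "ecr-public:DescribeRegistries",
            "ecr:DescribeRegistry", "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
            "ecr:ListImages", "ecr-public:GetRepositoryPolicy",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DescribeLoadBalancers", "ecr-public:DescribeRepositories",
            "eks:DescribeNodegroup", "ecr:DescribeImages",
            "elasticloadbalancing:DescribeLoadBalancerPolicies", "ecr:DescribeRepositories",
            "eks:DescribeCluster", "eks:ListClusters",
            "elasticloadbalancing:DescribeInstanceHealth", "ecr:GetRegistryPolicy",
        ],
    }],
}

# Assumptions of this example, not rules stated on the page: KSPM only needs
# read access, so API names should start with Describe/Get/List, contain no
# wildcard, and belong to the four services the policy above names.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
EXPECTED_SERVICES = {"ecr", "ecr-public", "eks", "elasticloadbalancing"}


def audit_policy(policy) -> list:
    """Return findings for Allow actions beyond read-only KSPM access (dict or JSON text)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            service, _, api = action.partition(":")
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif service not in EXPECTED_SERVICES:
                findings.append(f"unexpected service: {action}")
            elif not api.startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action: {action}")
    return findings  # empty list: policy is read-only and scoped as expected
```

Run `audit_policy(KSPM_POLICY)` on the page's policy and it returns an empty list; paste in an edited copy and any write-capable or wildcard action is reported.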

Option 1: Use IRSA

Follow AWS’s EKS Best Practices documentation to use the IAM Role to Kubernetes Service-Account (IRSA) feature to get temporary credentials and scoped permissions.

Important

During setup, do not fill in any option in the "Setup Access" section. Click Save and continue.

Option 2: Use an instance role

Follow AWS’s IAM roles for Amazon EC2 documentation to create an IAM role using the IAM console, which automatically generates an instance profile.

Important

During setup, do not fill in any option in the "Setup Access" section. Click Save and continue.

Option 3: Use access keys

Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the Access key ID and the Secret Access Key.

For more details, refer to AWS' Access Keys and Secret Access Keys documentation.

Important

You must select "Programmatic access" when creating the IAM user.

Option 4: Use temporary security credentials

You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a security token, which is typically obtained using GetSessionToken.

Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration’s configuration to continue collecting cloud posture data. Update the credentials before they expire to avoid data loss.

Note

IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code when calling GetSessionToken. For more details, refer to AWS' Temporary Security Credentials documentation.

You can use the AWS CLI to generate temporary credentials. For example, you could use the following command if you have MFA enabled:

`aws sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456`

The output from this command includes the following fields, which you should provide when configuring the KSPM integration:

  • Access key ID: The first part of the access key.
  • Secret Access Key: The second part of the access key.
  • Session Token: A token required when using temporary security credentials.

Option 5: Use a shared credentials file

If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS' Shared Credentials Files documentation.

Instead of providing the Access key ID and Secret Access Key to the integration, provide the information required to locate the access keys within the shared credentials file:

  • Credential Profile Name: The profile name in the shared credentials file.
  • Shared Credential File: The directory of the shared credentials file.

If you don’t provide values for all configuration fields, the integration will use these defaults:

  • If Access key ID, Secret Access Key, and ARN Role are not provided, then the integration will check for Credential Profile Name.
  • If there is no Credential Profile Name, the default profile will be used.
  • If Shared Credential File is empty, the default directory will be used.
  • For Linux or Unix, the shared credentials file is located at ~/.aws/credentials.

Option 6: Use an IAM role Amazon Resource Name (ARN)

An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role’s permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session. An IAM role’s ARN can be used to specify which AWS IAM role to use to generate temporary credentials.

For more details, refer to AWS' AssumeRole API documentation. Follow AWS' instructions to create an IAM user, and define the IAM role’s permissions using the JSON permissions policy above.

To use an IAM role’s ARN, you need to provide either a credential profile or access keys along with the ARN role. The ARN Role value specifies which AWS IAM role to use for generating temporary credentials.

Note

If ARN Role is present, the integration will check if Access key ID and Secret Access Key are present. If not, the package will check for a Credential Profile Name. If a Credential Profile Name is not present, the default credential profile will be used.
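The fallback rules stated here and in the shared credentials file section are easier to verify as code. The Python below is an added illustration, not the integration's own code: it takes the form fields named on this page and returns the credential source they resolve to. The field keys, the function name and the return shape are assumptions of this example; the defaults (the default profile, ~/.aws/credentials on Linux/Unix) are the ones the page states.

```python
# Default location of the shared credentials file on Linux/Unix, as stated on the page.
DEFAULT_SHARED_CREDENTIAL_FILE = "~/.aws/credentials"


def resolve_credential_source(cfg: dict) -> dict:
    """Return which credential source the integration falls back to.

    `cfg` keys mirror the form fields on this page: access_key_id,
    secret_access_key, session_token, arn_role, credential_profile_name,
    shared_credential_file. Missing or empty fields mean "not provided".
    The function and its return shape belong to this example, not to the
    integration itself.
    """
    def given(name):
        return bool(cfg.get(name))

    # ARN Role never replaces a credential source; it only names the role
    # to assume with whatever credentials are resolved below.
    result = {"assume_role_arn": cfg.get("arn_role") or None}

    if given("access_key_id") and given("secret_access_key"):
        # A session token marks the key pair as temporary credentials from
        # GetSessionToken, which must be refreshed before they expire.
        result["source"] = "temporary_credentials" if given("session_token") else "access_keys"
        return result

    # No complete key pair: the shared credentials file is consulted, using the
    # named profile or the default profile, in the named file or the default file.
    result["source"] = "shared_credentials_file"
    result["profile"] = cfg.get("credential_profile_name") or "default"
    result["file"] = cfg.get("shared_credential_file") or DEFAULT_SHARED_CREDENTIAL_FILE
    return result
```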

Once you’ve provided AWS credentials, finish configuring the KSPM integration:

  1. If you want to monitor Kubernetes clusters that aren’t yet enrolled in Fleet, select New Hosts under “Where to add this integration”.
  2. Name the Elastic Agent policy. Use a name that matches the purpose or team of the cluster(s) you want to monitor. For example, IT-dev-k8s-clusters.
  3. Click Save and continue, then Add agent to your hosts. The Add agent wizard appears and provides a DaemonSet manifest.yaml file with pre-populated configuration information, such as the Fleet ID and Fleet URL.

The Add agent wizard helps you deploy the KSPM integration on the Kubernetes clusters you wish to monitor. For each cluster:

  1. Download the manifest and make any necessary revisions to its configuration to suit the needs of your environment.
  2. Apply the manifest using the `kubectl apply -f` command. For example: `kubectl apply -f elastic-agent-managed-kubernetes.yaml`

After a few minutes, a message confirming the Elastic Agent enrollment appears, followed by a message confirming that data is incoming. You can then click View assets to see where the newly collected configuration information appears throughout Kibana, including the Findings page and the Cloud Security Posture dashboard.

Install KSPM on unmanaged clusters

Follow these steps to deploy the KSPM integration to unmanaged clusters. Keep in mind credentials are NOT required for unmanaged deployments.

To install the integration on unmanaged clusters:

  1. Navigate to the Integrations page using the navigation menu or the global search field.
  2. Search for kspm, and select the integration. Click Add Kubernetes Security Posture Management (KSPM).
  3. Under Configure integration, select Self-Managed.
  4. Name your integration and add a description. Use a name that matches the purpose or team of the cluster(s) you want to monitor, for example, IT-dev-k8s-clusters.
  5. (Optional) Under Advanced options, you can add a Namespace to the integration's data stream.
Note

Using a namespace can help you organize your data; for example, you can query data from a particular namespace, or filter the Cloud Security dashboard based on namespace. Do not try to use data stream namespaces to manage data access within your organization. This is ineffective because the default findings index includes data from all namespaces (logs-findings*). Use document-level security instead.

  6. Select the Elastic Agent policy where you want to add the integration.
  7. Click Save and continue, then Add agent to your hosts. The Add agent wizard appears and provides a DaemonSet manifest.yaml file with pre-populated configuration information, such as the Fleet ID and Fleet URL.

[Image: The KSPM integration's Add agent wizard]

The Add agent wizard helps you deploy the KSPM integration on the Kubernetes clusters you wish to monitor. To do this, for each cluster:

  1. Download the manifest and make any necessary revisions to its configuration to suit the needs of your environment.
  2. Apply the manifest using the `kubectl apply -f` command. For example: `kubectl apply -f elastic-agent-managed-kubernetes.yaml`

After a few minutes, a message confirming the Elastic Agent enrollment appears, followed by a message confirming that data is incoming. You can then click View assets to see where the newly collected configuration information appears throughout Kibana, including the Findings page and the Cloud Security Posture dashboard.

Install KSPM on ECK

To run KSPM on an ECK deployment, you must edit the Elastic Agent CRD and Elastic Agent Cluster-Role.yaml files.

Patch Elastic Agent

Add `volumes` and `volumeMounts` to `podTemplate`:

```yaml
podTemplate:
  spec:
    containers:
    - name: agent
      volumeMounts:
      - name: proc
        mountPath: /hostfs/proc
        readOnly: true
      - name: cgroup
        mountPath: /hostfs/sys/fs/cgroup
        readOnly: true
      - name: varlibdockercontainers
        mountPath: /var/lib/docker/containers
        readOnly: true
      - name: varlog
        mountPath: /var/log
        readOnly: true
      - name: etc-full
        mountPath: /hostfs/etc
        readOnly: true
      - name: var-lib
        mountPath: /hostfs/var/lib
        readOnly: true
      - name: etc-mid
        mountPath: /etc/machine-id
        readOnly: true
    volumes:
    - name: proc
      hostPath:
        path: /proc
    - name: cgroup
      hostPath:
        path: /sys/fs/cgroup
    - name: varlibdockercontainers
      hostPath:
        path: /var/lib/docker/containers
    - name: varlog
      hostPath:
        path: /var/log
    - name: etc-full
      hostPath:
        path: /etc
    - name: var-lib
      hostPath:
        path: /var/lib
    # Mount /etc/machine-id from the host to determine host ID
    # Needed for Elastic Security integration
    - name: etc-mid
      hostPath:
        path: /etc/machine-id
        type: File
```

Patch RBAC

Make sure that the `elastic-agent` service account has the following Role and ClusterRole:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: elastic-agent
subjects:
- kind: ServiceAccount
  name: elastic-agent
  namespace: default
roleRef:
  kind: Role
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent
  labels:
    k8s-app: elastic-agent
rules:
- apiGroups: [""]
  resources:
  - nodes
  - namespaces
  - events
  - pods
  - services
  - configmaps
  - serviceaccounts
  - persistentvolumes
  - persistentvolumeclaims
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources:
  - replicasets
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources:
  - statefulsets
  - deployments
  - replicasets
  - daemonsets
  verbs: ["get", "list", "watch"]
- apiGroups:
  - ""
  resources:
  - nodes/stats
  verbs:
  - get
- apiGroups: [ "batch" ]
  resources:
  - jobs
  - cronjobs
  verbs: [ "get", "list", "watch" ]
- nonResourceURLs:
  - "/metrics"
  verbs:
  - get
- apiGroups: ["rbac.authorization.k8s.io"]
  resources:
  - clusterrolebindings
  - clusterroles
  - rolebindings
  - roles
  verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
  resources:
  - podsecuritypolicies
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-agent
  namespace: default
  labels:
    k8s-app: elastic-agent
rules:
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs: ["get", "create", "update"]
```
