DEVELOPER PREVIEW - This is a preview release and not intended for production use.

This Quick Start was created by Snyk in collaboration with Amazon Web Services (AWS). AWS Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Snyk controller for Amazon EKS enables you to import and test your running EKS workloads and identify vulnerabilities in their associated images and configurations that might make those workloads less secure. Once imported, Snyk continues to monitor those workloads, identifying additional security issues as new images are deployed and the workload configuration changes.

This Quick Start reference deployment guide provides step-by-step instructions for deploying Snyk on Amazon EKS.

Please know that we may share who uses AWS Quick Starts with the AWS Partner Network (APN) Partner that collaborated with AWS on the content of the Quick Start.

Developers, DevOps, Security teams, or any role within an organization building, deploying and maintaining applications on Amazon EKS.

Deploying this Quick Start with default parameters into an existing Amazon EKS cluster builds the following environment. For a diagram of the new VPC and new EKS cluster deployment options, see the Amazon EKS Quick Start documentation.

Figure 1: Quick Start architecture for Snyk on Amazon EKS

As shown in Figure 1, the Quick Start sets up the following:

• Kubernetes namespace for Snyk
• Kubernetes secret containing Skyk integration ID and docker config json.
• Snyk monitor pod

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings may affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will use. Prices are subject to change.

Tip: We recommend that you enable the AWS Cost and Usage Report. This report delivers billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.

This Quick Start requires a license for Snyk, the license costs and the instructions to obtain a license are available here.

This Quick Start assumes familiarity with Amazon EKS, AWS CloudFormation and Kubernetes.

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions.

If you are deploying onto an existing EKS cluster that was not created by the Amazon EKS Quick Start, you will need to configure the cluster to allow this Quick Start to manage your EKS cluster. The requirements are detailed in Step 2 of the Deployment steps section of this document.

This Quick Start provides three deployment options:

• Deploy Snyk into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, EKS cluster, a node group, and other infrastructure components. It then deploys Snyk into this new EKS cluster.
• Deploy Snyk into a new EKS cluster in an existing VPC. This option builds a new AWS EKS cluster, a node group, and other infrastructure components into an existing VPC. It then deploys Snyk into this new EKS cluster.
• Deploy Snyk into an existing EKS cluster. This option provisions Snyk in your existing AWS infrastructure.

1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.
2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Note: This step is only required if you are launching this Quick Start into an existing EKS cluster that was not created using the Amazon EKS Quick Start. If you would like to create a new EKS cluster with your deployment, skip to step 3.

1. Sign in to your AWS account, and launch the cluster preparation template.
2. The template is launched in the Ohio (us-east-2) AWS Region by default. To change the Region choose another Region from list in the upper-right corner of the navigation bar.
3. On the Create stack page, keep the default setting for the template URL, and then choose Next.
4. On the Specify stack details page, change the stack name if needed. Enter the name of the EKS cluster you would like to deploy to, as well as the Subnet ID's and security group ID associated with the cluster. These can be obtained from the EKS Cluster console.
5. On the options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.
6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.
7. Choose Create stack to deploy the stack.
8. Monitor the status of the stack until the status reaches CREATE_COMPLETE.
9. From the Outputs section of the stack, note the KubernetesRoleArn and the HelmRoleArn.
10. Add the roles to the aws-auth config map in your cluster, specifying system:masters for the groups, by following the steps in the EKS documentation. This allows the Quick Start to manage your cluster via AWS CloudFormation.

1. Now, log in to your Snyk account and navigate to Integrations.
2. Search for and click Kubernetes.
3. Click Connect from the page that loads, copy the Integration ID. The Snyk Integration ID is a UUID, similar to this format: abcd1234-abcd-1234-abcd-1234abcd1234. Save it for use in the next step.

Note: You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.

1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see deployment options earlier in this guide.

Deploy into a new VPC and new EKS cluster	Deploy into a new EKS cluster in an existing VPC	Deploy into an existing EKS cluster

Each new cluster deployments takes about 2 hours to complete. Existing cluster deployments take around 10 minutes.

2. The template is launched in the Ohio (us-east-2) AWS Region by default. To change the Region choose another Region from list in the upper-right corner of the navigation bar.
3. On the Create stack page, keep the default setting for the template URL, and then choose Next.
4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template, a reference is provided in the Parameters section of this document. Enter the ID obtained in Step 3 into the parameter labelled Snyk integration ID. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.
5. On the options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.
6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.
7. Choose Create stack to deploy the stack.
8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Snyk cluster is ready.

1. Configure kubectll command line utility to connect to your EKS cluster, as per the EKS documentation
2. Run kubectl get namespaces and verify that a namespace snyk-monitor displays with STATUS Active.
3. Run kubectl get pods --namespace snyk-monitor and verify that a pod with the prefix snyk-monitor displays with STATUS Running.
4. From the Snyk console, verify that your cluster appears and you are able to add workloads as described in the Snyk documentation

In the following table, parameters are described for the existing EKS cluster option. For parameters in the other deployment options see the EKS Quick Start documentation:

• Parameters for deploying new VPC and new EKS cluster
• Parameters for deploying EKS cluster into an existing VPC

The Snyk Kubernetes integration will monitor workloads and provide details on potential vulnerabilities in container images as well as security configuration for your deployments. It is recommended that Kubernetes manifests adhere to the workload configuration properties defined in the Snyk documentation

Snyk will alert for common misconfigurations include not setting CPU/Memory limits for your application as well as running containers as the root user. Another common misconfiguration is leaving the default file system mounted for the container as writable. This may lead to a potential exposure for an attacker who compromises the container and writes to the disk, which makes certain kinds of attacks easier. If your containers are stateless then you don’t need a writable filesystem. Lastly, not defining capabilities. At a low-level, Linux capabilities control what different processes in the container are allowed to do: from being able to write to the disk, to being able to communicate over the network.

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue.

Important: When you set Rollback on failure to No, you continue to incur AWS charges for this stack. Please make sure to delete the stack when you finish troubleshooting.

For general EKS troubleshooting steps see the EKS Quick Start documentation.

For Snyk specific troubleshooting see Snyk troubleshooting documentation.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. If you’d like to submit code, please review the Quick Start Contributor’s Guide.

• Getting Started Resource Center
• AWS General Reference
• AWS Glossary

• AWS CloudFormation
• Amazon EKS
• IAM
• Amazon VPC

• Snyk Kubernetes integration

• AWS Container Quick Start home page
• AWS Quick Start home page