RAPID CYBER AI
WEEK 6 OF 8

EKS & Cloud-Native Security

Production Kubernetes on AWS with full security controls

10-12 hours

Lab 1: EKS Cluster Provisioning

~90 min

Deploy EKS with Terraform

Private endpoint, encrypted secrets, managed nodes in private subnets.

EKS module
$ cat > eks.tf << 'EOF'
# Assumes aws_kms_key.eks (a customer-managed key for secrets encryption) and
# module.vpc (with private subnets) are defined in sibling .tf files.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "bootcamp-eks"
  cluster_version = "1.29"

  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true

  cluster_encryption_config = {
    provider_key_arn = aws_kms_key.eks.arn
    resources        = ["secrets"]
  }

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  eks_managed_node_groups = {
    secure = {
      min_size     = 2
      max_size     = 4
      desired_size = 2
      instance_types = ["t3.medium"]
    }
  }
}
EOF

$ terraform plan
$ terraform apply
WHY THIS MATTERS

EKS costs ~$0.10/hr for the control plane plus node costs. Budget ~$150/month for a 2-node lab cluster. Destroy when not actively labbing.

Lab 2: Service Mesh with mTLS

~90 min

Install Istio with strict mTLS

Automatic mutual TLS between all sidecar-injected services. In STRICT mode plaintext connections are rejected, so a workload cannot impersonate another without that service's mesh-issued identity certificate.

Istio
$ curl -L https://istio.io/downloadIstio | sh -
$ cd istio-*
$ export PATH=$PWD/bin:$PATH

$ istioctl install --set profile=default -y

# Enable strict mTLS mesh-wide
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
EOF

# Enable sidecar injection (only pods created after labelling get a sidecar;
# restart any workloads already running in the namespace)
$ kubectl label namespace bootcamp-app istio-injection=enabled

Lab 3: Secrets Management on EKS

~60 min

Install External Secrets Operator

Source of truth lives in AWS Secrets Manager. ESO syncs values into Kubernetes Secrets on a refresh interval, so a rotation in Secrets Manager propagates to the cluster automatically.

ESO
$ helm repo add external-secrets https://charts.external-secrets.io
$ helm install external-secrets external-secrets/external-secrets \
    -n external-secrets --create-namespace

# Create a secret in AWS Secrets Manager
# (a literal on the command line lands in shell history; for real values use
#  --secret-string file://path/to/secret.txt instead)
$ aws secretsmanager create-secret \
    --name bootcamp/db-password \
    --secret-string 'super-secure-password-here'

# An ExternalSecret (backed by a SecretStore with IAM access to Secrets Manager)
# pulls it into a Kubernetes Secret automatically
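The SecretStore and ExternalSecret that do the pulling are not shown on the page; the manifests below are an added example, not the bootcamp's own code. They assume ESO authenticates through an IRSA-annotated service account in bootcamp-app (the account ID, role name and region are placeholders) and that the namespace already exists.

```yaml
# Added example (not from the bootcamp page). Assumes ESO is installed as above,
# the bootcamp-app namespace exists, and an IAM role allowing
# secretsmanager:GetSecretValue on bootcamp/db-password trusts the cluster's
# OIDC provider (IRSA). Values in <...> are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: bootcamp-app
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ESO_READER_ROLE>
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore            # namespaced: only bootcamp-app can use this store
metadata:
  name: aws-secrets-manager
  namespace: bootcamp-app
spec:
  provider:
    aws:
      service: SecretsManager
      region: <AWS_REGION>
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa   # ESO exchanges this SA's token for the role
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-password
  namespace: bootcamp-app
spec:
  refreshInterval: 1h        # re-read from Secrets Manager hourly; rotations propagate on this cadence
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: db-password          # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner
  data:
  - secretKey: password        # key inside the Kubernetes Secret
    remoteRef:
      key: bootcamp/db-password   # the Secrets Manager name created in the lab
```

After `kubectl apply`, `kubectl get externalsecret -n bootcamp-app` should report SecretSynced once the first refresh succeeds; a permission error on the IAM role shows up there rather than in the pods that mount the secret.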

Lab 4: Pod Security & Resource Management

~60 min

Set up LimitRanges and ResourceQuotas

Prevents resource exhaustion and noisy-neighbor problems. The LimitRange injects default requests and limits into any container that omits them; the ResourceQuota caps what the namespace as a whole can request.

Resource governance
$ cat > limit-range.yaml << 'EOF'
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: bootcamp-app
spec:
  limits:
  - default:
      cpu: 500m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    type: Container
EOF

$ kubectl apply -f limit-range.yaml

$ cat > quota.yaml << 'EOF'
apiVersion: v1
kind: ResourceQuota
metadata:
  name: namespace-quota
  namespace: bootcamp-app
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 4Gi
    limits.cpu: "8"
    limits.memory: 8Gi
    pods: "20"
EOF

$ kubectl apply -f quota.yaml

Lab 5: EKS Security Audit

~60 min

Run kube-bench CIS Benchmark

Checks your cluster against the CIS Kubernetes Benchmark. On EKS the control plane is AWS-managed, so the job runs the worker-node and policy checks only. Target: 80%+ passing.

kube-bench
$ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-eks.yaml
$ kubectl wait --for=condition=Complete job/kube-bench --timeout=120s
$ kubectl logs job/kube-bench

Week 6 cleanup

Destroy the EKS cluster to stop charges. Keep the Terraform code.

Cleanup
$ terraform destroy
# Review and confirm — this deletes the EKS cluster and all resources