Runtime-Powered Cloud Security for Kubernetes on AWS EKS
This project focused on securing a containerized voting application deployed on AWS EKS using a CNAPP platform. I built the full cloud-native environment, connected the AWS cloud account, installed the security agent on the Kubernetes cluster, deployed the voting application, and then implemented multiple security workflows across the software delivery lifecycle.
The goal was to demonstrate how security can be applied across container images, infrastructure-as-code, Kubernetes posture, compliance, runtime behavior, and incident investigation.


What I Built
AWS Cloud Account → EKS Cluster → Kubernetes Workloads → Security Agent → Runtime Security Visibility
1. Cloud & EKS Environment Setup
Set up the AWS environment with IAM access, billing guardrails, AWS CLI configuration, and region-specific deployment settings.
2. Kubernetes Cluster Creation
Created an AWS EKS cluster using eksctl and a YAML configuration file, including cluster, node group, networking, and IAM settings.
3. CNAPP Platform Integration
Connected a cloud-native security platform with AWS through the cloud onboarding flow.
4. Security Agent Installation
Installed the security agent on the EKS cluster using Helm to collect Kubernetes, container, runtime, and security telemetry.
5. Voting App Deployment
Deployed the containerized voting application on AWS EKS using Kubernetes manifests, created a dedicated namespace, and exposed the application UI through a load balancer.
6. End-to-End Security Workflow
Enabled security visibility from AWS infrastructure to Kubernetes runtime behavior.
Security Workflows Implemented
1. Container Image Vulnerability Scanning
Ran container image scans to identify vulnerabilities across the application stack.
What I learned:
I learned how to prioritize risk instead of treating every vulnerability equally. The most important findings are the ones that are critical, fixable, exploitable, exposed, and tied to components actually running in the environment.
Impact:
Helped identify and prioritize high-risk vulnerabilities before deployment.
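The prioritization described above can be sketched as a sort over scan findings. This is an added example, not code from the project or the CNAPP platform; the finding ids, package names, field names and the weighting in `priority_key` are assumptions made for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed placeholder, not a real CVE id
    package: str
    severity: str
    fixable: bool           # a patched version exists
    exploitable: bool       # a known exploit exists
    exposed: bool           # workload is reachable through the load balancer
    in_use: bool            # package is loaded by a running container

# Constructed sample scan output (hypothetical packages and ids).
SAMPLE = [
    Finding("VULN-B", "imagelib", "critical", False, False, False, False),
    Finding("VULN-E", "tzdata-tool", "low", True, False, False, False),
    Finding("VULN-C", "webframework", "high", True, True, True, True),
    Finding("VULN-A", "tls-lib", "critical", True, True, True, True),
    Finding("VULN-D", "json-parser", "medium", True, False, True, True),
]

def priority_key(f):
    # Assumed weighting: runtime context first, then severity, then fixability.
    context = sum((f.in_use, f.exposed, f.exploitable))
    return (context, SEVERITY_RANK[f.severity], f.fixable)

def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key, reverse=True)

def fix_now(findings):
    """Ids of findings that meet all five criteria at once."""
    return [f.vuln_id for f in prioritize(findings)
            if f.severity == "critical"
            and f.fixable and f.exploitable and f.exposed and f.in_use]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.vuln_id, f.severity, priority_key(f))
```

With this weighting, a high-severity finding in a running, exposed component ranks above a critical one in a package that is never loaded.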
2. CI/CD Security Scanning with GitHub Actions
Configured a GitHub Actions workflow to automatically build and scan container images during the development process.
What I learned:
Security scanning in CI/CD helps catch issues before they reach the Kubernetes cluster and supports a DevOps / DevSecOps workflow.
Impact:
Added security checks earlier in the software delivery lifecycle.
3. Infrastructure-as-Code Security
Integrated IaC scanning with the GitHub repository to detect Kubernetes configuration risks directly from source code.
What I learned:
Many cloud security issues come from configuration mistakes, not only application code. Scanning Kubernetes manifests before deployment helps reduce misconfiguration risk early.
Impact:
Helped identify Kubernetes misconfigurations and exposure risks before they reach the cluster.
4. Compliance and Remediation
Configured Kubernetes posture and compliance checks using cloud security policies and compliance benchmarks. Reviewed the identified issues, understood the compliance gaps, and took remediation steps by generating GitHub pull requests.
What I learned:
I learned how compliance checks help identify Kubernetes security gaps and how remediation steps turn those findings into actionable fixes. This helped me understand the full flow from detecting a compliance issue to applying a practical fix through source control.
Impact:
Helped validate the Kubernetes setup against security standards and apply remediation through source control.
5. Runtime Threat Detection
Simulated suspicious container activity by opening a shell inside a running container and running basic system exploration commands. The runtime security platform detected the behavior, generated an alert, and provided investigation details and possible remediation actions.
What I learned:
I learned how runtime detection helps identify suspicious activity that may only appear after an application is running. This helped me understand the difference between static security checks, which show potential risk, and runtime security, which shows what is actually happening inside the environment.
Impact:
Helped detect suspicious runtime behavior and support faster investigation and response.
6. Activity Audit and Investigation
Used activity audit data to review command-level evidence, user context, timestamps, process details, and file activity inside the container.
What I learned:
Activity audit helps turn a runtime alert into a clear investigation trail by showing who did what, when, where, and how. This is important for incident response, compliance evidence, and customer trust.
Impact:
Provided command-level evidence for incident investigation and audit reporting.
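The runtime detection and activity audit workflows above can be illustrated with one rule: flag a shell that starts with a terminal attached inside a container, then collect every command descended from it as the investigation trail. This is an added example, not the platform's detection logic; the event fields and sample events are constructed for illustration.

```python
SHELLS = {"sh", "bash", "ash", "dash", "zsh"}

def _ev(ts, user, pid, ppid, exe, tty, cmd):
    # Hypothetical event schema, not a vendor format.
    return {"ts": f"2024-05-01T{ts}Z", "ns": "vote", "pod": "vote-ui",
            "user": user, "pid": pid, "ppid": ppid, "exe": exe,
            "tty": tty, "cmd": cmd}

# Constructed process events from one pod.
EVENTS = [
    _ev("10:00:00", "app", 1, 0, "python", False, "python app.py"),
    # Non-interactive shell started by the application: expected behaviour.
    _ev("10:02:00", "app", 30, 1, "sh", False, "sh -c ./healthcheck.sh"),
    # Shell with a terminal attached, followed by commands typed into it.
    _ev("10:05:00", "root", 40, 0, "sh", True, "sh"),
    _ev("10:05:07", "root", 41, 40, "id", True, "id"),
    _ev("10:05:12", "root", 42, 40, "cat", True, "cat /etc/os-release"),
]

def detect_interactive_shells(events):
    """Return one alert per interactive shell, each with its command trail."""
    alerts = []
    tracked = {}  # (pod, pid) -> alert that the process belongs to
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pod"], ev["pid"])
        parent_alert = tracked.get((ev["pod"], ev["ppid"]))
        if parent_alert is not None:
            # Descendant of a flagged shell: record who ran what, and when.
            parent_alert["trail"].append((ev["ts"], ev["user"], ev["cmd"]))
            tracked[key] = parent_alert
        elif ev["exe"] in SHELLS and ev["tty"]:
            alert = {"rule": "interactive shell in container",
                     "namespace": ev["ns"], "pod": ev["pod"],
                     "user": ev["user"], "started": ev["ts"], "trail": []}
            alerts.append(alert)
            tracked[key] = alert
    return alerts

if __name__ == "__main__":
    for alert in detect_interactive_shells(EVENTS):
        print(alert["rule"], alert["namespace"], alert["pod"], alert["started"])
        for ts, user, cmd in alert["trail"]:
            print("   ", ts, user, cmd)
```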








Key Skills
🌐 Cloud & Infrastructure
AWS, AWS EKS, IAM, Load Balancer, Kubernetes, Containers
🛡️ Security
Cloud Security, Cybersecurity, CNAPP, Runtime Security, Vulnerability Management, IaC Security, CI/CD Security, Compliance, Security Remediation, Incident Investigation
⚙️ DevOps
DevOps, GitHub Actions, Infrastructure-as-Code
🖥️ Systems & Tools
Linux, CLI, YAML, Helm, kubectl
Key Learnings
Risk-Based Security Prioritization
Security findings should not be treated equally. The highest priority issues are the ones that combine severity, fixability, exploitability, exposure, and runtime usage.
CI/CD Security Integration + Runtime Security
Security works best across the full lifecycle: CI/CD scanning helps catch issues before deployment, while runtime detection shows what is actually happening after the application is running.
Kubernetes Security Posture
Kubernetes security depends heavily on configuration, workload settings, access controls, and compliance posture, not just application code.
Remediation Through Source Control
Security findings become more actionable when remediation steps can be converted into pull requests and fixed directly in infrastructure code.
Investigation-Ready Security Visibility
Runtime alerts become more useful when supported by command-level evidence, user context, timestamps, process details, and file activity.