As you move to the cloud, your focus is on developing and deploying your applications. You may leave some functions for later, thinking they will slow you down. So when challenges appear, your team feels unprepared. You need tools that are built for containers, Kubernetes, and the cloud so your team can build visibility and security together in a Secure DevOps workflow and ship applications faster. Secure DevOps on AWS is about bringing security and monitoring together throughout the application lifecycle, from development through production. It embeds security and compliance, maximizes performance and availability, and manages security risks so you can confidently run in production. These five essential workflows will help you get results quickly.

As the number of container images, versions, and builds supporting your applications on AWS grows, it can be hard to control and secure the software being used. Image scanning helps you block vulnerabilities before they reach production. This means scanning for vulnerable packages, leaked credentials, language-specific libraries, and much more. You can implement this important check across several points of the DevOps lifecycle, including your CI/CD pipelines with tools like AWS CodePipeline, as well as your registries like Amazon ECR.

In production, you'll want to detect abnormal behavior which could indicate a security threat. Runtime security provides real-time visibility into your container environments on AWS and helps you alert on suspicious events in production across services like Amazon EKS, ECS, and Fargate.

You need to pass compliance audits without slowing the release train. This means continuously validating compliance to understand your security posture. Auditing activity in a rapidly changing container environment can be a challenge. Key to ensuring compliance is the ability to keep track of file, network, and Kubernetes activity. The dynamic nature of container environments can lead to gaps in visibility.
How do you monitor applications made of containers distributed across cloud instances? You need deep insight into Kubernetes health, capacity, and performance. The ability to correlate metrics and events with cloud context will help identify where an issue lies and resolve problems quickly, all while being able to scale up to your needs. Key metrics like latency, errors, traffic, and saturation give you insight into the health and performance of your applications as experienced by users. Tapping into solutions like Prometheus, CloudWatch, and Sysdig can help you efficiently monitor your AWS services and cloud-native applications and help you save time by showing you what really matters.

Let's look at these five key workflows in action using Sysdig with Amazon EKS to demonstrate how to take ownership of the most critical security and availability requirements in your container environment. As a SaaS platform, Sysdig makes it easy to get started. With a single agent deployed per node in your EKS cluster, you get Kubernetes visibility and security insights in five minutes or less. Once installed, Sysdig scans your container images, automatically discovers hundreds of applications, and connects with the Kubernetes API to add the context you need to analyze your container environment from any perspective.

As you're developing your software, it's important to address security early in the lifecycle. As developers commit code and it makes its way through your CI/CD pipeline and into your registry, such as ECR, embedding scanning to detect vulnerabilities and misconfigurations will help you avoid running insecure code in production. Here inside Sysdig Secure, you can see an example of a policy that enables detection of both OS and non-OS vulnerabilities. You can look for things like images set to run as root and embedded access keys or secrets. You can also scan third-party libraries. These are all important aspects to examine to assess the security of your container images.
Having the ability to block builds if they don't meet your security and compliance guidelines is also key to automating security protection within your development practice. If you're a Fargate user, a feature unique to Sysdig is the ability to trigger scans of images within ECR for Fargate tasks as they start, to ensure the security of your containers running on the serverless platform. You'll also want to be able to scan your running images, set alerts for any new vulnerabilities that show up, and identify which team owns the fix. Here, taking advantage of Kubernetes context from EKS, you can see, for instance, at a namespace level which are the vulnerable containers. If you're the service owner for the Sock Shop service, for example, you can see the images failing scanning policies and prioritize patching and deploying new containers to protect your business.

As your container applications run in your AWS environment, another key DevOps workflow that helps you reduce risk is runtime security. Runtime security is designed to identify issues such as zero-day vulnerabilities, container drift, or other suspicious activity at runtime. To do this, Sysdig takes advantage of Falco, the CNCF open-source runtime security project, providing out-of-the-box rules to detect a wide range of security issues. These rules analyze system calls and rich data sources such as the Kubernetes audit log and AWS CloudTrail to automatically spot and alert you to anomalies, including things like unauthorized access and configuration changes, so you can take action. Detections mapped to the Kubernetes control plane, container and host intrusion detection, compliance rules like PCI and NIST, file integrity monitoring, and security frameworks like MITRE ATT&CK give you broad insight into a wide range of threats. Being able to understand these threats and to tie them back to specific containers, namespaces and Kubernetes is critical for anyone running production workloads.
Here you can use context collected from Kubernetes and AWS to see that someone spawned a shell in a container running in the store front-end deployment. You can pre-configure policies to take action such as kill, stop or pause a container when a rule triggers. Sysdig will capture an audit trail of the activity surrounding the event. This helps you see what happened during the session, including kubectl commands, network and file activity. You can see here, for instance, how someone exec'd into a pod, spawned a shell, ran commands and tampered with files.

Being able to validate compliance within your AWS container infrastructure is another key DevOps workflow. Cloud teams often struggle with mapping compliance controls to meet standards like PCI and NIST in their container and Kubernetes environments. Sysdig has implemented compliance controls to simplify this task. Image scanning policies help you control compliance during build, runtime security policies detect compliance issues and provide audit trails, and Sysdig also enables automation of tools like Docker Bench and kube-bench to check your infrastructure for conformance with CIS benchmarks. These benchmarks help you see how well you've configured your environment compared to established best practices and to see what's passing or failing. You'll be able to see issues with configuration across aspects like hosts, containers, runtime and orchestration, and guided remediation tips help you understand what you should do to achieve compliance. Unique to Sysdig is the ability to monitor how your compliance posture is changing over time. You can see, for example, for the last 90 days what's consistently passing or failing. If you're going through an audit, you can use this information to show how you are improving over time within and across your AWS container environments.
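A Falco rule of the kind described above, written here as an added example rather than taken from the video or from Sysdig's or Falco's shipped ruleset: it fires when an interactive shell starts inside a container and includes the Kubernetes namespace and pod in the output so the alert can be tied back to the workload. The rule name, the macro, the list of shell binaries and the output format are my own choices; the field names are standard Falco syscall and Kubernetes fields.

```yaml
# Added example (not from the video or the Falco default rules).
# Load with: falco -r interactive_shell.yaml

# Macro: the new process is a common shell and has a TTY attached,
# i.e. a human is driving it rather than a script or entrypoint.
- macro: interactive_shell_proc
  condition: (proc.name in (bash, sh, dash, zsh, ash, ksh) and proc.tty != 0)

- rule: Interactive Shell Spawned in Container
  desc: >
    An interactive shell was started inside a container, for example via
    "kubectl exec". This is normal during debugging but unexpected in a
    production deployment such as a store front end, so it is worth alerting
    on and recording the surrounding command, network and file activity.
  condition: >
    evt.type = execve and evt.dir = <
    and container.id != host
    and interactive_shell_proc
  output: >
    Interactive shell in container (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline container=%container.name
    image=%container.image.repository namespace=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

The output fields starting with `k8s.` are only populated when Falco is running with Kubernetes metadata enabled; on a bare host the rule still fires and the container fields remain filled.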
Visibility into dynamic containers in orchestrated environments is critical for ensuring the availability and performance of your services on AWS. Microservice-based applications can be distributed across multiple instances and start and stop quickly based on demand, making it hard to keep track. Monitoring the Kubernetes orchestration state in addition to containers is key to understanding if your service instances are up, running and delivering your expected quality of service. Here within Sysdig, you have a number of views into the operational status of your container clusters and orchestration. The Cluster Overview page populates automatically with key data about the performance and health of each cluster along with associated event data. You can drill down to look at the namespaces to identify any problems. For instance, our example voting app namespace indicates a potential issue with CPU and memory use. You can even take a look at the workloads to see which are contributing to the issues that have surfaced, so you know exactly where to focus your efforts. You can also drill further into details about your Kubernetes orchestrated environment with tailored dashboards. Here, the Kubernetes pod overview dashboard reflects the importance of key metrics about availability and restarts as well as the golden signals of saturation, errors, traffic and latency, all designed to help you see how the pods within a specific namespace or deployment are doing. This can also help you monitor capacity limits to identify pods consuming excessive resources and help you manage capacity allocation and utilization. In addition to key metrics for Amazon EKS, you can also view details for AWS Fargate tasks to understand the state and performance of containers in a serverless environment. Your applications running in containers on AWS are in the end what matter most. Ensuring the health of the services that support your applications is key to maintaining expected service levels.
Here, a number of useful metrics are available to help. Sysdig provides deep insights into resource utilization and in addition taps into Prometheus metrics to give you views into your cloud-native apps. Prometheus monitoring has become the de facto cloud-native approach for emitting and collecting meaningful metrics with Kubernetes. Sysdig Monitor is fully compatible with Prometheus. What this means is that not only are Prometheus metrics collected and available to help you monitor your AWS container services, but Sysdig also supports using PromQL, the Prometheus Query Language. PromQL enables you to create custom metric queries to calculate, dashboard, and alert on application and service metrics based on Prometheus. Sysdig connects with CloudWatch and the Prometheus Exporter for CloudWatch to collect metrics for AWS services, so you have visibility into all of the solutions that are key to your deployed applications. Cloud teams can monitor a wide range of AWS services including RDS, ALB, ELB, Lambda and S3. Let's look at an example of monitoring an app service. You can open a dashboard for RDS and get an understanding of the performance of the database serving your app. Here you can see key details of connections and resource usage across CPU, network and disk. These kinds of details are useful for understanding the activity and performance of RDS, but also to help you know where you may need to make adjustments to the service and its allocated resources to deliver the best performance. One of the ways Sysdig helps you quickly identify issues is not just by providing metric views, but by also correlating events with metrics. Each of these markers above the metric graphs represents an event or group of events happening during this timeframe. This adds critical event context to your metric views. For example, you may see a metric spike and immediately see something like a container died event or perhaps that a new deploy just took place.
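The PromQL workflow described in the two paragraphs above, as an added example that is not from the video: Prometheus alerting rules for the pod restart count and the golden signals (errors, saturation) scoped to the voting app namespace mentioned earlier. The metric names assume kube-state-metrics (`kube_pod_container_*`), cAdvisor (`container_cpu_usage_seconds_total`) and a service exposing `http_requests_total` with a `status` label; the thresholds and rule names are my own choices.

```yaml
# Added example (not from the video): Prometheus rules file, loadable via
# rule_files in prometheus.yml or in any PromQL-compatible alerting backend.
groups:
  - name: voting-app-golden-signals
    rules:
      # Availability: a pod that keeps restarting is crash-looping or being OOM-killed.
      - alert: PodRestartingFrequently
        expr: increase(kube_pod_container_status_restarts_total{namespace="voting-app"}[15m]) > 3
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.pod }} restarted more than 3 times in 15m"

      # Errors: share of 5xx responses per pod over the last 5 minutes.
      - alert: HighHttpErrorRate
        expr: |
          sum by (namespace, pod) (rate(http_requests_total{namespace="voting-app", status=~"5.."}[5m]))
            /
          sum by (namespace, pod) (rate(http_requests_total{namespace="voting-app"}[5m]))
            > 0.05
        for: 10m
        labels:
          severity: critical
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.pod }} is returning more than 5% 5xx responses"

      # Saturation: CPU usage approaching the container's configured limit,
      # which is what the CPU issue surfaced in the namespace view points at.
      - alert: CpuNearLimit
        expr: |
          sum by (namespace, pod) (rate(container_cpu_usage_seconds_total{namespace="voting-app", container!=""}[5m]))
            /
          sum by (namespace, pod) (kube_pod_container_resource_limits{namespace="voting-app", resource="cpu"})
            > 0.9
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.pod }} is using over 90% of its CPU limit"
```

Pods without a CPU limit divide by zero in the third rule and produce no series, so they are silently excluded; add a separate rule on `kube_pod_container_resource_limits` being absent if you want to catch unbounded workloads.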
By observing these two key pieces of information together, you can arrive at the when, where and what much more quickly than by looking at metrics alone. If you're adopting a DevOps approach to application delivery and using Kubernetes and containers on AWS to accelerate innovation, you can't compromise on security, compliance, performance and availability. You'll need to address a new set of complexities to make sure you don't slow down development. With the right tools, you can efficiently manage security risk and keep applications running smoothly. The five key workflows we discussed in this video enable you to manage the most critical security and availability requirements in your AWS container environment. As an AWS Advanced Technology Partner, Sysdig works with Amazon to deliver integrated services that embed security, compliance and monitoring into your DevOps workflows. Our focus is to help you ship cloud applications faster and get results quickly. Thank you for watching.