All right, wonderful. So just a quick glimpse on what we're going to talk about. It's going to be about our open source, KubeArmor, which we recently completed the FDR, the functional technical review with AWS Marketplace. So we had to adhere to their compliance frameworks and we had to adhere to the security benchmarks, and hence, after completing the entire evaluation, our open source project got listed on the Marketplace. So Chirag played a key role. Chirag represents AccuKnox as part of a solution engineer. He played a really key role in terms of managing the entire checklist tick marks in terms of FDR, and he'll be explaining about what is KubeArmor, number one, and swiftly we'll delve into how KubeArmor can be consumed from the AWS Marketplace. So Chirag, the floor is yours. Please take it forward.

Yeah. Thank you, Sayed, for passing the baton. Let me just share my screen and let me know once it is visible, right?

It is. It is.

Okay, great. Okay, so as Sayed mentioned, we will be talking about how you can consume KubeArmor from AWS Marketplace, since we have our presence there and it would be easier for you to maintain these licenses as well, right? So what I mean by licenses is, you might have multiple products from AWS Marketplace that you are consuming right now, and you want to maintain a list of all these products at a single place, right? So that is why it will be essential for you to use KubeArmor through the Marketplace itself. So you have those things mentioned at a single place, right? So that would be our topic.

About myself. So I am Chirag Goyal. I work as a solution engineer, as Sayed mentioned, and my key roles and responsibilities are related to pre-sales and on-boarding customers. I recently completed my Certified Kubernetes Administrator. So I'm CKA certified, as well as I work closely with the core backend team that handles KubeArmor development processes and maintenance processes as well, right?
So I am well aware of the product and I have a fair experience of using KubeArmor on my own as well, right? So that was about me. And yeah, if you have any question along the presentation, you can always send them in chat. As I see the participants are of less number, so I'll be glad to answer your question in real time. So you can just raise your hand and I'll try to answer as well.

So what is KubeArmor? So I think you guys are well aware of KubeArmor, since we had this webinar and all those in your place as well, like in NetApp. So I'll just explain it briefly. So what we do, what KubeArmor does. So it is a runtime security enforcement module. So what it actually does is it enforces security policies, right? And what these security policies can do is they can block, allow or audit certain events. And these events can be related to process executions, file system access, networking events as well. So all these three cases are something that we protect. And if you look at it from the hacker's perspective as well, so these are the three activities they leave traces, right? So what an attacker would want is they would want to access some sensitive files, or they want to execute some virus or ransomware attack through a process, or they would want to do lateral movement within the system to gain a better access to all the events and all those resources, right? So these are the three key events that need to get secured. And that is what KubeArmor is doing through enforcing these policies.

So it is currently a CNCF sandbox project. So this is something that we developed from scratch and donated it to open source CNCF. What we aim to do with KubeArmor is we are aiming to have an extra layer of security that can even protect against zero-day attacks, right? So what are zero-day attacks? These are the attacks that don't have any kind of signature as of yet. They don't have a CVE associated with them.
Therefore, once the attack has happened, only then it can be remediated, right? So once we analyze some anomalous behavior, then we can remediate. So what KubeArmor will do in that sense is it can create a zero trust policy that will allow only the events necessary for your application to run and block everything else, right? So in that sense, your sensitive files or sensitive processes you can create a policy for, and it can be protected right off the bat once the policy is applied. So even if the attacker is in the system, right, they won't be able to access those things. So this is the level of security that KubeArmor can enforce.

So along with these zero trust policies that protect against zero-day attacks, there's also a suite of policies that can harden your workload. So these policies are based on different frameworks, MITRE, MITREFITE or NIST and CIS framework, and once you have applied these policies, you can be ensured that you are compliant with these security frameworks as well. So these would be the hardening policies that will further harden your workload and provide an extra layer of assurance that you are compliant with these security frameworks. So that would be what KubeArmor does as a whole.

How it does it is, in the back end, it is using eBPF and Linux security modules to enforce these policies in an inline mitigated fashion. So inline mitigation is another key factor for runtime security. It has been talked about in various guides from NSA to Gartner, but there wasn't any real solution that can enforce it, right, without hampering any kind of workload or without any performance issues. So we, KubeArmor is actually tackling that through Linux security modules, right. So they place a hook on each and every kernel object and identify the kernel calls, and if they are found not compliant, they will be blocked then and there, and it will ensure that no event actually happens without the consent of those KubeArmor policies, right.
So in other cases what happens is, in the post-attack mitigation case, the attacks happen, there is some abnormal behavior, some malicious behavior that gets detected by the tool, and then it will either alert the user or try to kill that process. But in the case of KubeArmor, it is inline mitigated, so those events never actually happen, right. So that is the key factor.

And what KubeArmor can secure through this technology is cloud containers, that would be the containerized workload in Kubernetes, ECS, EC2 instances, or it could be any on-prem workload as well. So on-prem in the sense any general workload that is deployed as a process, and you can even secure your host as part of the hardening policies and zero trust policies. So these are all the cases that we can secure. We are building towards IoT Edge and 5G networks. So you can go to 5gseq.com to understand about 5G networks, how we are securing that, and IoT Edge is also something that we are looking into. Since all these places, we have a single control plane that can handle the processing and the networking and the file accesses. That's why KubeArmor is capable of getting into those control planes, identifying the actual workload and protecting it through these security policies. So that is the basic idea behind it and that is how it is providing the runtime security.

So coming back to the agenda, so the agenda of this call is to install KubeArmor through AWS Marketplace. So for doing that, we would require some prerequisites to do, and the first and foremost prerequisite is to have an AWS Cloud account. So your subscription of KubeArmor will be associated with this cloud account, and through the AWS Marketplace only, you can register it, and you would need to create an IAM role for the service account of this product. So for KubeArmor, you would create a service account and that will actually require an IAM access.
So the IAM service should be registered with your cloud account, and the third is either you can have an EKS cluster or you can have any managed or unmanaged Kubernetes cluster from any other service, that could be K3s, created by K3s or kubeadm, or unmanaged service like AKS or GKE. So all these Kubernetes clusters you can use to install KubeArmor.

And along with these prerequisites, we'll be using these tools and binaries to help us facilitate the installation. So AWS CLI is something that I will use to configure the EKS to use in my local system. So through AWS CLI, I'll be connecting to the EKS cluster, and through the kubectl command line, I'll be able to access the pods and run operations for using the Kubernetes environment. So the EKS cluster I'll be using through the kubectl command line, and Helm is something that we'll be using for installation of the KubeArmor binaries. Helm actually helps us to create a single package for different versions of KubeArmor and maintain different packages. So that will allow us to have a consistent deployment of KubeArmor and also allow us to manage the versions as well. So Helm is the best option for any kind of installation in a Kubernetes environment. And we'll be using EKS library to create a service account for our KubeArmor deployment so that it can actually download the containers from the given OCI registry or the container registry that we use. So these are all the tools and binaries that I'll be using and showcasing in the demo.

Right, so on ahead with the subscription installation process. So it will be looking like this. I'll be going to the AWS Marketplace. I'll be searching for KubeArmor and from scratch I'll be installing KubeArmor into my EKS cluster. So let's get to the actual demonstration and I'll be showing that. So let me just share my entire screen so you are able to see my console and all those things. So let's get on to the demo. So you can go to the AWS Marketplace. You can directly search for KubeArmor.
So we have KubeArmor listed on Marketplace as such, and we allow different kinds of installations to take place. What we will be focusing on is the latest version of KubeArmor on our EKS cluster. So that would be our AWS managed cluster that we'll be using. So once you have done the subscription, you can click on the configuration button that will let you choose what kind of fulfillment you want. Either you can have container-based fulfillment. What it means is the different containers for KubeArmor will be installed separately. But since we have a better option, that is Helm chart, where all the containers are packaged in one command, in one single rule, so that it is easier for you to install. So this is the purpose of this fulfillment option and you make your life easier only. So you'll be using Helm chart. And after selecting your software version, so by default it will be selected to the latest one. If you are comfortable with an older version you can select that, but it is best practice to select the latest only. And you can click on continue to launch. Now this will take you to the commands that are actually needed for the installation.

So here I'll be switching to the console, and what I have in the console is I have created my EKS cluster for Kubernetes version 1.27. You can have it created for 1.28, 1.26. So all these Kubernetes versions we do support. And I'm accessing this cluster through my WSL command line. So here you can see this is the WSL command line that I'm using. And through this command, AWS EKS update config, I have the kubeconfig configured and I can directly run kubectl commands to access the cluster. So let me just do that. These are the default pods that are configured by AWS themselves so that we have all the Kubernetes related services pre-configured and we can directly use them. So along with this we will be installing KubeArmor. So we'll be just following the instructions that are present here to do that.
So the first thing we need to do is create a namespace where the KubeArmor binaries or KubeArmor pods will be deployed. So let's do that. So I'll be using the kubearmor namespace only to install it. You can give your own customized namespace as well.

And the second step is to create an IAM service account. So if you closely watch here, all these fields are customizable. You can give your service account any name, and you need to provide the namespace that you just created, the cluster name. So what is the cluster name that you're currently using? So this service account will be associated with this cluster. So eksctl is a library from AWS only and it allows you to create a service account across your cluster. So that is what it will do, and it will assume the role that you have mentioned here. So it will assume the cluster role that will provide. So this role ARN, you can fetch it from here, cluster IAM, cluster IAM role ARN, and it will assume the cluster role, and approving and overriding existing service account, that allows us to, if there is some service account already created with the same name, we can override it with these configurations.

So I have created a customized command for this so that the flow is easier. So this is the service account name I will be providing, the kubearmor namespace I'll be using, and the name of my cluster is kubearmor webinar. So you can also go back and see here that kubearmor webinar is the cluster name that I'll be using and this is the role attached to that cluster, and now I'll just copy this command and paste it in my CLI and it will create, it should create a service account. So what we need is IAM OIDC enabled for creating this account. So this is the library that it is internally using, and this is something that we need to associate, and they provide the command in the warning message as well. So we can just go ahead and copy this and we will approve this command and it will enable the IAM OIDC provider.
So once this is created, I can again give my service account creation command and it will create that service account. So again, this service account is required to fetch the container images for our KubeArmor deployments. So until and unless this is created, your pods will always be in CrashLoopBackOff or image pull error state.

So once the service account is created, we can go ahead and configure our registry. So we'll be fetching the container images from our OCI registry in ECR. So now we can go ahead and configure our login password for the ECR registry. So this would be the command. I'll just copy and paste. So most of the things you can just follow the on-screen instructions and it is fairly easy to install. Login succeeded, that is the status message we required, and now we'll create a directory to make our lives easier again. So the chart we fetch, the library container images we'll fetch, will be present in this chart, and the next command will pull the actual Helm repository and place it in this directory. So this will clear any kind of temporary files that were pulled from this particular command. So just give that for clean installation, and finally we need to give this command to install KubeArmor from the Helm repository into the particular namespace that we provide. So what this is doing is, since we are in the AWS MP chart, it is parsing through all the files that are present here and Helm will handle the installation of that package. So we'll just need to wait this out and it will install.

So the installation is done and now we can go ahead and see the status of the pods in the kubearmor namespace. So kubectl get pods -n kubearmor. So the main pod, the DaemonSet pod, is in init state, so it will install in a while, right. So this will give you a brief idea about how the flow will look and what are all the resources that need to be configured for installing KubeArmor through AWS Marketplace.
Again, what it allows you to do is it will associate the license from the AWS Marketplace to your particular installation so that you can manage and use that license in future on any purpose or case. So this is the basic idea here.

Going back to the presentation, so this would be the right time to answer any kind of question that you may have. So did any questions come in the chat? I don't think so. Are there any questions from any of the participants right now?

Okay, so these are some of the questions that are asked frequently, like why use Helm chart to install KubeArmor. So if you have already used KubeArmor in the past, you might know that we have used the k8s manifest file to install KubeArmor previously, and why are we moving towards Helm chart now? So in most cases the karmor CLI is an add-on to what the user wants, what you might want, and we are trying to eliminate that particular dependency so that you can just install the KubeArmor related pods using Helm chart, right. So it will package the current version of KubeArmor into one file and it will allow you to manage those things by editing, deleting or updating through the Helm chart, Helm library alone, right. So this becomes an easier way for you to manage the KubeArmor versions and KubeArmor entirely, right. So this is why we are going towards Helm chart.

And why choose KubeArmor security for Amazon managed Kubernetes service, right. So KubeArmor is a great tool for security. First of all, it allows you to monitor all the events that are happening at the runtime in your environment, and it allows you to enforce security policy that will do inline mitigation of the attacks or violation of these policies, right. So both of these features require a heavy toll on the performance if you go with any other tool, but KubeArmor does it in a very lightweight fashion since it is using eBPF and LSM technologies to do that, and this is exactly why the KubeArmor tool is differentiated in the open source and market as well.
Why specifically Amazon managed Kubernetes here? So we showcase this because if you are an AWS user and you are comfortable with using EKS and you want to manage different licenses of different products that you are currently using at a single place, you can go ahead and subscribe to KubeArmor from Marketplace itself, and you will be able to manage the release and all those things through a single button and a very simple flow of installation and upgradation as well, right. So that is why we recommend, if you are using EKS or ECS or Fargate, you can go ahead and subscribe to KubeArmor from Marketplace and use from there.

And what could be a real world use case for KubeArmor, so how can it actually enhance the security? So as I said, KubeArmor is meant to protect against even zero-day attacks. So let's say Log4j happened, right. So nobody knew what kind of vulnerability it exploited, and the sensitive files and all those things were exfiltrated and basically the damage was done in the system, right. So what KubeArmor will do in that sense, it can protect those sensitive files, those crown jewels that you have in your environment, and you don't have to care about anyone getting into the system. So it works in a zero trust fashion, so even if the attacker is in the system, or an unknown person is in the system, and they want to get these crown jewels and sensitive files, KubeArmor will actually deny them the access, since we'll be creating a policy for those files to be accessed by certain processes only, right. So that is what KubeArmor is capable of, and this would be a real world use case to be there for any other log file or log 6j, right. So yeah, that would be all the questions.

So I think we have one question in chat. So does KubeArmor support EKS optimized AMI? Yes, yes, KubeArmor supports that, and how it would be installed there is by container images only, so it may not be a Helm chart right now for EKS optimized AMI, but we can do the installation. Can we push KubeArmor, so yes, we can do
that. So the integration is completely possible through our relay server, and we can configure it to push it to CloudWatch or Splunk and rsyslog as well. So these integrations are present in our GitHub repository as well, so you can go to the KubeArmor GitHub and see all the integrations and how you can do that. All right, so any other question or any follow-up question for these? Abhishek, thanks for asking.

Right, so it's been about 30 minutes, right. It was a superb demonstration, Siddharth, thank you so much, and just about one or two minutes more for any further questions. By the way, these are the two pertinent links. The first link says install KubeArmor from the AWS Marketplace, where we are actually accepted and listed, and otherwise we have a detailed submissive document available so that you can actually follow that as well for your organizational purpose. So we have a very, very less crowd, so Ram, Ajit, Kadam, Abhishek, please feel free to ask any query you might be having.

So apart from open source vatals extra, the software here is just that this is managed, or what other things are available apart from open source?

Okay, apart from open source, Ram?

No, no, what additional things are being offered?

Okay, so, um, like why don't you explain from the kubearmor.io page itself, like, or maybe from the GitHub page, just pull the page up and let's walk Ram through the entire KubeArmor offerings.

Yeah, definitely. So like, I'm trying to understand the question better. So are you asking, like, apart from the KubeArmor open source GitHub, is there some extra feature that we are providing through AWS Marketplace? Is that your question?

Yeah, your subscription is right on our house.

Okay, so the subscription is completely free of cost, so even if you don't have any kind of payment method enabled in your cloud account, then also you can subscribe to KubeArmor. So it is just there to enable you to have a better way of managing that tool, right. So if you are using EKS or a managed cloud service or EKS Anywhere, so
in that sense you can use AWS Marketplace to install KubeArmor and maintain the versions and the license of KubeArmor as well. So that is no doubt open source, KubeArmor is open source only, and we are providing all the free open source features for KubeArmor through AWS Marketplace.

Yeah, okay, thank you.

Thank you so much everyone for joining in, spending time late in the evening post working hours. It was really nice to have you all and we look forward to doing this on a regular basis, then we'll keep you all posted. Thank you, thank you Ram, Ajit, Kadam, Uddat, Ashok and everyone.

Yeah, thank you Chirag.

Yeah, thank you so much for joining and really appreciate your attendance in this webinar. Thank you.