Run CIS Scans on EKS AMIs

[nickumia-reisys]

Purpose

We want to scan our EC2 nodes against CIS metrics, but we're not sure how to do that.

Given the above question, conducting investigation/prototyping is needed to provide factual knowledge on future steps.

2 Days of effort has been allocated and once compete, findings will be demonstrated and specific future actions will be decided.

Acceptance Criteria

[ACs should be clearly demo-able/verifiable whenever possible. Try specifying them using BDD.]

• GIVEN a solution has been found to run CIS scans
  WHEN 2 Days expires
  THEN A proof-of-concept for how to run the CIS scans is demonstrated
  AND A path exists for adding that into the datagov-brokerpak-eks repo

Background

Discussion surrounding #3668 (comment)

Sketch

• Investigate new ways of running scans in SSM
• Cross-reference research with current SSM config in datagov-brokerpak-eks
• Implement/Test scan procedure

[hkdctol]

@nickumia-reisys will put in more context

[nickumia-reisys]

I am currently investigating if AWS Fargate will accomplish everything we need. If this is successful, we don't technically need to support managed nodes (and, by extension, the GSA ISE AMI). However, which path to take will depend on the decision of the team and the integration with other GSA Teams. The GSA ISE AMI provides centralized security tooling, which would be an overall win (assuming no performance issues with using the AMI).

See the following PR for details on Fargate support

• 🧟 Revive the Dead GSA-TTS/datagov-brokerpak-eks#112

[hkdctol]

@btylerburton will handle categorizing these