Certificate management

For an overview of the Istio certificate options that you can configure, see the Istio CA overview. You can then follow Bring your own Istio CAs with AWS to issue Istio intermediate CA certificates for your workload clusters by using AWS Private Certificate Authority (CA) and cert-manager, or follow the community Istio docs to self-generate certificates for demo purposes only.

Authentication

By default, Istio uses mutual TLS (mTLS) to secure communication between workloads in the service mesh. You can further configure the mTLS settings in your service mesh by creating authentication policies, such as enabling strict mTLS mode for all connections throughout the mesh or only for connections to and from individual workloads. Additionally, you can use authentication policies to allow requests only from authenticated end users that supply a valid token.

For more information about authentication in Istio, see the overview in the security concept. To get started, see the authentication guides.

Authorization

Configure access control for workloads in your mesh at the mesh, namespace, or workload level with Istio authorization policies. You can configure access control for end users and other workloads on HTTP or TCP traffic, require JWTs, integrate external authorization providers, and more by following the Istio authorization guides.
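The policies described in the Authentication and Authorization sections above, as an added example (not from this page or the Istio docs): mesh-wide strict mTLS, JWT validation for one workload, and an authorization policy that turns validation into a requirement. The httpbin workload, the namespaces, and the issuer and JWKS URLs are assumed.

```yaml
# Mesh-wide default: require mTLS for every workload-to-workload connection.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # the root namespace makes this policy mesh-wide
spec:
  mtls:
    mode: STRICT
---
# End-user authentication for the httpbin workload (assumed deployment):
# reject requests that present a JWT not signed by the trusted issuer.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"                        # assumed issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # assumed JWKS URL
---
# RequestAuthentication alone still admits requests with *no* token. This ALLOW
# policy closes the gap: only requests carrying a valid JWT from the issuer pass;
# once any ALLOW policy applies to a workload, everything it does not match is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://issuer.example.com/*"]
    to:
    - operation:
        methods: ["GET"]
```

Apply all three with `kubectl apply -f`; a request to httpbin without an Authorization header then receives 403 from the sidecar, while one with a token from another issuer receives 401.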