2.1.1  Enable audit logs (Automated)
3.1.1  Set the kubeconfig file permissions to 644 or more restrictive (Automated)
3.1.2  Set the kubelet kubeconfig file ownership to root:root (Automated)
3.1.3  Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)
3.1.4  Set the kubelet configuration file ownership to root:root (Automated)
3.2.1  Set the --anonymous-auth argument to false (Automated)
3.2.2  Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
3.2.3  Set the --client-ca-file argument as appropriate (Automated)
3.2.4  Secure the --read-only-port (Automated)
3.2.5  Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)
3.2.6  Set the --protect-kernel-defaults argument to true (Automated)
3.2.7  Set the --make-iptables-util-chains argument to true (Automated)
3.2.8  Ensure that the --hostname-override argument is not set (Automated)
3.2.9  Set the --eventRecordQPS argument to 0 or a level which ensures appropriate event capture (Manual)
3.2.10  Ensure that the --rotate-certificates argument is not set to false (Automated)
3.2.11  Set the RotateKubeletServerCertificate argument to true (Automated)
3.3.1  Prefer using Container-Optimized OS when possible (Manual)
4.1.1  Ensure that the cluster-admin role is only used where required (Automated)
4.1.2  This rule also encompasses lacework-global-662. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.3  This rule also encompasses lacework-global-663. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.4  This rule also encompasses lacework-global-664. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.5  This rule also encompasses lacework-global-665 and lacework-global-666. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.6  Ensure that Service Account Tokens are only mounted where necessary (Automated)
4.2.1  Minimize the execution of privileged container workloads (Automated)
4.2.2  Minimize the execution of container workloads sharing the host process ID namespace (Automated)
4.2.3  Minimize the execution of container workloads sharing the host Inter-Process Communication (IPC) namespace (Automated)
4.2.4  Minimize the execution of container workloads sharing the host network namespace (Automated)
4.2.5  Minimize the execution of container workloads that can escalate their privileges beyond those of their parent process (Automated)
4.2.6  Minimize the execution of container workloads running as the root user (Automated)
4.2.7  Minimize the execution of container workloads with the NET_RAW capability (Automated)
4.2.8  Minimize the execution of container workloads with added capabilities (Automated)
4.2.9  Minimize the admission of containers with capabilities assigned (Manual)
4.3.1  Use the latest Container Network Interface (CNI) version (Manual)
4.3.2  Ensure that all Namespaces have Network Policies defined (Manual)
4.4.1  Prefer using secrets as files over secrets as environment variables (Manual)
4.4.2  Consider external secret storage (Manual)
4.6.1  Create administrative boundaries between resources using namespaces (Manual)
4.6.2  Apply Security Context to your Pods and Containers (Manual)
4.6.3  Do not use the default namespace (Manual)
5.1.1  Ensure Image Vulnerability Scanning using Amazon Elastic Container Registry (ECR) image scanning or a third-party provider (Manual)
5.1.2  Minimize user access to Amazon Elastic Container Registry (ECR) (Manual)
5.1.3  Minimize cluster access to read-only for Amazon Elastic Container Registry (ECR) (Manual)
5.1.4  Minimize Container Registries to only those approved (Automated)
5.2.1  Prefer using managed identities for workloads (Manual)
5.3.1  Encrypt Kubernetes Secrets using Customer Managed Keys (CMKs) managed in AWS Key Management Service (KMS) (Automated)
5.4.1  Restrict Access to the Control Plane Endpoint (Automated)
5.4.2  Create clusters with Private Endpoint Enabled and Public Access Disabled (Automated)
5.4.3  Create clusters with Private Nodes (Manual)
5.4.4  Enable Network Policy and set as appropriate (Manual)
5.4.5  Encrypt traffic to HTTPS load balancers with Transport Layer Security (TLS) certificates (Manual)
5.5.1  Manage Kubernetes Role-Based Access Control (RBAC) users with AWS Identity and Access Management (IAM) Authenticator for Kubernetes (Manual)
5.6.1  Consider Fargate for running untrusted workloads (Manual)