lacework-global-371

Elastic Kubernetes Service (EKS) cluster endpoints should not be publicly accessible (Automated)

Description

This policy checks whether an Amazon EKS cluster endpoint is publicly accessible and fails if an EKS cluster has an endpoint that is publicly accessible.

When creating a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server for communication with the cluster. By default, this API server endpoint is publicly available to the internet. A combination of AWS Identity and Access Management (IAM) and native Kubernetes Role-Based Access Control (RBAC) secures access to the API server. Avoid unintentional exposure and access to the cluster by removing public access to the endpoint.

Remediation

From the AWS console:

To block all public access:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Kubernetes Service.
  4. Click the name of the cluster to update.
  5. Click the Networking tab.
  6. Click the Manage endpoint access button.
  7. Under Cluster endpoint access, select the Private radio button.
  8. Click Save changes.

Otherwise, if public access is required, restrict it to a single Classless Inter-Domain Routing (CIDR) block or a limited list of them:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Kubernetes Service.
  4. Click the name of the cluster to update.
  5. Click the Networking tab.
  6. Click the Manage endpoint access button.
  7. Under Cluster endpoint access, select either the Public or Public and private radio button.
  8. Expand the Advanced settings.
  9. Provide a single CIDR block or a list of CIDR blocks that should have access, ensuring that the default 0.0.0.0/0 is not left in place.
  10. Click Save changes.

From CLI:

To block all public access, set the parameter endpointPublicAccess to false:

aws eks update-cluster-config --region <region> --name <cluster_name> --resources-vpc-config endpointPublicAccess=false

Otherwise, if public access is required, restrict it to a single CIDR block or a limited list of CIDR blocks, for example:

aws eks update-cluster-config --region <region> --name <cluster_name> --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32",endpointPrivateAccess=true
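The check described above and the two CLI remediations, as an added example that is not Lacework's or AWS's own code. It evaluates the JSON shape returned by `aws eks describe-cluster` without calling AWS: the three clusters below are constructed for the example, the region value is a placeholder, and comma-joining several CIDRs inside the quotes for multiple allowed blocks is assumed to follow the AWS CLI shorthand list syntax (the page shows a single CIDR).

```python
"""Evaluate EKS API endpoint exposure as lacework-global-371 describes it."""
from typing import Any, Dict, List, Optional

# Constructed sample responses: field names follow `aws eks describe-cluster`,
# cluster names and values are made up for this example.
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {"name": "private-only",
     "resourcesVpcConfig": {"endpointPublicAccess": False,
                            "endpointPrivateAccess": True,
                            "publicAccessCidrs": ["0.0.0.0/0"]}},
    {"name": "open-to-internet",
     "resourcesVpcConfig": {"endpointPublicAccess": True,
                            "endpointPrivateAccess": False,
                            "publicAccessCidrs": ["0.0.0.0/0"]}},
    {"name": "public-restricted",
     "resourcesVpcConfig": {"endpointPublicAccess": True,
                            "endpointPrivateAccess": True,
                            "publicAccessCidrs": ["203.0.113.5/32"]}},
]

# CIDRs that mean "any source address" and therefore no restriction at all.
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def evaluate_cluster(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """Return PASS when the endpoint is private, FAIL when it is public.

    The policy fails on any public endpoint; the reason string additionally
    distinguishes an endpoint open to 0.0.0.0/0 from one limited to a CIDR
    list, because the former is the more urgent finding.
    """
    cfg = cluster.get("resourcesVpcConfig", {})
    # EKS creates clusters with a public endpoint by default, so a missing
    # field is treated as public rather than as safe.
    public = bool(cfg.get("endpointPublicAccess", True))
    cidrs = list(cfg.get("publicAccessCidrs", ["0.0.0.0/0"]))
    if not public:
        return {"name": cluster["name"], "status": "PASS",
                "reason": "API server endpoint is private"}
    open_to_internet = bool(ANY_ADDRESS & set(cidrs))
    if open_to_internet:
        reason = "API server endpoint is public and open to the whole internet"
    else:
        reason = "API server endpoint is public, limited to " + ", ".join(cidrs)
    return {"name": cluster["name"], "status": "FAIL", "reason": reason,
            "open_to_internet": open_to_internet}


def remediation_command(cluster_name: str, region: str,
                        allowed_cidrs: Optional[List[str]] = None) -> str:
    """Build the update-cluster-config command from the Remediation section.

    With no CIDR list the endpoint is made private; with one, public access is
    kept but restricted and private access is enabled alongside it. Joining
    several CIDRs with commas inside the quotes is assumed AWS CLI shorthand.
    """
    base = (f"aws eks update-cluster-config --region {region} "
            f"--name {cluster_name} --resources-vpc-config ")
    if not allowed_cidrs:
        return base + "endpointPublicAccess=false"
    if ANY_ADDRESS & set(allowed_cidrs):
        raise ValueError("allow list must not contain 0.0.0.0/0 or ::/0")
    return base + ('endpointPublicAccess=true,publicAccessCidrs="'
                   + ",".join(allowed_cidrs) + '",endpointPrivateAccess=true')


def run_policy(clusters: List[Dict[str, Any]],
               region: str = "<region>") -> List[Dict[str, Any]]:
    """Evaluate every cluster; failures get the block-all-public fix attached."""
    findings = []
    for cluster in clusters:
        result = evaluate_cluster(cluster)
        if result["status"] == "FAIL":
            result["remediation"] = remediation_command(cluster["name"], region)
        findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in run_policy(SAMPLE_CLUSTERS, region="us-east-1"):
        print(f"{finding['status']:4} {finding['name']}: {finding['reason']}")
        if "remediation" in finding:
            print("     fix:", finding["remediation"])
```

Feeding the real output of `aws eks describe-cluster --name <cluster_name> --query cluster` into `evaluate_cluster` gives the same verdict the policy would; the restricted-CIDR cluster still fails, matching the description, but its finding can be triaged with lower urgency than one that is open to 0.0.0.0/0.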

References

https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-1
https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html#modify-endpoint-access
https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html