Skip to main content

CIS Amazon Elastic Kubernetes Service (EKS) 1.1.0 Benchmark

Lacework provides compliance policies based on CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 (or CIS Amazon EKS 1.1.0 Benchmark for short).

Once you have integrated your Amazon EKS environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.

Visibility and Usage in the Lacework Console

You can use the CIS Amazon EKS 1.1.0 Benchmark in the following ways:

Prerequisites

Ensure you have integrated your Amazon EKS environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Amazon 1.1.0 Benchmark:

CIS Amazon EKS 1.1.0 Benchmark Policies

All policies in the CIS Amazon EKS 1.1.0 Benchmark are enabled by default.

You can enable or disable them using one of the following methods outlined in this section.

Enable or Disable Policies through the Lacework Console

On the Policies page, use the framework:cis-eks-1-1-0 tag to filter for CIS Amazon EKS 1.1.0 policies only.

You can enable or disable each one using the status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.

Bulk Enable or Disable CIS Amazon EKS 1.1.0 Policies through the Lacework CLI

tip

If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.

Enable or disable all the CIS Amazon EKS 1.1.0 policies using the following commands in the Lacework CLI:

Enable all policies
lacework policy enable --tag framework:cis-eks-1-1-0
Disable all policies
lacework policy disable --tag framework:cis-eks-1-1-0

Enable or disable specific CIS Amazon EKS 1.1.0 policies using the following command examples in the Lacework CLI:

Enable lacework-global-320
lacework policy enable lacework-global-320
Disable lacework-global-320
lacework policy disable lacework-global-320

Policy Mapping for CIS Amazon EKS 1.1.0

The CIS Amazon EKS 1.1.0 controls are mapped to Lacework global policies, as listed in the following tables.

Table key:

  • Control ID - The CIS Amazon EKS 1.1.0 Benchmark security control identifier.
  • Title - The policy/recommendation title.
  • Lacework Policy ID - The Lacework policy identifier.
  • CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
  • Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
  • Severity - The severity of the policy (as determined by Lacework).
Control IDTitleLacework Policy IDCIS AssessmentLacework AssessmentSeverity
2.1.1Enable audit Logslacework-global-315ManualAutomatedMedium

Automated vs Manual Policies

Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.

For some benchmark recommendations, it is not possible to automate the policy checks in an AWS environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).

Automated Policies (that were deemed manual)

In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.

The following table outlines the CIS Amazon EKS 1.1.0 Benchmark policies that fall within this category:

Click to expand
Control IDLacework Policy ID(s)Title
2.1.1lacework-global-315Enable audit Logs
3.1.1lacework-global-316Ensure that the kubeconfig file permissions are set to 644 or more restrictive
3.1.2lacework-global-317Ensure that the kubelet kubeconfig file ownership is set to root:root
3.1.3lacework-global-318Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
3.1.4lacework-global-319Ensure that the kubelet configuration file ownership is set to root:root
3.2.3lacework-global-322Ensure that the --client-ca-file argument is set as appropriate
3.2.4lacework-global-323Ensure that the --read-only-port is secured
3.2.5lacework-global-324Ensure that the --streaming-connection-idle-timeout argument is not set to 0
3.2.8lacework-global-327Ensure that the --hostname-override argument is not set
3.2.10lacework-global-329Ensure that the --rotate-certificates argument is not set to false
3.2.11lacework-global-330Ensure that the RotateKubeletServerCertificate argument is set to true
4.1.1lacework-global-331Ensure that the cluster-admin role is only used where required
4.1.2lacework-global-332
lacework-global-662
Minimize access to secrets
4.1.3lacework-global-333
lacework-global-663
Minimize wildcard use in Roles and ClusterRoles
4.1.4lacework-global-334
lacework-global-664
Minimize access to create pods
4.1.5lacework-global-335
lacework-global-665
lacework-global-666
Ensure that default service accounts are not actively used
4.1.6lacework-global-336Ensure that Service Account Tokens are only mounted where necessary
4.2.8lacework-global-655Minimize the admission of containers with added capabilities
4.6.3lacework-global-352The default namespace should not be used
5.1.4lacework-global-356Minimize Container Registries to only those approved
5.3.1lacework-global-358Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS
5.4.1lacework-global-359Restrict Access to the Control Plane Endpoint
5.4.2lacework-global-360Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

Manual Policies (that were deemed automated)

In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.

This is often due to one of the following reasons:

  • Scope is defined by the user.
  • It requires configuring other products or API permissions that are out of scope.
  • Known issues for audit procedure described by the CIS control.

The following table outlines the CIS Amazon EKS 1.1.0 Benchmark policies that fall within this category:

Click to expand
Control IDLacework Policy IDTitle
3.2.9lacework-global-328Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture

Adjusted Controls

4.1.2 Minimize access to secrets

This control has been split into two different policies to monitor ClusterRoleBindings and RoleBindings separately.

The table below outlines each control and their new title:

Click to expand
Control IDLacework Policy IDTitle
4.1.2lacework-global-332Minimize access to secrets in ClusterRoleBindings.
4.1.2lacework-global-662Minimize access to secrets in RoleBindings.
note

The policy catalog only retains one entry for this control, which is lacework-global-332.

4.1.3 Minimize wildcard use in Roles and ClusterRoles

This control has been split into two different policies to monitor ClusterRoles and Roles separately.

The table below outlines each control and their new title:

Click to expand
Control IDLacework Policy IDTitle
4.1.3lacework-global-333Minimize wildcard use in ClusterRoles.
4.1.3lacework-global-663Minimize wildcard use in Roles.
note

The policy catalog only retains one entry for this control, which is lacework-global-333.

4.1.4 Minimize access to create pods

This control has been split into two different policies to monitor ClusterRoles and Roles separately.

The table below outlines each control and their new title:

Click to expand
Control IDLacework Policy IDTitle
4.1.4lacework-global-334Minimize access to create pods in ClusterRoles.
4.1.4lacework-global-664Minimize access to create pods in Roles.
note

The policy catalog only retains one entry for this control, which is lacework-global-334.

4.1.5 Ensure that default service accounts are not actively used

This control has been split into three different policies to monitor the following separately:

  1. Default service accounts in ClusterRoles.
  2. Default service accounts in Roles.
  3. Kubernetes API access tokens mounted on default service accounts.

The table below outlines each control and their new title:

Click to expand
Control IDLacework Policy IDTitle
4.1.5lacework-global-335Ensure that default service accounts are not actively used in ClusterRoles.
4.1.5lacework-global-665Ensure that default service accounts are not actively used in Roles.
4.1.5lacework-global-666Ensure that default service accounts are not automatically mounting their Kubernetes API access token.
note

The policy catalog only retains one entry for this control, which is lacework-global-335.

4.2.1 - 4.2.8 Pod Security Policies

The original CIS Amazon EKS 1.1.0 policies for Pod Security are now deprecated. To help provide effective coverage, Lacework has designed supplementary policies for the detection and remediation of pods that have been configured insecurely.

The following table lists the CIS policies (that are disabled by default) and the corresponding Lacework supplementary policies for Pod Security:

Click to expand
note

There is no supplementary policy for 4.2.9 as it is a manual control.

Excluded Resources during 4.2.1 - 4.2.8 Policy Assessments

The Lacework Agent and workloads in the kube-system namespace are excluded during these policy assessments.

The Lacework Agent requires privileged access in order to enable monitoring for workload security. The kube-system namespace is used by the Kubernetes system and requires significant permissions to function effectively.