EKS cluster API endpoint should not be publicly accessible
Leaving the public endpoint of your EKS cluster enabled exposes the Kubernetes API server to the internet, where it can be probed and attacked.
Risk Level: Critical
Cloud Entity: EKS Cluster
CloudGuard Rule ID: D9.AWS.NET.71
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
EksCluster should not have resourcesVpcConfig.endpointPublicAccess=true or resourcesVpcConfig.endpointPrivateAccess=false
REMEDIATION
From Portal:
- Log in to the AWS Management Console.
- Open the Amazon EKS service.
- Choose the name of the cluster to display your cluster information.
- Under Networking, click 'Manage networking'.
- For cluster endpoint access, choose 'Private' (disables the public endpoint and enables the private one).
- Save the changes.
From TF:
resource "aws_eks_cluster" "example" {
  name     = "example"
  # Reference the role resource directly (the original quoted string would be passed literally).
  role_arn = aws_iam_role.example.arn

  vpc_config {
    subnet_ids              = ["subnet_id"]  # replace with your private subnet IDs
    endpoint_public_access  = false          # HCL booleans are lowercase
    endpoint_private_access = true           # required so nodes and VPC clients can still reach the API
  }
}
From Command Line:
aws eks update-cluster-config --region region-code --name my-cluster --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
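The GSL logic above can be evaluated offline against the output of `aws eks describe-cluster` (or `describe_cluster` in boto3), which is useful for auditing many clusters before touching any of them. The following is an added example, not CloudGuard's or AWS's code: the `evaluate_cluster`, `audit` and `remediation_command` functions and the `SAMPLE_CLUSTERS` data are constructed here for illustration; the dict shape mirrors the `cluster.resourcesVpcConfig` block returned by `describe-cluster`, and the fallback defaults are an assumption for inputs that omit those keys.

```python
"""Audit EKS clusters for the public/private endpoint rule above.

Added example (not CloudGuard's or AWS's code). Input dicts mirror the
`cluster` object returned by `aws eks describe-cluster`; the sample data at
the bottom is constructed for illustration.
"""
from __future__ import annotations

# AWS defaults for a cluster created without explicit endpoint settings.
# Assumption: used only when a caller passes a trimmed dict missing the keys;
# describe-cluster itself returns both keys explicitly.
DEFAULT_PUBLIC_ACCESS = True
DEFAULT_PRIVATE_ACCESS = False


def evaluate_cluster(cluster: dict) -> list[str]:
    """Return findings for one cluster; an empty list means it passes the rule.

    Mirrors the GSL logic: fail if endpointPublicAccess is true OR
    endpointPrivateAccess is false.
    """
    vpc = cluster.get("resourcesVpcConfig", {})
    public = vpc.get("endpointPublicAccess", DEFAULT_PUBLIC_ACCESS)
    private = vpc.get("endpointPrivateAccess", DEFAULT_PRIVATE_ACCESS)
    cidrs = vpc.get("publicAccessCidrs", [])
    findings: list[str] = []

    if public:
        # Both cases fail the rule, but an endpoint open to 0.0.0.0/0 is the
        # one to fix first; a CIDR allow-list is only a partial mitigation.
        if not cidrs or "0.0.0.0/0" in cidrs:
            findings.append("public endpoint reachable from any IPv4 address")
        else:
            findings.append(
                "public endpoint restricted to " + ",".join(cidrs) + "; still fails rule"
            )
    if not private:
        # Without the private endpoint, nodes and in-VPC clients reach the API
        # via the public endpoint, so disabling public access alone would break them.
        findings.append("private endpoint disabled; enable it before disabling public access")
    return findings


def audit(clusters: list[dict]) -> dict[str, list[str]]:
    """Map cluster name -> findings for every cluster that fails the rule."""
    return {c["name"]: f for c in clusters if (f := evaluate_cluster(c))}


def remediation_command(cluster: dict, region: str) -> str:
    """Build the update-cluster-config call from the page for a failing cluster."""
    return (
        f"aws eks update-cluster-config --region {region} --name {cluster['name']} "
        "--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true"
    )


# Constructed sample responses (trimmed to the fields the rule reads).
SAMPLE_CLUSTERS = [
    {   # compliant: private endpoint only
        "name": "prod-private",
        "resourcesVpcConfig": {
            "endpointPublicAccess": False,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    },
    {   # the AWS default for a new cluster: public only, open to the world
        "name": "dev-default",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    },
    {   # public endpoint with a CIDR allow-list; still a finding under this rule
        "name": "staging-restricted",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["203.0.113.0/24"],
        },
    },
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLUSTERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
        print("  fix:", remediation_command({"name": name}, "us-east-1"))
```

To run it against a real account, replace `SAMPLE_CLUSTERS` with the `cluster` objects from `aws eks list-clusters` followed by `aws eks describe-cluster --name <name>` for each. Apply the fix in the order the findings suggest: enable the private endpoint first, confirm nodes and CI runners can still reach the API from inside the VPC (or over VPN/bastion), then disable public access.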
References:
- https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/update-cluster-config.html
EKS Cluster
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset