EksCluster should not be publicly accessed

Allowing public access to the EKS cluster API endpoint leaves your assets exposed to attacks from the internet.

Risk Level: Critical
Cloud Entity: EKS Cluster
CloudGuard Rule ID: D9.AWS.NET.71
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

EksCluster should not have resourcesVpcConfig.endpointPublicAccess=true or resourcesVpcConfig.endpointPrivateAccess=false

REMEDIATION

From Portal:

  1. Log in to the AWS Management Console.
  2. Open the Amazon EKS service.
  3. Choose the name of the cluster to display your cluster information.
  4. Under Networking, click 'Manage networking'.
  5. For Private access, choose 'Private'.
  6. Save the changes.

From TF:

resource "aws_eks_cluster" "example1" {
	name     = "example"
	role_arn = "aws_iam_role.arn"
	
	vpc_config {
		subnet_ids = ["subnet_id"]
		
		# HCL booleans are lowercase; disable the public endpoint and
		# enable the private one so the rule's two conditions are both met.
		endpoint_public_access  = false
		endpoint_private_access = true
	}
}

From Command Line:

aws eks update-cluster-config --region region-code --name my-cluster --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
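The GSL check above and the CLI remediation, combined into a small audit script. This is an added example, not CloudGuard's or AWS's own code; the cluster records are constructed samples in the shape of `aws eks describe-cluster` output, and `load_from_aws` (which needs boto3 and credentials) is an assumed helper, not something the rule page provides.

```python
import json

# Constructed sample: trimmed `describe-cluster` records for three clusters.
SAMPLE_CLUSTERS = [
    {"name": "prod-private",
     "resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": True}},
    {"name": "dev-public",
     "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": True}},
    {"name": "legacy-no-private",
     "resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": False}},
]


def violations(cluster):
    """Return the D9.AWS.NET.71 conditions this cluster description violates.

    Missing keys fall back to the AWS defaults for a new cluster
    (public endpoint on, private endpoint off), so an absent value is
    reported rather than silently treated as compliant.
    """
    cfg = cluster.get("resourcesVpcConfig", {})
    found = []
    if cfg.get("endpointPublicAccess", True) is True:
        found.append("resourcesVpcConfig.endpointPublicAccess=true")
    if cfg.get("endpointPrivateAccess", False) is False:
        found.append("resourcesVpcConfig.endpointPrivateAccess=false")
    return found


def remediation_command(cluster_name, region):
    """Build the exact update-cluster-config call from the remediation section."""
    return (f"aws eks update-cluster-config --region {region} --name {cluster_name} "
            "--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true")


def audit(clusters, region="us-east-1"):
    """Map each cluster name to its compliance status and, if needed, the fix."""
    report = {}
    for c in clusters:
        v = violations(c)
        report[c["name"]] = {"compliant": not v, "violations": v,
                             "remediation": remediation_command(c["name"], region) if v else None}
    return report


def load_from_aws(region):
    """Assumed helper: fetch live cluster descriptions with boto3 (not run offline)."""
    import boto3  # imported lazily so the offline sample run needs no SDK
    eks = boto3.client("eks", region_name=region)
    names = [n for page in eks.get_paginator("list_clusters").paginate() for n in page["clusters"]]
    return [eks.describe_cluster(name=n)["cluster"] for n in names]


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CLUSTERS), indent=2))
```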

References:

  1. https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/update-cluster-config.html

EKS Cluster

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset