Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0
Ensure that the security groups attached to your Amazon EKS clusters do not accept inbound traffic from 0.0.0.0/0. The cluster security group should carry no inbound rule open to the world at all, and any additional security groups should expose at most TCP port 443 (HTTPS) to 0.0.0.0/0. Anything wider exposes the control plane or worker nodes to the whole internet and fails common compliance baselines.
Risk Level: Medium
Cloud Entity: EKS Cluster
CloudGuard Rule ID: D9.AWS.NET.94
Covered by Spectral: No
Category: Compute
GSL LOGIC
EksCluster should not have resourcesVpcConfig.clusterSecurityGroup contain [ inboundRules contain [ scope = '0.0.0.0/0'] ] or resourcesVpcConfig.additionalSecurityGroups contain [ inboundRules contain [ port != 443 and scope = '0.0.0.0/0'] ]
REMEDIATION
From Portal
- Log in to the AWS Console.
- Navigate to EKS Clusters.
- Select the EKS Cluster.
- Click on the Networking tab.
- Open each Security Group.
- Remove every inbound rule whose source is '0.0.0.0/0'. For the cluster security group no such rule is allowed; for the additional security groups, at most a TCP port 443 rule may remain open to 0.0.0.0/0.
From Command Line
- Get the cluster security group:
aws eks describe-cluster --name <cluster_name> --query cluster.resourcesVpcConfig.clusterSecurityGroupId --output text
- Get the additional security groups:
aws eks describe-cluster --name <cluster_name> --query cluster.resourcesVpcConfig.securityGroupIds
- Get the security group inbound rules, for each security group id:
aws ec2 describe-security-groups --group-ids <security_group_id> --query 'SecurityGroups[*].IpPermissions'
- Remove the offending inbound rule from each security group. The protocol, port and CIDR must match the existing rule exactly; for an all-traffic rule or a port range, pass the rule as JSON with --ip-permissions instead of --protocol/--port:
aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol <protocol> --port <port> --cidr 0.0.0.0/0
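The command-line steps above leave the comparison against the GSL logic to the operator. The following script, an added example that is not part of the CloudGuard page or of any AWS tooling, applies the same logic automatically: it takes the JSON that `aws eks describe-cluster` and `aws ec2 describe-security-groups` return, flags every world-open inbound rule on the cluster security group and every world-open rule other than TCP 443 on the additional security groups, and prints a matching `revoke-security-group-ingress` command for each finding. The sample cluster and security groups embedded below are constructed; the function names, the handling of IPv6 `::/0` (which the CloudGuard rule itself does not check) and the use of `--ip-permissions` for the revoke call are this example's own choices.

```python
"""Audit EKS cluster security groups for inbound rules open to the world.

Added example, not CloudGuard's or AWS's code. Feed it the `cluster` object
from `aws eks describe-cluster` and the `SecurityGroups` list from
`aws ec2 describe-security-groups`; the sample data below is constructed.
Standard library only, so it runs offline.
"""
import json

# Assumption: ::/0 is treated like 0.0.0.0/0, which goes beyond the GSL rule.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ALLOWED_PORT = 443  # the only port an additional SG may open to the world


def _rule_ports(perm):
    """Return (from, to) for an IpPermissions entry.
    IpProtocol '-1' means all traffic and carries no port fields."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _world_cidrs(perm):
    """All world-open source ranges (IPv4 and IPv6) referenced by one rule."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_violations(sg, is_cluster_sg):
    """Mirror the GSL logic: the cluster SG may have no world-open inbound
    rule; an additional SG may expose only TCP 443 to the world."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = _world_cidrs(perm)
        if not cidrs:
            continue  # self-references and private ranges are fine
        lo, hi = _rule_ports(perm)
        only_443 = perm.get("IpProtocol") == "tcp" and lo == hi == ALLOWED_PORT
        if is_cluster_sg or not only_443:
            for cidr in cidrs:
                findings.append({"GroupId": sg["GroupId"],
                                 "IpProtocol": perm.get("IpProtocol"),
                                 "FromPort": lo, "ToPort": hi, "Cidr": cidr})
    return findings


def audit_cluster(cluster, security_groups):
    """Evaluate one cluster against every SG object it references."""
    cfg = cluster["resourcesVpcConfig"]
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    cluster_sg_id = cfg.get("clusterSecurityGroupId")
    if cluster_sg_id in by_id:
        findings += find_violations(by_id[cluster_sg_id], is_cluster_sg=True)
    for sg_id in cfg.get("securityGroupIds", []):
        if sg_id in by_id and sg_id != cluster_sg_id:
            findings += find_violations(by_id[sg_id], is_cluster_sg=False)
    return findings


def revoke_command(finding):
    """Build the CLI call that removes exactly this rule. --ip-permissions is
    used so that all-traffic ('-1') rules and port ranges are expressed
    correctly, which --protocol/--port cannot do."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Cidr"]}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm], separators=(",", ":"))))


# Constructed sample input in the shape of the two AWS CLI outputs.
SAMPLE_CLUSTER = {"name": "demo", "resourcesVpcConfig": {
    "clusterSecurityGroupId": "sg-0cluster0000000000",
    "securityGroupIds": ["sg-0extra00000000000"]}}
SAMPLE_SGS = [
    {"GroupId": "sg-0cluster0000000000", "IpPermissions": [
        # EKS default: the cluster SG allows all traffic from itself (not a finding)
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0cluster0000000000"}]},
        # world-open on the cluster SG: finding even though it is TCP 443
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0extra00000000000", "IpPermissions": [
        # TCP 443 to the world on an additional SG: allowed by the rule
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # SSH from the world: finding (the 10.0.0.0/8 range on the same rule is fine)
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
        # all traffic from the IPv6 world: finding
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for f in audit_cluster(SAMPLE_CLUSTER, SAMPLE_SGS):
        print("VIOLATION %s %s %s-%s from %s" % (f["GroupId"], f["IpProtocol"],
                                                f["FromPort"], f["ToPort"], f["Cidr"]))
        print("  " + revoke_command(f))
```

Run it against real output by loading the two JSON documents with `json.load` and passing `data["cluster"]` and `data["SecurityGroups"]` to `audit_cluster`. Review each printed revoke command before executing it: the cluster security group's self-referencing rule is the EKS default and is never reported, but a world-open rule you remove may be the one your API endpoint relies on, so narrow it to known source ranges rather than simply deleting it if the endpoint must stay public.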
References
EKS Cluster
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS MITRE ATT&CK Framework v11.3
- CloudGuard AWS All Rules Ruleset