Ensure security groups associated with EKS cluster do not have inbound rules with a scope of 0.0.0.0/0

Ensure that your Amazon EKS clusters' security groups allow inbound traffic only on TCP port 443 to protect against threats and meet compliance standards.

Risk Level: Medium
Cloud Entity: EKS Cluster
CloudGuard Rule ID: D9.AWS.NET.94
Covered by Spectral: No
Category: Compute

GSL LOGIC

EksCluster should not have resourcesVpcConfig.clusterSecurityGroup contain [ inboundRules contain [ scope = '0.0.0.0/0'] ] or resourcesVpcConfig.additionalSecurityGroups contain [ inboundRules contain [ port != 443 and scope = '0.0.0.0/0'] ]

REMEDIATION

From Portal

  1. Log in to the AWS Console.
  2. Navigate to EKS Clusters.
  3. Select the EKS Cluster.
  4. Click on the Networking tab.
  5. Open each Security Group.
  6. Remove the inbound rule with a scope of '0.0.0.0/0'.

From Command Line

  1. Get the cluster security group:
     aws eks describe-cluster --name <cluster_name> --query cluster.resourcesVpcConfig.clusterSecurityGroupId
  2. Get the additional security groups:
     aws eks describe-cluster --name <cluster_name> --query cluster.resourcesVpcConfig.securityGroupIds
  3. Get the security group inbound rules, for each security group id:
     aws ec2 describe-security-groups --group-ids <security_group_id> --query 'SecurityGroups[*].IpPermissions'
  4. Remove the inbound rule with a scope of '0.0.0.0/0' from each security group:
     aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol <protocol> --port <port> --cidr 0.0.0.0/0
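The following is an added example, not part of the CloudGuard rule page or the AWS CLI: a small offline check that applies the GSL logic above to the IpPermissions lists returned by step 3 and, for each non-compliant rule, builds the matching revoke command for step 4. It assumes the rule semantics stated in the GSL (any 0.0.0.0/0 inbound rule on the cluster security group is a finding; on additional security groups only an exact TCP 443 rule is tolerated) and it treats an all-traffic rule or a port range that merely contains 443 as "port != 443". The security group ids and rules are constructed sample data. Emitting the exact rule via `--ip-permissions` rather than `--protocol/--port/--cidr` is a choice made here so that all-traffic rules (protocol -1) are handled the same way.

```python
"""Offline check mirroring CloudGuard rule D9.AWS.NET.94 (added example, not the rule's own code).

Input shape: the IpPermissions lists that
  aws ec2 describe-security-groups --group-ids <id> --query 'SecurityGroups[*].IpPermissions'
returns, keyed by security group id. Output: findings plus revoke commands.
"""
import json
from typing import Dict, List, Optional

OPEN_IPV4 = "0.0.0.0/0"  # the scope the rule flags; it does not look at IPv6 ::/0


def open_world_permission(rule: Dict) -> Optional[Dict]:
    """If the inbound rule contains an IPv4 range of 0.0.0.0/0, return a copy of
    the rule narrowed to that single range (the shape that
    revoke-security-group-ingress --ip-permissions needs); otherwise None."""
    if not any(r.get("CidrIp") == OPEN_IPV4 for r in rule.get("IpRanges", [])):
        return None
    perm = {"IpProtocol": rule["IpProtocol"]}
    if "FromPort" in rule:          # absent for all-traffic rules (IpProtocol "-1")
        perm["FromPort"] = rule["FromPort"]
        perm["ToPort"] = rule["ToPort"]
    perm["IpRanges"] = [{"CidrIp": OPEN_IPV4}]
    return perm


def is_tcp_443_only(rule: Dict) -> bool:
    """Assumption: only an exact TCP 443-443 rule counts as 'port = 443' in the GSL."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == 443
            and rule.get("ToPort") == 443)


def find_violations(cluster_sg: Dict[str, List[Dict]],
                    additional_sgs: Dict[str, List[Dict]]) -> List[Dict]:
    """Return one finding per non-compliant inbound rule.

    cluster_sg     : {sg_id: IpPermissions} for the cluster security group
    additional_sgs : {sg_id: IpPermissions} for resourcesVpcConfig.securityGroupIds
    """
    findings = []
    for sg_id, rules in cluster_sg.items():
        for rule in rules:
            perm = open_world_permission(rule)
            if perm:  # cluster SG: any 0.0.0.0/0 inbound rule is a finding
                findings.append({"sg_id": sg_id, "kind": "cluster", "permission": perm})
    for sg_id, rules in additional_sgs.items():
        for rule in rules:
            perm = open_world_permission(rule)
            if perm and not is_tcp_443_only(rule):  # additional SG: 443/tcp is tolerated
                findings.append({"sg_id": sg_id, "kind": "additional", "permission": perm})
    return findings


def revoke_command(finding: Dict) -> str:
    """Build the AWS CLI command that removes exactly the offending rule."""
    return ("aws ec2 revoke-security-group-ingress --group-id {} --ip-permissions '{}'"
            .format(finding["sg_id"], json.dumps([finding["permission"]])))


# Constructed sample data (not real security groups).
CLUSTER_SG = {
    "sg-0cluster": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                      # finding: open to the world
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0cluster"}]},            # self-referencing, fine
    ]
}
ADDITIONAL_SGS = {
    "sg-0extra": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                      # tolerated: 443/tcp
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                      # finding: 22/tcp open
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}, # fine: not 0.0.0.0/0
    ]
}

if __name__ == "__main__":
    for finding in find_violations(CLUSTER_SG, ADDITIONAL_SGS):
        print(f"{finding['sg_id']} ({finding['kind']} SG): {json.dumps(finding['permission'])}")
        print("  " + revoke_command(finding))
```

Running the script against the sample prints two findings (the 443/tcp rule on the cluster security group and the 22/tcp rule on the additional group) together with the revoke command for each; the 443/tcp rule on the additional group and the internal-only rules are left alone. Review the printed commands before executing any of them, since revoking the wrong rule can cut node-to-control-plane traffic.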

References

  1. https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html

EKS Cluster

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS MITRE ATT&CK Framework v11.3
  • CloudGuard AWS All Rules Ruleset