CloudWiki
Rules
Medium

Ensure EKS Public access is disabled

Security & Compliance
APRA
CIS
CISAWSF
CIS EKS
GDPR
HIPAA
HITRUST
MAS
NIST 800-53
PCI-DSS
Description

Amazon EKS generates an endpoint for the Kubernetes API server during each cluster launch, which enables communication with the new cluster. The default configuration allows direct access to this API server endpoint, even from outside a Virtual Private Cloud (VPC). As a result, any machine on the internet can potentially reach the EKS cluster through its public endpoint, increasing the risk of malicious activities and attacks. To comply with security best practices, it is recommended to disable public access to the API server endpoint to prevent internet access. To minimize security risks and prevent exposure of private data, it's important to ensure that the Kubernetes API server endpoint for your Amazon EKS cluster is not publicly accessible from the internet. The level of access to the endpoint should be determined based on the specific use cases of your EKS application.

Remediation

To ensure that your EKS cluster's Kubernetes API server endpoint is not publicly accessible, you can follow these remediation steps:

  1. Log in to the AWS Management Console and navigate to the Amazon EKS console.
  2. Select the EKS cluster for which you want to restrict access to the Kubernetes API server endpoint.
  3. Click on the "Cluster security groups" tab and locate the security group associated with the cluster's control plane.
  4. Click on the security group's name to open its properties.
  5. Under the "Inbound rules" tab, delete any rules that allow public access to the Kubernetes API server endpoint.
  6. Create a new rule that allows inbound traffic from the private IP range of your VPC on the port used by the Kubernetes API server endpoint (TCP port 443 by default).
  7. Click the "Save" button to save the changes.

Once you have completed these steps, the Kubernetes API server endpoint for your EKS cluster will only be accessible from within your VPC, and not from the internet. It's important to regularly review your security group rules to ensure that access to the endpoint is only granted to authorized users and to detect any unauthorized attempts to access the endpoint.

Enforced Resources
EKS
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.