Amazon EKS creates an endpoint for the Kubernetes API server each time a cluster is launched, and all communication with the new cluster goes through it. By default this endpoint is reachable directly, even from outside the cluster's Virtual Private Cloud (VPC), so any machine on the internet can potentially reach the EKS cluster through its public endpoint, which increases the risk of malicious activity and attacks. Security best practice is therefore to disable public access to the API server endpoint so that it cannot be reached from the internet, minimizing the risk of exposing private data. The level of access to the endpoint should be decided from the specific use cases of your EKS application.
To ensure that your EKS cluster's Kubernetes API server endpoint is not publicly accessible, you can follow these remediation steps:
Once you have completed these steps, the Kubernetes API server endpoint for your EKS cluster will be accessible only from within your VPC, not from the internet. Regularly review your security group rules to ensure that access to the endpoint is granted only to authorized users and to detect any unauthorized attempts to reach it.
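An added example (not part of the original text) that implements the check and the remediation described above in Python: it classifies the `resourcesVpcConfig` block returned by `aws eks describe-cluster` and assembles the `aws eks update-cluster-config` call that turns the public endpoint off; the sample response and the cluster name are constructed.

```python
"""Check an EKS cluster's API server endpoint exposure and build the remediation command."""
import json

# Constructed sample response, shaped like `aws eks describe-cluster --name <cluster>`
# output but trimmed to the fields this check reads (the cluster name is made up).
SAMPLE_DESCRIBE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "example-cluster",
    "resourcesVpcConfig": {
      "endpointPublicAccess": true,
      "endpointPrivateAccess": false,
      "publicAccessCidrs": ["0.0.0.0/0"]
    }
  }
}
""")


def evaluate_endpoint_access(describe_cluster_response):
    """Return (status, reason) for the API server endpoint configuration.

    PASS: the public endpoint is disabled, so the API is reachable only from the VPC.
    WARN: the public endpoint is enabled but limited to specific source CIDRs.
    FAIL: the public endpoint is enabled and open to the whole internet (0.0.0.0/0).
    """
    cfg = describe_cluster_response["cluster"]["resourcesVpcConfig"]
    if not cfg.get("endpointPublicAccess", False):
        # publicAccessCidrs may still list 0.0.0.0/0 here; it is irrelevant once public access is off.
        return "PASS", "public API endpoint disabled"
    cidrs = cfg.get("publicAccessCidrs", [])
    if "0.0.0.0/0" in cidrs:
        return "FAIL", "public API endpoint open to the internet"
    return "WARN", "public API endpoint restricted to " + ", ".join(cidrs)


def remediation_command(cluster_name):
    """Build the CLI call that disables public access while keeping private access on,
    so worker nodes and in-VPC clients can still reach the API after the change."""
    return [
        "aws", "eks", "update-cluster-config",
        "--name", cluster_name,
        "--resources-vpc-config",
        "endpointPublicAccess=false,endpointPrivateAccess=true",
    ]


if __name__ == "__main__":
    status, reason = evaluate_endpoint_access(SAMPLE_DESCRIBE_CLUSTER)
    print(f"{status}: {reason}")
    if status != "PASS":
        print("remediate with:", " ".join(remediation_command("example-cluster")))
```

Run the check against every cluster in the account (e.g. by iterating over `aws eks list-clusters`) and treat FAIL as a finding to remediate; clients outside the VPC will need a VPN, bastion or similar path once public access is off.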