AWS_EKS_3

Ensure Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.

Description

To protect Amazon EKS cluster from public access, private access can be enabled to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC.

Remediation

Ensure Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. Perform the following to modify your cluster API server endpoint access:
1. From the console, open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
2. Choose the name of the cluster to display your cluster information.
3. Choose the Networking tab, then choose Update/Manage Networking.
4. Choose Private, Public, or Public and Private access.
5. Choose Update to finish.

From the command line:
Complete the following steps using AWS CLI version 1.25.87 or later. You can check your current version with aws --version. To install or upgrade the AWS CLI, see Installing the AWS CLI.
Update your cluster API server endpoint access with the following AWS CLI command.
Note:
1. The following command enables private access and public access from a single IP address for the API server endpoint. Replace single_CIDR_block with a single CIDR block, or a comma-separated list of CIDR blocks, that you want to restrict network access to.
aws eks update-cluster-config --region region-code --name cluster_name --resources-vpc-config endpointPublicAccess=true/false,publicAccessCidrs=single_CIDR_block,endpointPrivateAccess=true/false

2. Monitor the status of your endpoint access update with the following command, using the cluster name and update ID that were returned by the previous command. Your update is complete when the status is shown as Successful.

aws eks describe-update --region region-code --name cluster_name --update-id update_id
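The check and remediation above, as an added example (not part of the original page or any AWS tooling): it classifies the resourcesVpcConfig object that aws eks describe-cluster (or boto3's describe_cluster) returns, and builds the argv for the update-cluster-config call that switches a cluster to private-only access. The sample config, the cluster name my-cluster and the region us-east-1 are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed sample: the "resourcesVpcConfig" object from an
# `aws eks describe-cluster` response for a cluster whose API server
# is still reachable from any internet address.
SAMPLE_VPC_CONFIG = {
    "endpointPublicAccess": True,
    "publicAccessCidrs": ["0.0.0.0/0"],
    "endpointPrivateAccess": False,
}


def assess_endpoint_access(vpc_config):
    """Classify one cluster's API endpoint exposure.

    Returns (status, reason): "PASS" when public access is disabled,
    "WARN" when public access is limited to specific CIDR blocks, and
    "FAIL" when public access is open to every address.
    """
    # EKS defaults: public on, private off, CIDR list 0.0.0.0/0.
    public = vpc_config.get("endpointPublicAccess", True)
    if not public:
        return "PASS", "public endpoint access is disabled"
    cidrs = vpc_config.get("publicAccessCidrs") or ["0.0.0.0/0"]
    # A prefix length of 0 (0.0.0.0/0 or ::/0) means "anyone".
    wide_open = [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]
    if wide_open:
        return "FAIL", f"public endpoint open to {', '.join(wide_open)}"
    return "WARN", f"public endpoint restricted to {', '.join(cidrs)}"


def remediation_command(cluster_name, region):
    """Build the argv for the update-cluster-config remediation from the
    page, switching the endpoint to private-only access."""
    return [
        "aws", "eks", "update-cluster-config",
        "--region", region,
        "--name", cluster_name,
        "--resources-vpc-config",
        "endpointPublicAccess=false,endpointPrivateAccess=true",
    ]


if __name__ == "__main__":
    status, reason = assess_endpoint_access(SAMPLE_VPC_CONFIG)
    print(f"{status}: {reason}")
    if status != "PASS":
        print(" ".join(remediation_command("my-cluster", "us-east-1")))
```

Feed it the resourcesVpcConfig of each cluster returned by list-clusters to get a per-cluster verdict before applying the update.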
References: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html

Service

EKS

Severity

Medium

Compliance

Mapping
