Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet, in order to avoid exposing private data and to minimize security risk. The level of access to your Kubernetes API server endpoint depends on your EKS application use cases; however, for most use cases Cloud Conformity recommends that the API server endpoint be accessible only from within your AWS Virtual Private Cloud (VPC).
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When launching a cluster on Amazon EKS, an endpoint is automatically generated for the Kubernetes API server. This endpoint allows you to interact with your newly created cluster. By default, this API server endpoint is publicly accessible, meaning any machine on the internet can potentially connect to your EKS cluster using its public endpoint. This exposes your cluster to a higher risk of malicious activities and attacks. Restricting public access to the Kubernetes API endpoint managed by the EKS cluster is a security best practice that helps protect your cluster from unauthorized access and potential security threats. By not allowing public access to the cluster's Kubernetes API endpoint, you ensure that only authorized entities can interact with your Amazon EKS cluster.
Audit
To determine if your Amazon EKS cluster API endpoints are exposed, perform the following operations:
Remediation / Resolution
To disable public access to your Amazon EKS clusters by configuring the associated Kubernetes API endpoints, perform the following operations:
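The audit and remediation steps above both rely on the AWS CLI commands listed under References. The following Python script is an added example, not Conformity's or AWS's own code: it classifies a cluster's API endpoint exposure from the `describe-cluster` response (using the real `resourcesVpcConfig` fields `endpointPublicAccess`, `endpointPrivateAccess` and `publicAccessCidrs`) and builds the `update-cluster-config` and `describe-update` calls that disable public access and poll the asynchronous update. The cluster name, region, `<update-id>` placeholder and the sample JSON response are constructed for the example; the three-level COMPLIANT / WARNING / NON_COMPLIANT split is the example's own categorization.

```python
"""Added example (not Conformity's or AWS's code): evaluate the exposure of an
EKS Kubernetes API endpoint from `describe-cluster` output and build the
`update-cluster-config` / `describe-update` calls that remediate it."""
import json
import shlex

# Constructed sample of `aws eks describe-cluster --name demo-cluster` output,
# trimmed to the fields this check needs (the real response has many more).
SAMPLE_DESCRIBE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "demo-cluster",
    "resourcesVpcConfig": {
      "endpointPublicAccess": true,
      "endpointPrivateAccess": false,
      "publicAccessCidrs": ["0.0.0.0/0"]
    }
  }
}
""")


def assess_endpoint_exposure(describe_cluster_output: dict) -> dict:
    """Classify a cluster's API endpoint exposure.

    COMPLIANT      public endpoint disabled (reachable only inside the VPC)
    WARNING        public endpoint enabled but limited to specific CIDRs
    NON_COMPLIANT  public endpoint enabled and open to 0.0.0.0/0 (the default)
    """
    cluster = describe_cluster_output["cluster"]
    vpc_cfg = cluster["resourcesVpcConfig"]
    public = bool(vpc_cfg.get("endpointPublicAccess", False))
    private = bool(vpc_cfg.get("endpointPrivateAccess", False))
    cidrs = list(vpc_cfg.get("publicAccessCidrs", []))
    if not public:
        status = "COMPLIANT"
    elif "0.0.0.0/0" in cidrs:
        status = "NON_COMPLIANT"
    else:
        status = "WARNING"
    return {
        "cluster": cluster.get("name"),
        "status": status,
        "endpointPublicAccess": public,
        "endpointPrivateAccess": private,
        "publicAccessCidrs": cidrs,
    }


def remediation_command(cluster_name: str, region: str) -> list:
    """Build the `update-cluster-config` call that disables the public endpoint.

    Private access is switched on in the same call: EKS rejects a configuration
    with both endpoint types disabled, and kubectl / worker-node traffic must
    still have a path to the API server from inside the VPC (or over VPN /
    Direct Connect) once the public endpoint is gone.
    """
    return [
        "aws", "eks", "update-cluster-config",
        "--region", region,
        "--name", cluster_name,
        "--resources-vpc-config",
        "endpointPublicAccess=false,endpointPrivateAccess=true",
    ]


def describe_update_command(cluster_name: str, update_id: str, region: str) -> list:
    """Build the `describe-update` call used to poll the asynchronous change."""
    return [
        "aws", "eks", "describe-update",
        "--region", region,
        "--name", cluster_name,
        "--update-id", update_id,
    ]


def update_status(describe_update_output: dict) -> str:
    """Extract the update status; the change is done once it leaves 'InProgress'."""
    return describe_update_output["update"]["status"]


if __name__ == "__main__":
    report = assess_endpoint_exposure(SAMPLE_DESCRIBE_CLUSTER)
    print(json.dumps(report, indent=2))
    if report["status"] != "COMPLIANT":
        region = "us-east-1"  # constructed; use the cluster's real region
        print("remediate with:", shlex.join(remediation_command(report["cluster"], region)))
        # `update-cluster-config` returns an update id; the placeholder stands in for it.
        print("then poll with:", shlex.join(describe_update_command(report["cluster"], "<update-id>", region)))
```

In practice the JSON fed to `assess_endpoint_exposure` comes from running `aws eks list-clusters` and then `aws eks describe-cluster --name <cluster>` for each result; the WARNING tier flags clusters that are CIDR-restricted but still reachable from outside the VPC, which this rule's recommendation does not consider sufficient.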
References
- AWS Documentation
  - Amazon EKS FAQs
  - Amazon EKS clusters
  - Amazon EKS VPC and subnet requirements and considerations
  - Amazon EKS cluster endpoint access control
- AWS Command Line Interface (CLI) Documentation
  - list-clusters
  - describe-cluster
  - update-cluster-config
  - describe-update