Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet, to avoid exposing private data and to minimize security risks. The appropriate level of access to the Kubernetes API server endpoint depends on your EKS application use case; however, for most use cases Cloud Conformity recommends that the API server endpoint be accessible only from within your AWS Virtual Private Cloud (VPC).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
During each cluster launch, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your newly created cluster. By default, this AWS-managed API server endpoint is reachable directly from outside your Virtual Private Cloud (VPC), so any machine on the Internet can reach your EKS cluster through its public endpoint, which increases the opportunity for malicious activity and attacks. To follow security best practices, you can disable public access to the API server endpoint entirely so that it is no longer reachable from the Internet.
To determine if your AWS EKS cluster endpoints are publicly accessible, perform the following actions:
Remediation / Resolution
To reconfigure the visibility of your EKS cluster API server endpoints to the Internet in order to disable public accessibility, perform the following actions:
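The following is an added example, not Conformity's own tooling, covering both the audit and the remediation described above. It works on the `cluster` object returned by `aws eks describe-cluster` (or boto3's `describe_cluster`), reporting whether the API server endpoint is public and building the `update-cluster-config` parameters that turn public access off; the function names and the sample cluster objects are mine and constructed.

```python
"""Added example (not Conformity's code): audit EKS API endpoint exposure from a
describe-cluster `cluster` object and build the matching remediation call.
Function names are mine; sample cluster objects below are constructed."""
from typing import Callable, Dict, List, Optional

ANY_ADDRESS = "0.0.0.0/0"   # what EKS uses when no publicAccessCidrs is set


def endpoint_findings(cluster: Dict) -> List[str]:
    """Return findings for one cluster; an empty list means the API server
    endpoint is reachable only from inside the VPC (the recommended state)."""
    name = cluster.get("name", "<unknown>")
    vpc = cluster.get("resourcesVpcConfig", {})
    findings = []
    if vpc.get("endpointPublicAccess", True):       # EKS default is public
        cidrs = vpc.get("publicAccessCidrs") or [ANY_ADDRESS]
        if ANY_ADDRESS in cidrs:
            findings.append(f"{name}: API endpoint is reachable from any Internet address")
        else:
            findings.append(f"{name}: API endpoint is public (allow-listed: {', '.join(cidrs)})")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append(f"{name}: private (in-VPC) endpoint access is disabled")
    return findings


def remediate(cluster: Dict, update_cluster_config: Callable[..., object]) -> Optional[Dict]:
    """Disable public access, enabling private access in the same call because EKS
    rejects a configuration with both endpoints off. `update_cluster_config` is
    boto3's eks.update_cluster_config or any callable with its keyword signature.
    Returns the resourcesVpcConfig sent, or None if the cluster already complies."""
    vpc = cluster.get("resourcesVpcConfig", {})
    if not vpc.get("endpointPublicAccess", True) and vpc.get("endpointPrivateAccess", False):
        return None
    config = {"endpointPublicAccess": False, "endpointPrivateAccess": True}
    update_cluster_config(name=cluster["name"], resourcesVpcConfig=config)
    return config


# Constructed sample objects, shaped like describe-cluster output.
SAMPLE_PUBLIC = {"name": "demo-public", "resourcesVpcConfig": {
    "endpointPublicAccess": True, "endpointPrivateAccess": False,
    "publicAccessCidrs": ["0.0.0.0/0"]}}
SAMPLE_PRIVATE = {"name": "demo-private", "resourcesVpcConfig": {
    "endpointPublicAccess": False, "endpointPrivateAccess": True}}

if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_PRIVATE):
        print(endpoint_findings(sample) or [f"{sample['name']}: compliant"])
    # Dry run: print the call instead of sending it (pass eks.update_cluster_config for real).
    remediate(SAMPLE_PUBLIC, lambda **kw: print("update_cluster_config", kw))
```

For a live audit, feed `boto3.client("eks").describe_cluster(name=n)["cluster"]` for each name from `list_clusters()`. Before disabling public access, confirm that operators and CI/CD reach the API from inside the VPC (VPN, bastion or a connected network), because kubectl from the Internet stops working once only the private endpoint is enabled.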
Publicly Accessible Cluster Endpoints
Risk level: Medium