Disable Remote Access to EKS Cluster Node Groups

Risk Level: High (not acceptable risk)

To enhance EKS cluster security, ensure that remote access to the cluster node groups is disabled. By disabling remote access, you prevent unauthorized access and potential breaches to the cluster's resources and sensitive data. This mitigates the risk of malicious actors gaining control over your infrastructure and helps maintain the integrity and confidentiality of your EKS cluster and its data.

Security

Operational
excellence

Instead of enabling SSH remote access by default, it is recommended to follow security best practices and configure remote access on a case-by-case basis, based on specific needs and requirements. If remote access is really required, consider implementing additional security measures such as strong authentication, secure network connections via security groups, and regular auditing and monitoring of access logs.

Audit

To determine if remote access to your Amazon EKS cluster node groups is disabled, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.
In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.
Click on the name (link) of the Amazon EKS cluster that you want to examine.
Select the Compute tab to access the compute resources provisioned for the selected cluster.
Click on the name (link) of the node group that you want to examine.
Select the Details tab and check the configuration status available for the Configure remote access to nodes attribute. If the configuration status is set to on, the SSH remote access to the selected Amazon EKS cluster node group is not disabled.
Repeat steps no. 6 and 7 for each node group provisioned for the selected EKS cluster.
Repeat steps no. 4 - 8 for each Amazon EKS cluster available within the current AWS region.
Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

Run list-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EKS cluster available in the selected AWS region:
```
aws eks list-clusters
  --region us-east-1
  --output table
  --query 'clusters'
```

The command output should return a table with the requested EKS cluster names:

---------------------------
|      ListClusters       |
+-------------------------+
| cc-eks-webapp-cluster   |
| cc-eks-project5-cluster |
+-------------------------+

Run list-nodegroups command (OSX/Linux/UNIX) with custom query filters to describe the name of each node group provisioned for the selected Amazon EKS cluster:
```
aws eks list-nodegroups 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --query 'nodegroups'
```
The command output should return the requested EKS cluster node group names:
```
[
	"cc-webapp-cluster-node-001",
	"cc-webapp-cluster-node-002"
]
```
Run describe-nodegroup command (OSX/Linux/UNIX) with custom output filtering to describe the name of the EC2 SSH key that provides access for SSH communication with the nodes within the selected node group:
```
aws eks describe-nodegroup 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --nodegroup-name cc-webapp-cluster-node-001 
  --query 'nodegroup.remoteAccess.ec2SshKey'
```
The command output should return the name of the SSH key configured for remote access:
```
"eks-ssh-key"
```
If the describe-nodegroup command output returns the name of the SSH key configured for remote access, as shown in the output example above, the SSH remote access to the selected Amazon EKS cluster node group is not disabled.
Repeat steps no. 5 and 6 for each node group provisioned for the selected EKS cluster.
Repeat steps no. 3 - 7 for each Amazon EKS cluster available in the selected AWS region.
Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

Remediation / Resolution

To disable SSH remote access to an Amazon EKS cluster node group, you must re-create the node group with the appropriate access configuration. To launch a new EKS cluster node group, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.
In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.
Click on the name (link) of the Amazon EKS cluster that you want to examine.
Select the Compute tab to access the compute resources provisioned for the selected cluster.
Choose Add node group from the Node groups section and follow the setup wizard to configure the new node group based on your application requirements.
For Step 3 Specify networking, choose one of the following options:
1. Switch off the Configure remote access to nodes button to disable remote access to your node group entirely.
2. Switch on the Configure remote access to nodes button, choose Enable, select an EC2 SSH key to allow secure remote access to your nodes from the EC2 Key Pair dropdown list, choose Selected security groups for Allow remote access from, and select the security group(s) that can be used to restrict which source IPs can remotely access the nodes within the node group, from the Security groups list.
Once all the required settings are configured, choose Create to launch your new Amazon EKS cluster node group.
To remove the non-compliant node group from your EKS cluster, select the node group that you want to remove and choose Delete. To confirm deletion, type the node group name in the required field, and choose Delete to confirm the resource removal.
Repeat steps no. 6 - 9 for each EKS cluster node group that you want to re-create.
Repeat steps no. 4 – 10 for each Amazon EKS cluster provisioned within the current AWS region.
Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

Run create-nodegroup command (OSX/Linux/UNIX) using the name of the Amazon EKS cluster that you want to configure as the identifier parameter, to create a new node group for the selected EKS cluster. To disable remote access entirely, exclude the --remote-access parameter from the create-nodegroup command request. To configure the source IP ranges that can remotely access the nodes within the node group, specify the required SSH key and the security group(s) that can control which trusted source IPs can remotely access the nodes, e.g. --remote-access ec2SshKey="eks-ssh-key",sourceSecurityGroups="sg-01234abcd1234abcd":
```
aws eks create-nodegroup 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --nodegroup-name cc-webapp-cluster-node-003 
  --instance-types t3.medium 
  --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd 
  --node-role arn:aws:iam::466594415815:role/cc-eks-node-role
```

The command output should return the configuration information available for the new node group:

{
	"nodegroup": {
		"nodegroupName": "cc-webapp-cluster-node-003",
		"nodegroupArn": "arn:aws:eks:us-east-1:123456789012:nodegroup/cc-eks-webapp-cluster/cc-webapp-cluster-node-003/abcd1234-abcd-1234-abcd-1234abcd1234",
		"clusterName": "cc-eks-webapp-cluster",
		"version": "1.27",
		"releaseVersion": "1.27.1-20230607",
		"createdAt": "2023-06-29T13:36:39.930000+00:00",
		"modifiedAt": "2023-06-29T13:36:39.930000+00:00",
		"status": "CREATING",
		"capacityType": "ON_DEMAND",
		"scalingConfig": {
			"minSize": 1,
			"maxSize": 2,
			"desiredSize": 2
		},
		"instanceTypes": [
			"t3.medium"
		],
		"subnets": [
			"subnet-0abcd1234abcd1234",
			"subnet-01234abcd1234abcd"
		],
		"amiType": "AL2_x86_64",
		"nodeRole": "arn:aws:iam::123456789012:role/cc-eks-node-role",
		"diskSize": 20,
		"health": {
			"issues": []
		},
		"updateConfig": {
			"maxUnavailable": 1
		},
		"tags": {}
	}
}

To remove the non-compliant node group from your Amazon EKS cluster, run delete-nodegroup command (OSX/Linux/UNIX):

aws eks delete-nodegroup 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --nodegroup-name cc-webapp-cluster-node-001

The command output should return the information available for the deleted node group:

{
	"nodegroup": {
		"nodegroupName": "cc-webapp-cluster-node-001",
		"nodegroupArn": "arn:aws:eks:us-east-1:123456789012:nodegroup/cc-eks-webapp-cluster/cc-webapp-cluster-node-003/abcd1234-abcd-1234-abcd-1234abcd1234",
		"clusterName": "cc-eks-webapp-cluster",
		"version": "1.27",
		"releaseVersion": "1.27.1-20230607",
		"createdAt": "2023-06-29T09:48:06.504000+00:00",
		"modifiedAt": "2023-06-29T14:37:47.087000+00:00",
		"status": "CREATING",
		"capacityType": "ON_DEMAND",
		"scalingConfig": {
			"minSize": 1,
			"maxSize": 2,
			"desiredSize": 2
		},
		"instanceTypes": [
			"t3.medium"
		],
		"subnets": [
			"subnet-0abcd1234abcd1234",
			"subnet-01234abcd1234abcd"
		],
		"remoteAccess": {
			"ec2SshKey": "terminal.key"
		},
		"amiType": "AL2_x86_64",
		"nodeRole": "arn:aws:iam::123456789012:role/cc-eks-node-role",
		"diskSize": 20,
		"health": {
			"issues": []
		},
		"updateConfig": {
			"maxUnavailable": 1
		},
		"tags": {}
	}
}

Repeat steps no. 1 - 4 for each EKS cluster node group that you want to re-create.
Repeat steps no. 1 – 5 for each Amazon EKS cluster provisioned in the selected AWS region.
Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

AWS Command Line Interface (CLI) Documentation
list-clusters
list-nodegroups
describe-nodegroup
create-nodegroup
delete-nodegroup

Publication date Jul 12, 2023

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EKS rules