
Ensure EKS Clusters Have Private Endpoint Enabled and Public Access Disabled

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EKS-007

Ensure that your Amazon Elastic Kubernetes Service (EKS) clusters are configured with the Kubernetes API server private endpoint enabled and the public endpoint disabled, so that all communication with the API server stays within your Virtual Private Cloud (VPC). Amazon EKS clusters have two API server endpoints: a private endpoint (internal IP behind an internal load balancer in the cluster's VPC network) and a public endpoint (accessible from outside the VPC). By default, the public endpoint is enabled, allowing the Kubernetes API to be accessed from outside the cluster's VPC network. Disabling public access and enabling private access ensures that all Kubernetes API traffic remains within the VPC, significantly reducing the attack surface.

Security

Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the API publicly with unrestricted access. An attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint helps prevent such threats and requires the attacker to be on the cluster's VPC network to perform any attack on the Kubernetes API. Enabling the private endpoint ensures that nodes communicate with the API server using the private endpoint, keeping all traffic within the VPC.


Audit

To determine if your Amazon EKS clusters are configured with private endpoint access enabled and public endpoint access disabled, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EKS console at https://console.aws.amazon.com/eks/.

  3. In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

  4. Click on the name (link) of the Amazon EKS cluster that you want to examine.

  5. Select the Networking tab to access the networking settings available for the selected cluster.

  6. Check the API server endpoint access attribute. If the value is NOT set to Private only (i.e., it is set to Public or Public and Private), or if private endpoint access is not enabled, the cluster endpoint configuration is not compliant with CIS EKS Benchmark 5.4.2.

  7. Repeat steps no. 4 – 6 for each Amazon EKS cluster deployed within the current AWS region.

  8. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run the list-clusters command (OSX/Linux/UNIX) with custom query filters to list the names of all Amazon EKS clusters available in the selected AWS region:

    aws eks list-clusters \
      --region us-east-1 \
      --output table \
      --query 'clusters'
    
  2. The command output should return a table with the requested EKS cluster identifiers:

    -------------------------
    |     ListClusters      |
    +-----------------------+
    |  cc-eks-mobile-app    |
    |  cc-eks-kube-stack    |
    +-----------------------+
    
  3. Run the describe-cluster command (OSX/Linux/UNIX) using the name of the Amazon EKS cluster that you want to examine as the identifier parameter and custom query filters to describe the Kubernetes API server endpoint access configuration for the selected cluster:

    aws eks describe-cluster \
      --region us-east-1 \
      --name cc-eks-mobile-app \
      --query 'cluster.resourcesVpcConfig.{endpointPublicAccess: endpointPublicAccess, endpointPrivateAccess: endpointPrivateAccess}'
    
  4. The command output should return the requested endpoint access configuration information:

    {
    	"endpointPublicAccess": true,
    	"endpointPrivateAccess": false
    }
    

    If the "endpointPrivateAccess" attribute value is set to false or the "endpointPublicAccess" attribute value is set to true, as shown in the output example above, the selected Amazon EKS cluster is not configured with private endpoint enabled and public access disabled, and is therefore not compliant with CIS EKS Benchmark 5.4.2.

  5. Repeat steps no. 3 and 4 for each Amazon EKS cluster deployed in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To reconfigure your Amazon EKS clusters to enable the private endpoint and disable public endpoint access, perform the following actions:

Note: Disabling public endpoint access means the Kubernetes API server will only be accessible from within the VPC. Ensure that you have configured VPN, AWS Direct Connect, or bastion host access to manage your cluster before disabling public access.

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EKS console at https://console.aws.amazon.com/eks/.

  3. In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

  4. Click on the name (link) of the Amazon EKS cluster that you want to reconfigure.

  5. Select the Networking tab and choose Manage networking to edit the networking configuration settings for the selected cluster.

  6. For Cluster endpoint access, select Private to ensure that Kubernetes API server endpoint access and worker node traffic stay within your VPC only, disabling all public access to the cluster API server.

  7. Choose Save changes to apply the configuration changes.

  8. Repeat steps no. 4 – 7 for each Amazon EKS cluster available within the current AWS region.

  9. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Run the update-cluster-config command (OSX/Linux/UNIX) using the name of the Amazon EKS cluster that you want to reconfigure as the identifier parameter, to disable public access for the selected EKS cluster's Kubernetes API server endpoint and enable private access so that the API server can be reached only from within your VPC:

    aws eks update-cluster-config \
      --region us-east-1 \
      --name cc-eks-mobile-app \
      --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
    
  2. The command output should return the information available for the new API server endpoint access configuration:

    {
    	"update": {
    		"status": "InProgress",
    		"errors": [],
    		"params": [
    			{
    				"type": "EndpointPublicAccess",
    				"value": "false"
    			},
    			{
    				"type": "EndpointPrivateAccess",
    				"value": "true"
    			}
    		],
    		"type": "EndpointAccessUpdate",
    		"id": "abcd1234-abcd-abcd-abcd-1234abcd1234",
    		"createdAt": 1567589177.445
    	}
    }
    
  3. Run the describe-update command (OSX/Linux/UNIX) to confirm the configuration change performed at the previous step. The EKS cluster API server endpoint access configuration update is complete when the update status is "Successful":

    aws eks describe-update \
      --region us-east-1 \
      --name cc-eks-mobile-app \
      --update-id abcd1234-abcd-abcd-abcd-1234abcd1234 \
      --query 'update.status'
    
  4. The command output should return the requested update status:

    "Successful"
    
  5. Repeat steps no. 1 – 4 for each Amazon EKS cluster available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
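The AWS CLI Audit and Remediation procedures above, combined into one script as an added example (not part of this knowledge base article or the Conformity product): it applies the EKS-007 test to every cluster in a region and prints, for each non-compliant cluster, the exact update-cluster-config command from the Remediation section without running it. It assumes the AWS CLI and credentials are available for the live path; the fetch function, the sample resourcesVpcConfig and the cluster names in the offline path are constructed for illustration.

```python
import json
import subprocess
import sys

# Constructed sample, mirroring the non-compliant describe-cluster output above.
SAMPLE_VPC_CONFIG = {"endpointPublicAccess": True, "endpointPrivateAccess": False,
                     "publicAccessCidrs": ["0.0.0.0/0"]}

def evaluate_endpoint_access(vpc_config):
    """EKS-007 test on a cluster's resourcesVpcConfig: compliant only when
    private access is on AND public access is off; reasons list what fails."""
    reasons = []
    if not vpc_config.get("endpointPrivateAccess", False):
        reasons.append("endpointPrivateAccess is false")
    if vpc_config.get("endpointPublicAccess", True):  # EKS default is public on
        cidrs = ", ".join(vpc_config.get("publicAccessCidrs", ["0.0.0.0/0"]))
        reasons.append(f"endpointPublicAccess is true (allowed CIDRs: {cidrs})")
    return {"compliant": not reasons, "reasons": reasons}

def remediation_command(region, name):
    """The update-cluster-config call from the Remediation section, as argv."""
    return ["aws", "eks", "update-cluster-config", "--region", region, "--name", name,
            "--resources-vpc-config", "endpointPublicAccess=false,endpointPrivateAccess=true"]

def aws_json(args):
    """Run one AWS CLI command and parse its JSON output (needs aws + credentials)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def audit_region(region, fetch=aws_json):
    """Evaluate every cluster in a region; `fetch` is injectable for offline tests."""
    findings = []
    for name in fetch(["eks", "list-clusters", "--region", region])["clusters"]:
        desc = fetch(["eks", "describe-cluster", "--region", region, "--name", name])
        result = evaluate_endpoint_access(desc["cluster"]["resourcesVpcConfig"])
        findings.append({"cluster": name, **result})
    return findings

if __name__ == "__main__":
    live = len(sys.argv) > 1  # usage: python audit_eks_endpoints.py us-east-1
    region = sys.argv[1] if live else "us-east-1"
    findings = audit_region(region) if live else [
        {"cluster": "cc-eks-mobile-app", **evaluate_endpoint_access(SAMPLE_VPC_CONFIG)}]
    for f in findings:
        print("OK  " if f["compliant"] else "FAIL", f["cluster"], "; ".join(f["reasons"]))
        if not f["compliant"]:
            print("  fix:", " ".join(remediation_command(region, f["cluster"])))
```

Run it per region, as the Audit and Remediation steps do, and review the printed fix commands against the VPN, Direct Connect or bastion access noted above before applying any of them.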


Publication date Mar 5, 2026