EKS Cluster Endpoint Public Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EKS-001

Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet, in order to avoid exposing private data and to minimize security risks. The level of access required for your Kubernetes API server endpoint depends on your EKS application use cases; however, for most use cases Cloud Conformity recommends that the API server endpoint be accessible only from within your AWS Virtual Private Cloud (VPC).

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When launching a cluster on Amazon EKS, an endpoint is automatically generated for the Kubernetes API server. This endpoint allows you to interact with your newly created cluster. By default, this API server endpoint is publicly accessible, meaning any machine on the internet can potentially connect to your EKS cluster using its public endpoint. This exposes your cluster to a higher risk of malicious activities and attacks. Restricting public access to the Kubernetes API endpoint managed by the EKS cluster is a security best practice that helps protect your cluster from unauthorized access and potential security threats. By not allowing public access to the cluster's Kubernetes API endpoint, you ensure that only authorized entities can interact with your Amazon EKS cluster.


Audit

To determine if your Amazon EKS cluster API endpoints are exposed, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine.

05 Select the Networking tab to access the networking settings configured for the selected cluster.

06 Check the API server endpoint access and Public access source allowlist attributes to determine if the Kubernetes API endpoint is exposed to the Internet. If the API server endpoint access is set to Public or Public and Private and the Public access source allowlist is set to 0.0.0.0/0 (open to all traffic), the Kubernetes API endpoint configured for the selected Amazon EKS cluster is publicly accessible to the Internet.

07 Repeat steps no. 4 – 6 for each Amazon EKS cluster available within the current AWS region.

08 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EKS cluster available in the selected AWS region:

aws eks list-clusters \
  --region us-east-1 \
  --output table \
  --query 'clusters'

02 The command output should return a table with the requested EKS cluster names:

---------------------------
|      ListClusters       |
+-------------------------+
| cc-eks-webapp-cluster   |
| cc-eks-project5-cluster |
+-------------------------+

03 Run describe-cluster command (OSX/Linux/UNIX) using the name of the Amazon EKS cluster that you want to examine as the identifier parameter and custom query filters to describe the VPC network configuration used by the cluster control plane:

aws eks describe-cluster \
  --region us-east-1 \
  --name cc-eks-webapp-cluster \
  --query 'cluster.resourcesVpcConfig'

04 The command output should return the requested networking configuration information:

{
	"subnetIds": [
		"subnet-0abcd1234abcd1234",
		"subnet-01234abcd1234abcd"
	],
	"clusterSecurityGroupId": "sg-0abcd1234abcd1234",
	"vpcId": "vpc-01234abcd1234abcd",
	"endpointPublicAccess": true,
	"endpointPrivateAccess": false,
	"publicAccessCidrs": [
		"0.0.0.0/0"
	]
}

If the "endpointPublicAccess" attribute value is set to true and the "publicAccessCidrs" attribute value includes "0.0.0.0/0", as shown in the output example above, the Kubernetes API endpoint configured for the selected Amazon EKS cluster is publicly accessible.

05 Repeat steps no. 3 and 4 for each Amazon EKS cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.
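The audit logic of steps 03 and 04 applied programmatically, as an added example that is not part of the Conformity page or its tooling: the script evaluates the cluster.resourcesVpcConfig objects that describe-cluster returns (constructed samples are embedded so it runs offline) and separates an endpoint open to the Internet from one limited to an allowlist and from a private-only endpoint. Treating an empty publicAccessCidrs list as open is an assumption based on the EKS default allowlist of 0.0.0.0/0.

```python
import ipaddress

# Constructed sample: the "cluster.resourcesVpcConfig" objects that
# "aws eks describe-cluster" would return for three hypothetical clusters.
SAMPLE_CLUSTERS = {
    "cc-eks-webapp-cluster": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
    "cc-eks-project5-cluster": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.5/32"],
    },
    "cc-eks-internal-cluster": {
        "endpointPublicAccess": False,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"],  # irrelevant once public access is off
    },
}


def is_open_to_internet(cidr):
    """True for 0.0.0.0/0 (or any prefix of length 0 that covers all addresses)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def classify_endpoint(vpc_config):
    """Apply the rule's audit check to one resourcesVpcConfig object.

    PUBLIC_OPEN       - reachable from any Internet address (non-compliant)
    PUBLIC_RESTRICTED - public endpoint limited to an allowlist (review the list)
    PRIVATE_ONLY      - reachable only from inside the VPC (compliant)
    """
    if not vpc_config.get("endpointPublicAccess", False):
        return "PRIVATE_ONLY"
    cidrs = vpc_config.get("publicAccessCidrs") or []
    # Assumption: an absent/empty allowlist behaves like the EKS default 0.0.0.0/0.
    if not cidrs or any(is_open_to_internet(c) for c in cidrs):
        return "PUBLIC_OPEN"
    return "PUBLIC_RESTRICTED"


def audit(clusters):
    """Map cluster name -> verdict, sorted by name for stable reporting."""
    return {name: classify_endpoint(cfg) for name, cfg in sorted(clusters.items())}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CLUSTERS).items():
        print(f"{name}: {verdict}")
```

To run it against real clusters, feed the `--query 'cluster.resourcesVpcConfig' --output json` result of each describe-cluster call into classify_endpoint, one cluster per region.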

Remediation / Resolution

To disable public access to your Amazon EKS clusters by configuring the associated Kubernetes API endpoints, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to configure.

05 Select the Networking tab and choose Manage networking to modify the networking configuration settings for the selected cluster.

06 For Cluster endpoint access, choose one of the following options:

  1. Choose Public and private to allow public access from specific source IP addresses outside your VPC while keeping worker node traffic inside your VPC. Choose Advanced settings and enter the specific source IP address(es) to which you wish to allow access. Choose Save changes to apply the changes.
  2. Choose Private to ensure that Kubernetes API endpoint access and worker node traffic stay within your VPC only. Choose Save changes to apply the configuration changes.
  3. (Optional) If your use case requires allowing public access from specific source addresses and directing worker node traffic to a public endpoint, select Public, choose Advanced settings, and enter the specific source IP address(es) to which you wish to allow access. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 for each Amazon EKS cluster provisioned within the current AWS region.

08 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run update-cluster-config command (OSX/Linux/UNIX) using the name of the Amazon EKS cluster that you want to reconfigure as the identifier parameter, to disable the public access to the selected Amazon EKS cluster and enable private access so that the Kubernetes API endpoint can be accessed only from within your VPC:

aws eks update-cluster-config \
  --region us-east-1 \
  --name cc-eks-webapp-cluster \
  --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true,publicAccessCidrs=["10.0.0.20/32"]

02 The command output should return the metadata of the endpoint access update, including the new VPC networking configuration parameters and the update ID needed to track its progress:

{
	"update": {
		"status": "InProgress",
		"errors": [],
		"params": [
			{
				"type": "EndpointPublicAccess",
				"value": "false"
			},
			{
				"type": "EndpointPrivateAccess",
				"value": "true"
			},
			{
				"type": "PublicAccessCidrs",
				"value": "[\"10.0.0.20/32\"]"
			}
		],
		"type": "EndpointAccessUpdate",
		"id": "abcd1234-abcd-abcd-abcd-1234abcd1234",
		"createdAt": 1567589877.330
	}
}

03 Run describe-update command (OSX/Linux/UNIX) to confirm the configuration changes performed at the previous step. The Kubernetes API endpoint configuration update is applied when the update process status is set to "Successful":

aws eks describe-update \
  --region us-east-1 \
  --name cc-eks-webapp-cluster \
  --update-id abcd1234-abcd-abcd-abcd-1234abcd1234 \
  --query 'update.status'

04 The command output should return the requested update status:

"Successful"

05 Repeat steps no. 1 – 4 for each Amazon EKS cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
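Building the --resources-vpc-config argument of step 01 from an allowlist, as an added example that is not taken from the page or the Conformity tooling: with no allowlist it emits the private-only setting, otherwise it keeps a public endpoint limited to validated CIDRs and refuses 0.0.0.0/0 before anything reaches AWS. The bracketed list shorthand matches the form the page's own command uses; the function names and the argv assembly are assumptions of this example.

```python
import ipaddress


def validate_allowlist(allowed_cidrs):
    """Return the allowlist as a list, rejecting malformed entries and any
    prefix of length 0, which would re-open the endpoint to the whole Internet."""
    allowed = list(allowed_cidrs or [])
    for cidr in allowed:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on bad input
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} would leave the API endpoint open to the Internet")
    return allowed


def vpc_config_shorthand(allowed_cidrs=None):
    """Value for --resources-vpc-config.

    No allowlist -> private-only endpoint (the state the rule recommends).
    Allowlist    -> public endpoint restricted to those sources, private access kept on.
    """
    allowed = validate_allowlist(allowed_cidrs)
    if not allowed:
        return "endpointPublicAccess=false,endpointPrivateAccess=true"
    return ("endpointPublicAccess=true,endpointPrivateAccess=true,"
            "publicAccessCidrs=[" + ",".join(allowed) + "]")


def update_command(region, cluster_name, allowed_cidrs=None):
    """argv list for aws eks update-cluster-config; hand it to subprocess.run
    without shell=True so the brackets in the shorthand are passed verbatim."""
    return ["aws", "eks", "update-cluster-config",
            "--region", region,
            "--name", cluster_name,
            "--resources-vpc-config", vpc_config_shorthand(allowed_cidrs)]


if __name__ == "__main__":
    # Constructed cluster names, mirroring the page's examples.
    print(" ".join(update_command("us-east-1", "cc-eks-webapp-cluster")))
    print(" ".join(update_command("us-east-1", "cc-eks-project5-cluster",
                                  ["203.0.113.5/32", "198.51.100.0/24"])))
```

After running the returned command, poll describe-update with the returned update ID as in step 03 until the status reads "Successful".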

Publication date Sep 11, 2019