EKS Security Groups

01 Sign in to AWS Management Console.

02 Navigate to Amazon EKS dashboard at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon EKS, select Clusters.

04 Click on the name (link) of the EKS cluster that you want to examine to access the resource configuration settings.

05 On the selected EKS cluster settings page, within Networking section, click on the ID of the security group that you want to examine.

06 Select the Inbound Rules tab from the dashboard bottom panel.

07 Verify the value available in the Port Range column for each inbound/ingress rule defined. If one or more inbound rules are configured to allow access on ports different than TCP port 443 (HTTPS), the access configuration for the selected Amazon EKS security group is not compliant.

08 Repeat steps no. 5 – 7 to check the access configuration (i.e. opened ports) for the rest of the security groups attached to the selected EKS cluster.

09 Repeat steps no. 4 – 8 to verify the EKS security group access compliance for other Amazon EKS clusters available within the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all AWS EKS clusters available in the selected region:

aws eks list-clusters
	--region us-east-1
	--output table
	--query 'clusters'

02 The command output should return a table with the requested EKS cluster names:

-------------------------
|     ListClusters      |
+-----------------------+
|  cc-eks-prod-stack    |
|  cc-eks-mobile-app    |
+-----------------------+ 

03 Run describe-cluster command (OSX/Linux/UNIX) using the name of the EKS cluster that you want to examine as identifier parameter and custom query filters to get the ID(s) of the security group(s) associated with the selected Amazon EKS cluster:

aws eks describe-cluster
	--region us-east-1
	--name cc-eks-prod-stack
	--query 'cluster.resourcesVpcConfig.securityGroupIds'

04 The command output should return the requested security group identifiers (IDs):

[
    "sg-0abcd1234abcd1234"
]

05 Run describe-security-groups command (OSX/Linux/UNIX) using the name of the EKS security group that you want to examine as identifier parameter and custom query filters to expose the configuration of the inbound rule(s) defined for the selected security group:

aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-0abcd1234abcd1234
	--query 'SecurityGroups[*].IpPermissions'

06 The command output should return the requested configuration information:

[
    [
        {
            "PrefixListIds": [],
            "FromPort": 22,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 22,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": [],
            "Ipv6Ranges": []
        },
        {
            "PrefixListIds": [],
            "FromPort": 443,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 443,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": [],
            "Ipv6Ranges": []
        }
    ]
]

07 Repeat step no. 5 and 6 to check the access configuration (i.e. opened ports) for the rest of the security groups associated with the selected EKS cluster.

08 Repeat steps no. 3 – 7 to verify the EKS security group access compliance for other Amazon EKS clusters available in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to reconfigure (see Audit section part I to identify the right security group).

05 Select the Inbound tab from the dashboard bottom panel and click the Edit button to update inbound rules configuration.

06 Inside the Edit inbound rules dialog box, find the inbound rule(s) configured to allow access on ports different than TCP port 443, then click on the x button next to each rule to remove it from the security group. Once all non-compliant inbound rules are deleted from the selected security group, click Save to apply the changes.

07 Repeat steps no. 4 – 6 to update other security groups with non-compliant access configurations, associated with your Amazon EKS clusters.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group that you want to reconfigure (see Audit section part II to identify the right EKS security group), to delete the inbound rule configured to allow access on port different than TCP port 443. The following revoke-security-group-ingress command example removes an inbound/ingress rule that allows access on TCP port 22 (SSH) from a security group identified by the ID "sg-0abcd1234abcd1234". Replace the --protocol, --port and –cidr parameter values with your own values (the command does not produce an output):

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-id sg-0abcd1234abcd1234
	--protocol tcp
	--port 22
	--cidr 0.0.0.0/0

02 Repeat step no. 1 to update other security groups with non-compliant access configurations, associated with your Amazon EKS clusters.

03 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.