Best practice rules for Amazon Elastic Kubernetes Service (EKS)
- Check for the CoreDNS Add-On Version
Ensure that the CoreDNS add-on version matches the EKS cluster's Kubernetes version.
- Disable Remote Access to EKS Cluster Node Groups
Ensure that remote access to EKS cluster node groups is disabled.
- EKS Cluster Endpoint Public Access
Ensure that the AWS EKS cluster endpoint is not publicly accessible, since public access exposes the Kubernetes API to security risks.
- EKS Cluster Node Group IAM Role Policies
Ensure that EKS cluster node groups are using appropriate permissions.
- EKS Security Groups
Ensure that AWS EKS security groups are configured to allow incoming traffic only on TCP port 443.
- Enable CloudTrail Logging for Kubernetes API Calls
Ensure that all Kubernetes API calls are logged using Amazon CloudTrail.
- Enable Cluster Access Management API
Ensure that Cluster Access Management API is enabled for Amazon EKS clusters.
- Enable Envelope Encryption for EKS Kubernetes Secrets
Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled.
- Enable Support for Network Policies
Ensure that EKS clusters are using network policies for proper segmentation and security.
- Ensure EKS Clusters Are Created with Private Nodes
Ensure that Amazon EKS cluster nodes are configured with private IP addresses only, without public IP addresses assigned.
- Ensure EKS Clusters Have Private Endpoint Enabled and Public Access Disabled
Ensure that Amazon EKS clusters are configured with private endpoint access enabled and public endpoint access disabled to restrict Kubernetes API access to within the VPC.
- Kubernetes Cluster Logging
Ensure that EKS control plane logging is enabled for your Amazon EKS clusters.
- Kubernetes Cluster Version
Ensure that the latest version of Kubernetes is installed on your Amazon EKS clusters.
- Monitor Amazon EKS Configuration Changes
Amazon EKS configuration changes have been detected within your Amazon Web Services account.
- Use AWS-Managed Policy to Manage Networking Resources
Ensure that EKS cluster node groups implement the "AmazonEKS_CNI_Policy" managed policy.
- Use AWS-Managed Policy to Access Amazon ECR Repositories
Ensure that EKS cluster node groups implement the "AmazonEC2ContainerRegistryReadOnly" managed policy.
- Use AWS-Managed Policy to Manage AWS Resources
Ensure that Amazon EKS clusters implement the "AmazonEKSClusterPolicy" managed policy.
- Use OIDC Provider for Authenticating Kubernetes API Calls
Ensure that Amazon EKS clusters are using an OpenID Connect (OIDC) provider.