
EKS Cluster Endpoint Public Access


Risk Level: Medium (should be achieved)
Rule ID: EKS-001

Ensure that your Amazon EKS cluster has private endpoint access enabled and that the Kubernetes API server endpoint is not publicly accessible from the Internet, in order to avoid exposing private data and to minimize security risks. The level of access to your Kubernetes API server endpoints depends on your EKS application use cases; however, for most use cases Cloud Conformity recommends that private endpoint access be enabled and that the API server endpoints be accessible only from within your AWS Virtual Private Cloud (VPC). Enabling private endpoint access is a mandatory control required by CIS Amazon EKS Benchmark v1.8.0 (5.4.1).

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

Security

During each cluster launch, Amazon EKS creates an endpoint for the managed Kubernetes API server that you can use to communicate with your newly created cluster. By default, this API server endpoint, managed by AWS EKS, can be accessed directly from outside your Virtual Private Cloud (VPC), so any machine on the Internet can reach your EKS cluster through its public endpoint, which increases the opportunity for malicious activity and attacks. To follow security best practices, you can completely disable public access to your API server endpoint so that it is no longer reachable from the Internet.


Audit

To determine if your Amazon EKS cluster endpoints are publicly accessible, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EKS console at https://console.aws.amazon.com/eks/.

  3. In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

  4. Click on the name (link) of the Amazon EKS cluster that you want to examine.

  5. Select the Networking tab to access the networking settings available for the selected cluster.

  6. Check the API server endpoint access and Public access source allowlist attributes to determine if the cluster endpoint is exposed to the Internet. If the API server endpoint access is set to Public only (i.e., private endpoint access is not enabled), the cluster is non-compliant. Additionally, if the API server endpoint access is set to Public or Public and private and the Public access source allowlist is set to 0.0.0.0/0 (open to all traffic), the selected Amazon EKS cluster API server endpoint is publicly accessible from any source address and prone to security risks.

  7. Repeat steps no. 4 – 6 for each Amazon EKS cluster deployed within the current AWS region.

  8. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run the list-clusters command (OSX/Linux/UNIX) with custom query filters to list the names of all Amazon EKS clusters available in the selected AWS region:

    aws eks list-clusters \
        --region us-east-1 \
        --output table \
        --query 'clusters'
    
  2. The command output should return a table with the requested EKS cluster identifiers:

    -------------------------
    |     ListClusters      |
    +-----------------------+
    |  cc-eks-mobile-app    |
    |  cc-eks-kube-stack    |
    +-----------------------+
    
  3. Run the describe-cluster command (OSX/Linux/UNIX) using the name of the Amazon EKS cluster that you want to examine as the identifier parameter and custom query filters to describe the Kubernetes API server endpoint access configuration and public access allowlist values available for the selected cluster:

    aws eks describe-cluster \
        --region us-east-1 \
        --name cc-eks-mobile-app \
        --query 'cluster.resourcesVpcConfig.{endpointPublicAccess: endpointPublicAccess, endpointPrivateAccess: endpointPrivateAccess, publicAccessCidrs: publicAccessCidrs}'
    
  4. The command output should return the requested endpoint access configuration information:

    {
    	"endpointPublicAccess": true,
    	"endpointPrivateAccess": false,
    	"publicAccessCidrs": [
    		"0.0.0.0/0"
    	]
    }
    

    If the "endpointPrivateAccess" attribute value is set to false, or the "endpointPublicAccess" attribute value is set to true and the "publicAccessCidrs" attribute value includes "0.0.0.0/0", as shown in the output example above, the selected Amazon EKS cluster is non-compliant.

  5. Repeat steps no. 3 and 4 for each Amazon EKS cluster deployed in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
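The CLI audit above can be scripted so that the non-compliance test from step 4 is applied to every cluster in a region. This is an added example, not part of the original Conformity rule page: it runs the same list-clusters and describe-cluster commands through the AWS CLI (assumed to be installed and credentialed) and classifies each cluster's resourcesVpcConfig exactly as the rule describes. The sample configurations embedded below are constructed to mirror the step 4 output and are not from a real account.

```python
import ipaddress
import json
import subprocess


def evaluate_endpoint_access(vpc_config):
    """Apply rule EKS-001 to one cluster's resourcesVpcConfig block.

    Non-compliant when private endpoint access is disabled, or when public
    endpoint access is enabled and the allowlist contains 0.0.0.0/0.
    Returns (compliant, reasons).
    """
    reasons = []
    if not vpc_config.get("endpointPrivateAccess", False):
        reasons.append("private endpoint access is disabled")
    if vpc_config.get("endpointPublicAccess", False):
        # A prefix length of 0 is the "open to all traffic" case (0.0.0.0/0).
        open_cidrs = [c for c in vpc_config.get("publicAccessCidrs", [])
                      if ipaddress.ip_network(c, strict=False).prefixlen == 0]
        if open_cidrs:
            reasons.append(f"public endpoint allows any source address ({', '.join(open_cidrs)})")
    return (not reasons, reasons)


def _aws(*args):
    """Run one AWS CLI command (the same ones used in the audit steps) and parse its JSON."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_region(region):
    """Steps 1-5 of the CLI audit for one region: {cluster name: (compliant, reasons)}."""
    results = {}
    for name in _aws("eks", "list-clusters", "--region", region)["clusters"]:
        cluster = _aws("eks", "describe-cluster", "--region", region, "--name", name)["cluster"]
        results[name] = evaluate_endpoint_access(cluster["resourcesVpcConfig"])
    return results


# Constructed samples (not real clusters): the first mirrors the step 4 output.
SAMPLE_OPEN = {"endpointPublicAccess": True, "endpointPrivateAccess": False,
               "publicAccessCidrs": ["0.0.0.0/0"]}
SAMPLE_RESTRICTED = {"endpointPublicAccess": True, "endpointPrivateAccess": True,
                     "publicAccessCidrs": ["123.123.123.123/32"]}

if __name__ == "__main__":
    import sys
    for region in sys.argv[1:] or ["us-east-1"]:  # step 6: pass every region to audit
        for name, (ok, reasons) in audit_region(region).items():
            print(f"{region} {name}: " + ("COMPLIANT" if ok else "NON-COMPLIANT: " + "; ".join(reasons)))
```

Run it as `python audit_eks_endpoints.py us-east-1 eu-west-1` to cover several regions in one pass; the AWS CLI paginates list-clusters automatically.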

Remediation / Resolution

To reconfigure the visibility of your Amazon EKS cluster API server endpoints to the Internet in order to disable public accessibility, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EKS console at https://console.aws.amazon.com/eks/.

  3. In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

  4. Click on the name (link) of the Amazon EKS cluster that you want to reconfigure.

  5. Select the Networking tab and choose Manage networking to edit the networking configuration settings for the selected cluster.

  6. For Cluster endpoint access, choose one of the following options:

    1. Select Private to ensure that the cluster endpoint access and worker node traffic stays within your VPC only, thus minimizing the security risks. Enabling private endpoint access is mandatory for CIS Amazon EKS Benchmark v1.8.0 (5.4.1) compliance (Recommended). Choose Save changes to apply the changes.
    2. Select Public and private to enable the cluster endpoint public access from certain source addresses outside your VPC, but also retain worker node traffic inside your VPC. Choose Advanced settings and enter the specific source IP address(es) you wish to allow access. Ensure that you configure the rule settings to safelist your chosen source IP address(es) on your Trend Cloud One™ – Conformity account console. Choose Save changes to apply the changes.
    3. While not recommended, if your use case requires allowing public access from specific source addresses and directing worker node traffic to a public endpoint, select Public. Choose Advanced settings and enter the specific source IP address(es) you wish to allow access. Ensure that you configure the rule settings to safelist your chosen source IP address(es) on your Conformity account console. Choose Save changes to apply the changes.
  7. Repeat steps no. 4 – 6 for each Amazon EKS cluster available within the current AWS region.

  8. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Run the update-cluster-config command (OSX/Linux/UNIX) using the name of the Amazon EKS cluster that you want to reconfigure as the identifier parameter, to disable public access for the selected EKS cluster's Kubernetes API server endpoint and enable private access so that the API server can be reached only from within your VPC (the value is single-quoted so the shell does not interpret the brackets and quotes in the CIDR list):

    aws eks update-cluster-config \
        --region us-east-1 \
        --name cc-eks-mobile-app \
        --resources-vpc-config 'endpointPublicAccess=false,endpointPrivateAccess=true,publicAccessCidrs=["123.123.123.123/32"]'
    
  2. The command output should return the information available for the new API server endpoint access configuration:

    {
    	"update": {
    		"status": "InProgress",
    		"errors": [],
    		"params": [
    			{
    				"type": "EndpointPublicAccess",
    				"value": "false"
    			},
    			{
    				"type": "EndpointPrivateAccess",
    				"value": "true"
    			},
    			{
    				"type": "PublicAccessCidrs",
    				"value": "[\"123.123.123.123/32\"]"
    			}
    		],
    		"type": "EndpointAccessUpdate",
    		"id": "abcd1234-abcd-abcd-abcd-1234abcd1234",
    		"createdAt": 1567589177.445
    	}
    }
    
  3. Run describe-update command (OSX/Linux/UNIX) to confirm the configuration changes performed at the previous step. The EKS cluster API server endpoint access configuration update is complete when the update process status is set to "Successful":

    aws eks describe-update \
        --region us-east-1 \
        --name cc-eks-mobile-app \
        --update-id abcd1234-abcd-abcd-abcd-1234abcd1234 \
        --query 'update.status'
    
  4. The command output should return the requested update status:

    "Successful"
    
  5. Repeat steps no. 1 – 4 for each Amazon EKS cluster available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.


Publication date Sep 11, 2019