This rule checks that the Kubernetes API server endpoint of an Amazon EKS cluster is not reachable from arbitrary internet addresses: the public endpoint is either disabled in favour of the private (in-VPC) endpoint, or limited to an explicit allow-list of source CIDR blocks.
| Rule | EKS clusters endpoint should restrict public access |
| Framework | NIST 800-171 Revision 2 |
| Severity | High |
NIST 800-171 Revision 2 - EKS Cluster Endpoint Public Access Restriction
Description:
NIST SP 800-171 Revision 2 requires that communications at the boundaries of a system be monitored, controlled and protected (the 3.13 System and Communications Protection family). For an Amazon EKS cluster the boundary that matters is the Kubernetes API server endpoint, because whoever reaches it and authenticates can administer the cluster. EKS exposes the endpoint in two ways: a public endpoint, reachable from the internet and optionally restricted to an allow-list of source CIDR blocks (publicAccessCidrs), and a private endpoint, reachable only from inside the cluster's VPC and from networks connected to it. This rule is satisfied when the public endpoint is disabled, or when it is enabled but limited to specific CIDR blocks rather than 0.0.0.0/0. The strictest configuration, and the one to prefer, is private-only access: the API server is then protected by the network boundary as well as by IAM authentication and Kubernetes RBAC, not by authentication alone.
Potential Impacts:
Failure to restrict public access to the EKS cluster endpoint can result in the following potential impacts:
The Kubernetes API server is reachable from any internet address, so IAM authentication and Kubernetes RBAC are the only barrier between an attacker and full control of the cluster.
A leaked or stolen credential (an IAM access key, a role mapped in aws-auth, a service account token) can be used from anywhere in the world rather than only from inside your network.
The endpoint is exposed to internet-wide scanning and to any flaw in the API server or its authentication path in the window before you can patch it.
The cluster does not meet the NIST 800-171 Revision 2 boundary-protection requirement, and the finding must be remediated or justified during assessment.
Troubleshooting Steps:
Before restricting the endpoint, establish who currently reaches the API server and how, so the change does not lock out legitimate clients. Follow these steps:
Read the current setting with aws eks describe-cluster and inspect resourcesVpcConfig: endpointPublicAccess, endpointPrivateAccess and publicAccessCidrs. A public endpoint whose allow-list contains 0.0.0.0/0 is the non-compliant state this rule flags.
Identify every client of the API server: worker nodes and Fargate pods, CI/CD runners, administrators' kubectl sessions and any third-party integrations. Note which of them sit inside the VPC or a network connected to it (VPN, Direct Connect, peering, bastion host) and which connect across the internet.
Check that the VPC has DNS hostnames and DNS support enabled; the private endpoint depends on both, because EKS resolves the endpoint name to private addresses through a private hosted zone.
Check that the cluster security group allows TCP 443 from any in-VPC host (such as a bastion) that will be used for administration once the public endpoint is gone.
Enable the api, audit and authenticator control-plane log types if they are not already on, so that after the change you can confirm only expected principals are reaching the endpoint.
Code Configuration:
To restrict public access to the EKS cluster endpoint you can use the AWS CLI, the AWS Management Console, eksctl, or infrastructure-as-code (CloudFormation or Terraform). In every case the setting is the cluster's resourcesVpcConfig.
Here is how to configure the EKS cluster endpoint to restrict public access using the AWS CLI:
Open a terminal.
Install and configure the AWS CLI if you haven't done so already; the credentials you use need eks:DescribeCluster and eks:UpdateClusterConfig.
Run the following command to disable the public endpoint and enable the private one. The subcommand is update-cluster-config and the cluster is identified with --name (there is no update-cluster-endpoints subcommand and no --cluster-name option):
aws eks update-cluster-config \
  --region <your_region> \
  --name <your_cluster_name> \
  --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
If some clients genuinely must reach the API server across the internet, keep the public endpoint but limit it to their public egress addresses instead of disabling it:
aws eks update-cluster-config \
  --region <your_region> \
  --name <your_cluster_name> \
  --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs=<allowed_public_CIDR_1>,<allowed_public_CIDR_2>
Replace <your_region> with your AWS region, <your_cluster_name> with the name of your EKS cluster, and each <allowed_public_CIDR_n> with a public CIDR block that is allowed to reach the endpoint. Do not put your VPC's private CIDR block in publicAccessCidrs: the allow-list is evaluated against the source address as seen by the public endpoint, so RFC 1918 ranges never match, and traffic from inside the VPC arrives with the instance's or NAT gateway's public address. Private-network access is what endpointPrivateAccess=true provides.
The update is asynchronous: the command returns an update ID immediately, the cluster status changes to UPDATING, and the new endpoint configuration takes effect a few minutes later. At least one of the two endpoints must remain enabled. With the public endpoint disabled, kubectl has to run from inside the VPC or from a network connected to it (VPN, Direct Connect, peering or a bastion host), and the cluster security group must allow TCP 443 from those hosts; worker nodes and Fargate pods reach the API server through the private endpoint. If instead you leave the private endpoint disabled and rely on a restricted public endpoint, the nodes' NAT gateway addresses must be in the allow-list or the nodes lose contact with the control plane.
Validate the change by running aws eks describe-cluster and confirming that resourcesVpcConfig now shows endpointPublicAccess false (or a publicAccessCidrs list without 0.0.0.0/0) and endpointPrivateAccess true, and that kubectl get nodes still works from an in-VPC host.
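The troubleshooting check and the remediation described above, combined into one script. This is an added example, not part of the original page and not an AWS-provided tool. It assumes AWS CLI v2 with credentials allowed eks:DescribeCluster, eks:UpdateClusterConfig and eks:DescribeUpdate; the cluster name and region are passed as arguments, and the function names are this example's own. The rule evaluation in eks_endpoint_compliant is pure shell, so it can be exercised on constructed values without an AWS account; only eks_endpoint_state and eks_restrict_endpoint call AWS.

```shell
#!/bin/sh
# Added example (not from the original page): audit an EKS cluster's API endpoint
# configuration and, if it is exposed to the internet, move it to private-only access.
# Assumes AWS CLI v2 and credentials with eks:DescribeCluster, eks:UpdateClusterConfig
# and eks:DescribeUpdate. Usage: ./eks-endpoint.sh <cluster-name> <region>
set -eu

# Pure evaluation of the rule, usable on constructed values.
# $1 endpointPublicAccess (true/false), $2 endpointPrivateAccess (true/false),
# $3 publicAccessCidrs as a comma-separated list (may be empty).
# Returns 0 when the rule is satisfied, 1 otherwise, and prints the reason.
eks_endpoint_compliant() {
  public=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  private=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  cidrs=${3:-}
  if [ "$public" != "true" ]; then
    if [ "$private" != "true" ]; then
      echo "non-compliant: neither endpoint is enabled (EKS does not allow this state)"
      return 1
    fi
    echo "compliant: public endpoint disabled, private endpoint enabled"
    return 0
  fi
  # Public endpoint is on: it must carry an explicit allow-list without a catch-all.
  if [ -z "$cidrs" ] || [ "$cidrs" = "None" ]; then
    echo "non-compliant: public endpoint enabled with no source restriction"
    return 1
  fi
  old_ifs=$IFS; IFS=','
  for cidr in $cidrs; do
    case "$cidr" in
      0.0.0.0/0|::/0)
        IFS=$old_ifs
        echo "non-compliant: public endpoint allow-list contains $cidr"
        return 1 ;;
    esac
  done
  IFS=$old_ifs
  echo "compliant: public endpoint limited to $cidrs (private-only would be stricter)"
  return 0
}

# Live configuration of one cluster as three tab-separated fields:
# endpointPublicAccess, endpointPrivateAccess, publicAccessCidrs (comma-joined).
eks_endpoint_state() {
  aws eks describe-cluster --region "$2" --name "$1" --output text \
    --query 'cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess,join(`,`,publicAccessCidrs)]'
}

# Disable the public endpoint, enable the private one, and wait for the
# asynchronous update to finish. Run only after confirming that every
# legitimate client can reach the VPC (see the troubleshooting steps).
eks_restrict_endpoint() {
  update_id=$(aws eks update-cluster-config --region "$2" --name "$1" \
    --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true \
    --query 'update.id' --output text)
  while :; do
    status=$(aws eks describe-update --region "$2" --name "$1" \
      --update-id "$update_id" --query 'update.status' --output text)
    case "$status" in
      InProgress) sleep 20 ;;
      Successful) echo "update $update_id finished: endpoint is now private-only"; return 0 ;;
      *) echo "update $update_id ended with status $status" >&2; return 1 ;;
    esac
  done
}

# Entry point: audit first, remediate only when the rule fails.
if [ "$#" -eq 2 ]; then
  state=$(eks_endpoint_state "$1" "$2")
  public=$(printf '%s\n' "$state" | cut -f1)
  private=$(printf '%s\n' "$state" | cut -f2)
  cidrs=$(printf '%s\n' "$state" | cut -f3)
  if eks_endpoint_compliant "$public" "$private" "$cidrs"; then
    exit 0
  fi
  eks_restrict_endpoint "$1" "$2"
fi
```

Run it as ./eks-endpoint.sh <your_cluster_name> <your_region>. The evaluation is kept separate from the AWS calls so the same logic can be applied to every cluster returned by aws eks list-clusters, and so the decision rule (public disabled, or public allow-list without 0.0.0.0/0 or ::/0) can be tested without touching a live account.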
Remediation Steps:
To remediate the finding and keep the EKS cluster endpoint restricted, follow these steps:
Work through the troubleshooting steps above so that you know every client of the API server and how each one will reach the cluster once the public endpoint is closed.
Apply the update-cluster-config change from the code configuration section: private-only access where possible, otherwise a public endpoint limited to named CIDR blocks. Do this one cluster at a time; EKS applies it as an asynchronous update of the control plane.
After the update completes, confirm with describe-cluster that resourcesVpcConfig is what you intended, and confirm from an in-VPC host that kubectl still works and that the worker nodes remain Ready.
Monitor the cluster for unexpected access. The audit control-plane log in CloudWatch records the user and source IP of every API request, the authenticator log records which IAM principal was mapped to which Kubernetes identity, and CloudTrail records any UpdateClusterConfig call that re-opens the endpoint.
Audit the setting regularly, for example by running the check across every cluster returned by aws eks list-clusters, and treat a public endpoint with 0.0.0.0/0 as a high-severity finding. Setting a private endpoint in the eksctl, CloudFormation or Terraform definition at creation time prevents the finding from recurring in new clusters.
By following these steps you bring the EKS cluster endpoint into line with the NIST 800-171 Revision 2 boundary-protection requirement.
The exact commands may differ with your AWS environment and tooling. Refer to the official Amazon EKS documentation on cluster endpoint access control when in doubt.