
Rule: EKS Clusters Endpoint Should Restrict Public Access

This rule ensures that the EKS cluster endpoint restricts public access, reducing the cluster's exposure to the internet.

Rule: EKS clusters endpoint should restrict public access
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description

The rule requires that the endpoint of each EKS (Elastic Kubernetes Service) cluster restrict public access, as called for by the NIST Cybersecurity Framework (CSF) v1. A cluster endpoint reachable from any internet address exposes the Kubernetes API to the whole internet, so restricting it is important for the confidentiality and integrity of the clusters.

Troubleshooting Steps

If there are issues with restricting public access to the EKS clusters' endpoint, you can follow these troubleshooting steps:

  1. Check the current security group configuration for the EKS clusters.
  2. Verify whether any inbound rules allow public access to the endpoint.
  3. Verify that the outbound rules are configured correctly to restrict public access.
  4. Make sure that the network access control list (ACL) associated with the subnet allows the necessary traffic.
  5. Check whether any network load balancer, application load balancer, or ingress controller is misconfigured in a way that allows public access.
  6. Validate that the Kubernetes network policies are correctly set up to restrict public access.
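Steps 1 and 2 above amount to scanning the cluster's security groups for inbound rules whose source is the whole internet. The following script is an added example, not Cloud Defense's own rule logic: it walks the JSON shape returned by `aws ec2 describe-security-groups` and reports every inbound rule sourced from 0.0.0.0/0 or ::/0. The response embedded below is constructed (the group ids are placeholders), so the script runs offline; in practice you would load the real CLI output with `json.load()`.

```python
"""Flag security group inbound rules that admit traffic from the whole internet.

Added example (not Cloud Defense's rule implementation). Input is the JSON
returned by `aws ec2 describe-security-groups`; the sample below is constructed.
"""

# Any rule citing one of these source ranges is a public-access rule.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def public_ingress_rules(response):
    """Return (group_id, protocol, from_port, to_port, cidr) for every inbound
    rule whose source range is the entire IPv4 or IPv6 internet."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            # IpProtocol "-1" means all protocols; FromPort/ToPort are then absent.
            proto = perm.get("IpProtocol", "-1")
            from_port = perm.get("FromPort", "all")
            to_port = perm.get("ToPort", "all")
            ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if cidr in PUBLIC_CIDRS:
                    findings.append((sg["GroupId"], proto, from_port, to_port, cidr))
    return findings


# Constructed sample: one cluster security group with a rule open to the
# world on 443 and a second rule that only trusts a peer security group
# (the shape the remediation steps leave behind). Ids are placeholders.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "eks-cluster-sg-example",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 443,
                    "ToPort": 443,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [],
                    "UserIdGroupPairs": [],
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": 443,
                    "ToPort": 443,
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}],
                },
            ],
        }
    ]
}

if __name__ == "__main__":
    for gid, proto, lo, hi, cidr in public_ingress_rules(SAMPLE_RESPONSE):
        print(f"{gid}: {proto} {lo}-{hi} open to {cidr}")
```

Only the first rule is reported; the second, which names a source security group instead of a CIDR, is the form the "Necessary Codes" command below produces. Rules found this way are removed with `aws ec2 revoke-security-group-ingress` using the same group id, protocol, port and `--cidr` values the finding lists.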

Necessary Codes

The following configuration and commands need to be applied to restrict public access to the EKS cluster endpoint.

  1. Create/update Kubernetes network policies:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-public-access
  # NetworkPolicy is namespaced: apply it in every namespace that hosts workloads.
spec:
  # Empty selector: the policy applies to every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
  # Only the listed private (RFC 1918) source ranges may reach the pods;
  # any source not matched here, including public addresses, is denied.
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/8
        - ipBlock:
            cidr: 172.16.0.0/12
        - ipBlock:
            cidr: 192.168.0.0/16

This policy selects every pod in the namespace and allows ingress only from the private address ranges listed, so traffic from any other source, including public IP addresses, is denied. Note that a NetworkPolicy governs traffic to pods rather than to the EKS control-plane endpoint itself, and it is enforced only when the cluster runs a network policy engine (the Amazon VPC CNI with network policy enabled, or Calico).

  2. Configure security group rules for the EKS clusters:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --source-group <source-security-group-id>

This command adds an inbound rule that accepts traffic on the given port only from the named source security group. It does not remove existing rules that allow 0.0.0.0/0; those must be revoked separately (step 3 of the remediation guide) or public access remains open.

Step-by-Step Guide for Remediation

Follow these step-by-step instructions to remediate the issue and restrict public access to the EKS clusters' endpoint:

  1. Identify the EKS cluster that needs to be secured.
  2. Review the current security group configuration associated with the cluster.
  3. Update the security group to remove any existing inbound rules allowing public access to the required ports (e.g., 80, 443).
  4. Implement network policies to deny all incoming traffic from any IP block except for private addresses.
     • Create a YAML file with the provided code snippet for the network policy.
     • Apply the network policy using the following command:
       kubectl apply -f network_policy.yaml
  5. Validate that the network policies are correctly applied:
     kubectl get networkpolicy
     Ensure that the "deny-public-access" network policy is present and has the desired pod selector and ingress rules.
  6. Update the security group associated with the EKS cluster to authorize inbound traffic only from specific security groups, if required.
     • Use the provided CLI command, replacing <security-group-id> and <source-security-group-id> with the appropriate values.
     • Repeat this step for each required port.
  7. Test access by attempting to connect to the EKS cluster's endpoint from a public IP address, and verify that the connection is denied.
  8. Repeat the steps for each EKS cluster that needs public access restriction.

By following these steps, you will successfully restrict public access to the EKS cluster's endpoint, meeting the requirements of the NIST Cybersecurity Framework (CSF) v1.
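The remediation above works at the security group and pod level; the EKS cluster endpoint itself also carries its own access settings (`endpointPublicAccess`, `endpointPrivateAccess` and `publicAccessCidrs` under `resourcesVpcConfig`), which is where step 7's "connection denied" result is ultimately decided. The script below is an added example, not Cloud Defense's rule implementation: it evaluates the `cluster` object returned by `aws eks describe-cluster` and reports whether the endpoint is open to the world and whether turning public access off would strand in-VPC clients. The three cluster objects are constructed; the cluster names and the 203.0.113.0/24 range are placeholders.

```python
"""Evaluate an EKS cluster's endpoint access settings.

Added example (not Cloud Defense's rule logic). Input is the `cluster` object
from `aws eks describe-cluster`; the sample clusters below are constructed.
"""

WORLD = {"0.0.0.0/0", "::/0"}


def evaluate_endpoint_access(cluster):
    """Return (compliant, findings) for one describe-cluster 'cluster' object.

    Non-compliant when the public endpoint is enabled and reachable from a
    world-open CIDR. Findings also note states a practitioner must handle
    before changing the setting."""
    vpc = cluster.get("resourcesVpcConfig", {})
    public = vpc.get("endpointPublicAccess", True)     # EKS default: True
    private = vpc.get("endpointPrivateAccess", False)  # EKS default: False
    cidrs = set(vpc.get("publicAccessCidrs", ["0.0.0.0/0"]))
    findings = []
    world_open = bool(public and cidrs & WORLD)
    if world_open:
        findings.append("NON_COMPLIANT: public endpoint is reachable from any address")
    elif public:
        findings.append(f"NOTE: public endpoint enabled but limited to {sorted(cidrs)}")
    if public and not private:
        # Nodes and in-VPC tooling reach the API over the public endpoint when the
        # private one is off; enable private access first, then disable public.
        findings.append("NOTE: private endpoint disabled; enable it before turning off public access")
    return (not world_open, findings)


# Constructed samples (names are placeholders).
DEFAULT_CLUSTER = {
    "name": "example-default",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
}
REMEDIATED_CLUSTER = {
    "name": "example-private",
    "resourcesVpcConfig": {
        "endpointPublicAccess": False,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
}
RESTRICTED_CLUSTER = {
    "name": "example-restricted",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.0/24"],  # placeholder corporate range
    },
}

if __name__ == "__main__":
    for c in (DEFAULT_CLUSTER, REMEDIATED_CLUSTER, RESTRICTED_CLUSTER):
        ok, notes = evaluate_endpoint_access(c)
        print(c["name"], "COMPLIANT" if ok else "NON_COMPLIANT", notes)
```

Against a real cluster, read the settings with `aws eks describe-cluster --name <cluster-name> --query cluster.resourcesVpcConfig` and change them with `aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true`. Enable the private endpoint before disabling the public one, as the script's second note reminds you, or worker nodes and in-VPC administrators lose the API server along with the public.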
