Description:

Amazon Elastic Kubernetes Service (EKS) allows you to create clusters with private endpoints. This means that the Kubernetes API server will only be accessible from within your VPC. This can help to improve security by preventing unauthorized access to the API server.

Rationale:

By default, EKS clusters are created with public access enabled. This means that the Kubernetes API server endpoint is reachable from the public internet. This can be a security risk, as it lets anyone on the internet connect to the API server endpoint.

Impact:

Enabling private endpoints for EKS clusters and disabling public access will help to improve the security of your clusters. This will make it more difficult for unauthorized users to access the API server.

Default Value:

By default, EKS clusters are created with public access enabled. You must explicitly enable private endpoints and disable public access.

Pre-Requisite:

To follow this policy, you will need to have access to the AWS Management Console or the AWS CLI. You will also need to know the VPC that you want to use for the EKS cluster.

Remediation Steps:

To remediate this issue, you can follow these steps:

  1. In the AWS Management Console, go to the EKS page.
  2. Select the cluster that you want to update.
  3. Click the Networking tab.
  4. For Private endpoint, select Enabled.
  5. For Public access, select Disabled.
  6. Click Save.

Test Plan:

To test that the policy has been implemented correctly, you can use the following steps:

  1. Check the EKS cluster logs to see if the private endpoint is being used.
  2. Verify that you cannot access the Kubernetes API server from outside of the VPC.

Implementation Plan:

The steps to implement this policy are:

  1. Identify the EKS clusters that are not created with private endpoints enabled and public access disabled.
  2. Enable private endpoints and disable public access for the EKS clusters.
  3. Test that the policy has been implemented correctly.

AWS CLI Process:

To enable private endpoints and disable public access for an EKS cluster using the AWS CLI, you can use the following command:

aws eks update-cluster-config --name my-cluster --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
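The Implementation Plan above (identify clusters with the wrong endpoint settings, then apply the CLI change) as an added Python example; this is not part of the original policy text. It audits describe-cluster output offline against constructed sample clusters and renders the update-cluster-config command for each finding; the fetch_live_clusters helper assumes boto3 is installed with working credentials and is only needed against a real account.

```python
"""Audit EKS API endpoint exposure from describe-cluster output and render the fix."""

def endpoint_findings(cluster):
    """Return policy violations for one describe-cluster 'cluster' object (empty = compliant)."""
    vpc = cluster.get("resourcesVpcConfig", {})
    findings = []
    # A missing key is treated conservatively: public on, private off (the EKS defaults).
    if vpc.get("endpointPublicAccess", True):
        cidrs = ", ".join(vpc.get("publicAccessCidrs", ["0.0.0.0/0"]))
        findings.append(f"public endpoint enabled (allowed CIDRs: {cidrs})")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("private endpoint disabled")
    return findings

def audit(clusters):
    """Map each non-compliant cluster name to its findings."""
    return {c["name"]: f for c in clusters if (f := endpoint_findings(c))}

def remediation_command(name):
    """The AWS CLI call that enables the private endpoint and disables public access."""
    return (f"aws eks update-cluster-config --name {name} "
            "--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true")

def fetch_live_clusters(region):
    """Pull real describe-cluster output; boto3 is imported lazily so the audit runs offline."""
    import boto3  # assumption: boto3 is installed and AWS credentials are configured
    eks = boto3.client("eks", region_name=region)
    names = [n for page in eks.get_paginator("list_clusters").paginate() for n in page["clusters"]]
    return [eks.describe_cluster(name=n)["cluster"] for n in names]

# Constructed sample describe-cluster responses; these are not real clusters.
SAMPLE_CLUSTERS = [
    {"name": "prod-private", "resourcesVpcConfig": {
        "endpointPublicAccess": False, "endpointPrivateAccess": True}},
    {"name": "dev-public", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"]}},
    # Private endpoint on but public still open (CIDR-restricted): still a finding.
    {"name": "legacy-both", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.0/24"]}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLUSTERS).items():
        print(f"{name}: {'; '.join(findings)}")
        print(f"  fix: {remediation_command(name)}")
```

The update is asynchronous; re-run the audit on fresh describe-cluster output after the cluster status returns to ACTIVE to confirm the change took effect.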

Using AWS GUI:

To enable private endpoints and disable public access for an EKS cluster using the AWS GUI, you can follow these steps:

  1. Go to the AWS Management Console.
  2. Click on the EKS service.
  3. Click on the Clusters tab.
  4. Select the cluster that you want to update.
  5. Click on the Networking tab.
  6. For Private endpoint, select Enabled.
  7. For Public access, select Disabled.
  8. Click on the Save button.

Backout Plan:

To revert the changes that you made to the private endpoint configuration of an EKS cluster, you can follow these steps:

  1. In the AWS Management Console, go to the EKS page.
  2. Select the cluster that you want to update.
  3. Click the Networking tab.
  4. For Private endpoint, select Disabled.
  5. For Public access, select Enabled.
  6. Click Save.

Note:

  • You can also use the AWS CLI or the AWS GUI to enable private endpoints and disable public access for all EKS clusters in your account.
  • If you disable private endpoints or enable public access, you will lose the ability to restrict access to the Kubernetes API server to your VPC.

Reference:

  • AWS documentation on EKS private endpoints: https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html

Section 2:

  • Tags: security, EKS, private endpoint, public access
  • Keywords: remediation, backout, policy, cluster