Description:
Amazon Elastic Kubernetes Service (EKS) exposes the Kubernetes API server of each cluster through a managed control plane endpoint; that endpoint is the only way to reach the API server. By default the endpoint is public: it resolves to internet-facing addresses and accepts connections from any source IP (public access CIDR 0.0.0.0/0). Every request must still pass IAM authentication and Kubernetes RBAC, but the API server itself is directly reachable from the internet, so leaked or weak credentials, permissive RBAC bindings, or any future API server vulnerability can be exploited from anywhere.
Rationale:
Enabling the private endpoint and disabling public access keeps all Kubernetes API traffic inside the cluster's VPC and any network connected to it (VPN, AWS Direct Connect, VPC peering). Administrators, CI systems and worker nodes reach the API server over private IP addresses, and the endpoint stops being reachable from the internet, so an attacker needs a foothold in your network before stolen credentials or an API server flaw can be used against the cluster.
Impact:
After the change the Kubernetes API server can only be reached from inside the VPC or a connected network, which protects the cluster from internet-originated access and unauthorized changes. Anyone who currently runs kubectl or CI pipelines from outside the VPC (for example from a laptop on the public internet) loses access until they connect through a VPN, bastion host or peered network. Worker nodes are not affected: with the private endpoint enabled they resolve the API endpoint to private addresses in the VPC. Clients inside the VPC that are not in the cluster security group need an inbound rule for TCP 443 on the cluster security group (or an additional control plane security group) before they can use the private endpoint.
Default Value:
By default a new EKS cluster has public endpoint access enabled with a public access CIDR of 0.0.0.0/0 and private endpoint access disabled. You must explicitly change both settings; EKS rejects a configuration in which both endpoint types are disabled, so the private endpoint has to be enabled before, or together with, disabling public access.
Pre-Requisite:
To follow this policy you need the AWS Management Console or the AWS CLI, with IAM permission for eks:DescribeCluster and eks:UpdateClusterConfig on the target clusters. You also need to know which VPC each cluster runs in and how the people and systems that use kubectl reach that VPC, because after the change the API server can only be reached from inside the VPC or a network connected to it.
Remediation Steps:
To remediate this issue in the console, follow these steps:
- In the AWS Management Console, open the Amazon EKS page and choose Clusters.
- Select the cluster you want to update and open the Networking tab.
- Choose Manage endpoint access.
- For Private access, select Enabled. Do this first or in the same update; a cluster cannot have both endpoint types disabled.
- For Public access, select Disabled.
- Save the change and wait until the cluster status returns to Active. Endpoint changes are applied asynchronously, and only one update can be in progress on a cluster at a time.
Test Plan:
To test that the policy has been implemented correctly, use the following steps:
- Run aws eks describe-cluster --name <cluster> --query cluster.resourcesVpcConfig and confirm that endpointPrivateAccess is true and endpointPublicAccess is false.
- From a host outside the VPC, confirm that the API endpoint hostname is not reachable: a kubectl or curl connection to it must time out. Any HTTP response, even 401 or 403, means the API server is still exposed.
- From a host inside the VPC or a connected network, confirm that the endpoint hostname resolves to private IP addresses of the VPC and that kubectl get nodes succeeds.
- Confirm that the worker nodes stay in the Ready state, which shows they reach the API server over the private endpoint.
Implementation Plan:
The following are the steps to implement this policy:
- Enumerate the EKS clusters in every account and region you operate, and record each cluster's endpointPublicAccess, endpointPrivateAccess and publicAccessCidrs settings.
- For each non-compliant cluster, confirm that everyone who uses its API (administrators, CI/CD runners, monitoring) can reach the VPC privately, then enable the private endpoint and disable public access.
- Test that the policy has been implemented correctly, and add the check to continuous monitoring so that new clusters are caught.
AWS CLI Process:
To enable the private endpoint and disable public access for an EKS cluster with the AWS CLI, use update-cluster-config (there is no update-cluster command, and the endpoint flags belong to the --resources-vpc-config parameter):
aws eks update-cluster-config --name my-cluster --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
The command returns an update ID immediately; the change itself is applied asynchronously. Poll it with aws eks describe-update --name my-cluster --update-id <id> until the status is Successful before running the test plan. Only one update can be in progress on a cluster at a time, and the API rejects a configuration in which both endpoint types are disabled, so set both flags in the same call as shown.
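The implementation plan, the CLI command and the test plan can be driven from one script. The following is an added example written for this page, not code from AWS or from the original document. It assumes AWS CLI v2 with credentials allowed to call eks:ListClusters, eks:DescribeCluster, eks:UpdateClusterConfig and eks:DescribeUpdate; the audit/remediate/verify subcommand names and the 15-second polling interval are this script's own choices.

```shell
#!/usr/bin/env bash
# Audit, remediate and verify EKS control plane endpoint exposure with the AWS CLI.
# Added example for this page (not AWS code). Assumes AWS CLI v2 and credentials
# for eks:ListClusters, eks:DescribeCluster, eks:UpdateClusterConfig and
# eks:DescribeUpdate. The audit/remediate/verify subcommands are this script's
# own convention.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Policy check. Arguments are endpointPublicAccess and endpointPrivateAccess as
# printed by `aws ... --output text` (True/False); matching is case-insensitive.
# Returns 0 only when public access is off AND private access is on.
endpoint_compliant() {
  [ "$(lower "$1")" = "false" ] && [ "$(lower "$2")" = "true" ]
}

# Step 1 of the implementation plan: list every cluster in the current region
# and report the ones that violate the policy.
audit_clusters() {
  for c in $(aws eks list-clusters --query 'clusters[]' --output text); do
    # One tab-separated line: "<endpointPublicAccess> <endpointPrivateAccess>"
    set -- $(aws eks describe-cluster --name "$c" \
      --query 'cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess]' \
      --output text)
    if endpoint_compliant "$1" "$2"; then
      printf 'COMPLIANT     %s\n' "$c"
    else
      printf 'NONCOMPLIANT  %s (publicAccess=%s privateAccess=%s)\n' "$c" "$1" "$2"
    fi
  done
}

# Step 2: enable the private endpoint and disable public access in a single
# update (EKS rejects a configuration with both disabled), then wait for the
# asynchronous update to finish. Only one update per cluster may be in progress.
remediate_cluster() {
  update_id=$(aws eks update-cluster-config --name "$1" \
    --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true \
    --query 'update.id' --output text)
  status=InProgress
  while [ "$status" = "InProgress" ]; do
    sleep 15
    status=$(aws eks describe-update --name "$1" --update-id "$update_id" \
      --query 'update.status' --output text)
    echo "update $update_id: $status"
  done
  [ "$status" = "Successful" ]
}

# Step 3 (test plan): show the recorded settings and probe reachability from the
# host running this script. After remediation a probe from outside the VPC must
# time out; any HTTP status, even 401 or 403, means the API server is exposed.
verify_cluster() {
  aws eks describe-cluster --name "$1" \
    --query 'cluster.resourcesVpcConfig.{public:endpointPublicAccess,private:endpointPrivateAccess,cidrs:publicAccessCidrs}' \
    --output table
  endpoint=$(aws eks describe-cluster --name "$1" --query 'cluster.endpoint' --output text)
  # -k: the endpoint certificate is signed by the cluster CA, and only reachability
  # matters here. curl prints 000 when no HTTP response arrives within 5 seconds.
  code=$(curl -sS -k -m 5 -o /dev/null -w '%{http_code}' "$endpoint/version" || true)
  if [ "${code:-000}" = "000" ]; then
    echo "$endpoint not reachable from this host (expected when outside the VPC)"
  else
    echo "$endpoint reachable from this host (HTTP $code)"
  fi
}

case "${1:-}" in
  audit)     audit_clusters ;;
  remediate) remediate_cluster "$2" ;;
  verify)    verify_cluster "$2" ;;
  *)         echo "usage: $0 audit | remediate <cluster-name> | verify <cluster-name>" >&2 ;;
esac
```

Run `audit` in each region (set AWS_REGION or --region through AWS_DEFAULT_REGION) to produce the inventory, `remediate <name>` per non-compliant cluster, and `verify <name>` once from a host outside the VPC (expect "not reachable") and once from inside it (expect an HTTP status and a working kubectl). The backout is the same update-cluster-config call with endpointPublicAccess=true; if you do re-enable public access, add publicAccessCidrs with your known source addresses rather than the default 0.0.0.0/0.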
Using AWS GUI:
To enable the private endpoint and disable public access for an EKS cluster in the AWS Management Console, follow these steps:
- Go to the AWS Management Console and open the Amazon EKS service.
- Choose Clusters and select the cluster you want to update.
- Open the Networking tab and choose Manage endpoint access.
- For Private access, select Enabled.
- For Public access, select Disabled.
- Save the change and wait for the cluster status to return to Active before testing.
Backout Plan:
To revert the endpoint configuration of an EKS cluster (for example if clients that cannot reach the VPC privately were missed), follow these steps:
- In the AWS Management Console, open the Amazon EKS page and choose Clusters.
- Select the cluster you want to update, open the Networking tab and choose Manage endpoint access.
- For Public access, select Enabled. Prefer restricting the public access CIDRs to the known source addresses that need access instead of the default 0.0.0.0/0.
- For Private access, select Disabled only if you need the original state; leaving it enabled keeps worker node traffic inside the VPC and causes no harm.
- Save the change and wait for the cluster status to return to Active.
Note:
- There is no single setting that covers every cluster in an account. To apply the policy everywhere, list the clusters with aws eks list-clusters in each region and update each one, and enforce it continuously with the AWS Config managed rule eks-endpoint-no-public-access or an equivalent check in your infrastructure-as-code pipeline.
- If public access must stay enabled for a transition period, restrict it with publicAccessCidrs to known source addresses instead of 0.0.0.0/0. Disabling the private endpoint while public access is enabled also sends worker node traffic to the API server out of the VPC, so keep the private endpoint enabled in any configuration.
Reference:
- AWS documentation on EKS cluster endpoint access control: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
- AWS documentation on EKS private clusters: https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html
Section 2:
- Tags: security, EKS, private endpoint, public access
- Keywords: remediation, backout, policy, cluster