Profile Applicability:

  • Level 1

Description:

Amazon Elastic Kubernetes Service (EKS) is a managed service for running Kubernetes clusters on AWS. By default, a new EKS cluster's Kubernetes API server endpoint is reachable from the internet: public endpoint access is enabled for 0.0.0.0/0 and private (in-VPC) endpoint access is disabled. Every request still has to pass IAM and Kubernetes RBAC authentication, but an internet-reachable control plane is exposed to credential-based attacks, volumetric abuse and any API server vulnerability for the window before it is patched. Restricting the endpoint to private access (or, as an interim step, to an allow-list of trusted CIDR ranges) keeps the management interface reachable only from trusted networks.

This SOP ensures that EKS clusters are restricted from public access and can only be accessed from internal AWS resources or through secured network connections.

Rationale:

Ensuring that EKS clusters are not publicly accessible provides several security benefits:

  • Reduced Attack Surface: Public access to the Kubernetes API increases the potential attack surface. Restricting access to trusted sources reduces the chances of unauthorized access.

  • Enhanced Security: Keeps the API server off the internet, so an external attacker cannot reach it to flood it, brute-force or replay credentials against it, or exploit an unpatched API server vulnerability; authentication and RBAC become a second line of defence rather than the only one.

  • Compliance: Meets security and compliance requirements by ensuring your EKS control plane is not exposed to the internet.

  • Network Isolation: By ensuring that only trusted VPCs or specific IP addresses can access the Kubernetes API server, you improve network isolation and security within your environment.

Impact:

Pros:

  • Increased Security: Restricting the endpoint to trusted networks blocks unauthorized access from anywhere else at the network layer; IAM and RBAC still govern what callers inside those networks may do.

  • Improved Control: Limits control plane access to specific networks, enhancing governance and security monitoring.

  • Compliance: Helps comply with security standards and best practices that require restricting public access to critical infrastructure.

  • Reduced Risk of Exposure: Limits the exposure of sensitive API access to only necessary internal resources.

Cons:

  • Management Complexity: While it enhances security, it may increase complexity by requiring you to manage access controls more carefully, such as configuring VPNs or private network connections.

  • Access Issues for Remote Users: If remote access to the EKS API server is required, it may require additional configuration, such as a VPN or AWS Direct Connect.

Default Value:

A new cluster, whether created from the console, the CLI or infrastructure-as-code, gets endpointPublicAccess=true, publicAccessCidrs=["0.0.0.0/0"] and endpointPrivateAccess=false unless the creator changes the endpoint access settings. The API server endpoint is therefore reachable from any internet address by default.

Pre-requisite:

  • AWS IAM Permissions:

    • eks:ListClusters

    • eks:DescribeCluster

    • eks:UpdateClusterConfig

    • eks:DescribeUpdate

    • eks:CreateCluster (only when creating new clusters with the compliant setting)

  • AWS CLI installed and configured.

  • An active Amazon EKS cluster.

  • VPC configuration and security group setup: the cluster VPC has DNS hostnames and DNS resolution enabled (required for the private endpoint to resolve), and every client that must keep reaching the API server (worker nodes, bastion hosts, CI/CD runners, VPN or Direct Connect users) is inside the VPC or has a network path into it that the cluster security group allows on TCP 443.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EKS under Services.

  3. Select the EKS cluster to check its access settings.

  4. On the Networking tab, check the API server endpoint access setting.

    • Private: compliant.

    • Public, or Public and private: non-compliant. Also note the allowed public access CIDRs; 0.0.0.0/0 means any internet address can reach the API server.

  5. If the endpoint is public, remediate by choosing Manage endpoint access and selecting Private (see Implementation Steps).

  6. Confirm that the cluster security group allows TCP 443 only from the VPC CIDR or other trusted ranges, and that the VPC has DNS hostnames and DNS resolution enabled so the private endpoint resolves from inside the VPC.

Using AWS CLI:

To check the endpoint access configuration of a cluster, run:

aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.{public:endpointPublicAccess,private:endpointPrivateAccess,cidrs:publicAccessCidrs}"

The cluster is non-compliant if public is true. A public endpoint whose cidrs list is ["0.0.0.0/0"] is open to the entire internet; a list of specific trusted ranges is an improvement but still leaves the API server on the internet. To make sure no cluster in the region is missed, list them first:

aws eks list-clusters --query "clusters[]" --output text

To disable public access, enable the private endpoint in the same update (EKS rejects a configuration that disables both endpoints) and wait for the asynchronous update to finish:

aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

aws eks wait cluster-active --name <cluster-name>

To confirm that public access is disabled, run:

aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPublicAccess"

The output should now be false, indicating that the public endpoint is disabled.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon EKS.

  2. In the EKS Dashboard, select the EKS cluster you want to modify.

  3. Before changing anything, confirm that worker nodes and every administrative client can reach the API server over the private endpoint: they must be in the cluster VPC (or connected to it through VPN, Direct Connect or peering), the cluster security group must allow them on TCP 443, and the VPC must have DNS hostnames and DNS resolution enabled.

  4. Open the Networking tab and choose Manage endpoint access.

  5. Select Private so that the API server is reachable only from the cluster VPC, then save. (Public and private with the public access CIDRs narrowed to trusted ranges is an acceptable interim step while remote clients are moved onto a private path, but it does not satisfy this control.)

  6. Wait for the cluster status to return to Active, then verify that the endpoint access shows Private and that kubectl from outside the VPC no longer connects.

Using AWS CLI:

Run the following command to disable public access. The private endpoint must be enabled in the same update, because EKS will not leave a cluster with no endpoint enabled:

aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

The update is asynchronous; wait for it to complete before verifying:

aws eks wait cluster-active --name <cluster-name>

To confirm that public access has been disabled, run:

aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPublicAccess"

The expected output is false.

Backout Plan:

If disabling public access breaks a client that cannot yet reach the private endpoint (for example a CI/CD runner outside the VPC), re-enable the public endpoint while keeping the private endpoint enabled, and restrict the public endpoint to the source ranges that need it rather than 0.0.0.0/0.

Console Process

  1. Check Cluster Endpoint Access:

    • Go to the Amazon EKS Console.

    • Select your EKS cluster and open the Networking tab.

    • Check the API server endpoint access settings.

  2. Update Access Settings:

    • Choose Manage endpoint access and select Public and private.

    • Under the public access CIDRs, enter only the trusted source ranges; fall back to 0.0.0.0/0 only if there is no alternative, and only for as long as the issue takes to resolve.

    • Save the changes and wait for the cluster status to return to Active.

CLI Process

View Current Endpoint Access Settings:

aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig"

Re-enable the public endpoint, restricted to a trusted source range (replace the placeholder with your own CIDR):

aws eks update-cluster-config \
--region <region> \
--name <cluster-name> \
--resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs="<trusted-cidr>"

aws eks wait cluster-active --region <region> --name <cluster-name>

Verify Changes:

aws eks describe-cluster --region <region> --name <cluster-name> --query "cluster.resourcesVpcConfig"
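The check from the Test Plan, the remediation from the Implementation Steps and the CIDR-restricted re-enable from the Backout Plan, combined into one script. This is an added example for this SOP, not AWS, CIS or project code. It works on the cluster object that aws eks describe-cluster (or boto3's describe_cluster) returns, so the assessment functions need no network access; the three sample clusters (demo-open, demo-allowlisted, demo-private) are constructed for the offline dry run, and the --live mode assumes boto3 is installed with credentials for the target region.

```python
"""Audit EKS API server endpoint exposure and build the update-cluster-config
payloads used by this SOP. Added example; not AWS, CIS or project code."""
from __future__ import annotations

import ipaddress
import sys
from typing import Optional


def _is_whole_internet(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. an allow-list that restricts nothing."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def assess_endpoint_access(cluster: dict) -> str:
    """Classify the 'cluster' object returned by `aws eks describe-cluster`.
    Missing keys fall back to the EKS creation defaults (public on, private
    off, 0.0.0.0/0), so a sparse input is judged as the insecure default."""
    vpc = cluster.get("resourcesVpcConfig", {})
    public = vpc.get("endpointPublicAccess", True)
    private = vpc.get("endpointPrivateAccess", False)
    cidrs = vpc.get("publicAccessCidrs", ["0.0.0.0/0"])
    if not public and private:
        return "PASS: private endpoint only"
    if not public and not private:
        # EKS never stores this state (it rejects the update), so flag the input.
        return "ERROR: neither endpoint enabled (EKS does not allow this)"
    if any(_is_whole_internet(c) for c in cidrs):
        return "FAIL: public endpoint reachable from 0.0.0.0/0"
    state = "enabled" if private else "disabled"
    return f"FAIL: public endpoint reachable from {', '.join(cidrs)} (private endpoint {state})"


def remediation_config(cluster: dict) -> Optional[dict]:
    """resourcesVpcConfig payload that makes the cluster private-only, or None
    when it already is. Both flags go in one update: EKS rejects an update
    that would leave the cluster with no endpoint enabled."""
    vpc = cluster.get("resourcesVpcConfig", {})
    if not vpc.get("endpointPublicAccess", True) and vpc.get("endpointPrivateAccess", False):
        return None
    return {"endpointPublicAccess": False, "endpointPrivateAccess": True}


def backout_config(trusted_cidrs: list[str]) -> dict:
    """Backout payload: re-enable the public endpoint for the listed source
    ranges only, keeping the private endpoint. Refuses an empty or unrestricted
    list so a rollback never quietly restores the 0.0.0.0/0 default."""
    nets = [str(ipaddress.ip_network(c, strict=False)) for c in trusted_cidrs]
    if not nets or any(_is_whole_internet(n) for n in nets):
        raise ValueError("backout needs specific trusted CIDRs, not 0.0.0.0/0")
    return {"endpointPublicAccess": True, "endpointPrivateAccess": True,
            "publicAccessCidrs": nets}


# Constructed describe-cluster fragments for the offline dry run; not real clusters.
SAMPLE_CLUSTERS = [
    {"name": "demo-open", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"]}},
    {"name": "demo-allowlisted", "resourcesVpcConfig": {
        "endpointPublicAccess": True, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.0/24"]}},
    {"name": "demo-private", "resourcesVpcConfig": {
        "endpointPublicAccess": False, "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"]}},  # EKS still reports the CIDR list
]


def audit(clusters: list[dict]) -> dict[str, str]:
    """Cluster name -> verdict, for a list of describe-cluster results."""
    return {c["name"]: assess_endpoint_access(c) for c in clusters}


def main(argv: list[str]) -> int:
    """Dry run by default; --live audits every cluster in the configured
    region (assumes boto3 and credentials); --live --apply also remediates."""
    if "--live" not in argv:
        for name, verdict in audit(SAMPLE_CLUSTERS).items():
            print(f"{name}: {verdict}")
        return 0
    import boto3  # imported here so the offline functions need no AWS SDK
    eks = boto3.client("eks")
    rc = 0
    for page in eks.get_paginator("list_clusters").paginate():
        for name in page["clusters"]:
            cluster = eks.describe_cluster(name=name)["cluster"]
            print(f"{name}: {assess_endpoint_access(cluster)}")
            cfg = remediation_config(cluster)
            if cfg is None:
                continue
            rc = 1  # non-zero exit when any cluster is non-compliant
            if "--apply" in argv:
                eks.update_cluster_config(name=name, resourcesVpcConfig=cfg)
                eks.get_waiter("cluster_active").wait(name=name)  # async update
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments for the offline dry run, with --live to audit every cluster in the configured region (exit status 1 if any is non-compliant), and with --live --apply to remediate. Apply only after the connectivity prerequisites above are met: the moment the update completes, any node or tool still relying on the public address loses the control plane, and the CLI command in the Backout Plan (or backout_config here) is the way to restore it to a restricted allow-list rather than to 0.0.0.0/0.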

Note :

  • VPN or AWS Direct Connect: If remote access to the EKS control plane is required, route it into the cluster VPC through a VPN connection (AWS Client VPN or Site-to-Site VPN), AWS Direct Connect, or a bastion host inside the VPC, rather than re-enabling the public endpoint.

  • Node and tooling connectivity: worker nodes, CI/CD runners and administrators that previously reached the API server over its public address must be able to reach the private endpoint after the change. Establish that path before disabling public access, not after.

  • Testing: after the change, attempt to connect to the API server endpoint from an address outside the VPC, for example curl -sk https://<cluster-endpoint>/version, where the endpoint is the value of aws eks describe-cluster --name <cluster-name> --query "cluster.endpoint". The connection should fail. Any HTTP response from the API server, including the unauthenticated /version answer or a 401/403, shows that the endpoint is still reachable from the internet.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                                  | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                                 |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.       |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                             |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                      |     |     |