Profile Applicability:

  • Level 1

Description:

Ensure that the file permissions for the etcd data directory are set to 700 or more restrictive. This ensures that only the root user or authorized service accounts can read, modify, or traverse the directory, protecting it from unauthorized access or modification.

Rationale:

Setting the file permissions to 700 or more restrictive on the etcd data directory ensures that only the root user (the directory owner) has access to the directory. This is critical for the security of the Kubernetes control plane, as unauthorized access to etcd data could compromise the cluster's data, since etcd stores all cluster state, including Secrets.

Impact:

  • Pros:

    • Enhances security by restricting access to the etcd data directory to only the root user or authorized service accounts.

    • Prevents unauthorized users from accessing or tampering with the etcd data, protecting the integrity of Kubernetes.

  • Cons:

    • If permissions are misconfigured, it may cause operational issues or difficulties during system updates or troubleshooting, especially if necessary access is restricted.

Default Value:

By default, the etcd data directory may not have restrictive file permissions. Manual configuration is required to ensure the directory permissions are set to 700 or more restrictive.

Pre-Requisites:

  • Access to the etcd data directory.

  • Sufficient privileges (root or administrator access) to modify directory permissions.

  • A Kubernetes environment in which the etcd data directory is accessible for inspection and management.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Workloads" section and locate the node running the etcd service.

  4. Check the file permissions for the etcd data directory to ensure it is set to 700 or more restrictive.

  5. Verify that only authorized users (root) have access to the directory.

Using AWS CLI:

Use the following command to check the file permissions for the etcd data directory:

kubectl exec -it <etcd-pod-name> -- ls -ld /var/lib/etcd

Ensure that the directory permissions are set to 700 or more restrictive. If not, run the following command to set the permissions:

sudo chmod 700 /var/lib/etcd

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to the "Workloads" section.

  3. Locate the node running the etcd service.

  4. Review the directory permissions for the etcd data directory.

  5. If the permissions are not set to 700 or more restrictive, modify the permissions by accessing the node and updating the directory permissions.

Using AWS CLI:

Identify the node where the etcd data directory is located:

kubectl get nodes

Access the node and check the directory permissions:

kubectl exec -it <etcd-pod-name> -- ls -ld /var/lib/etcd

If needed, change the directory permissions:

sudo chmod 700 /var/lib/etcd
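The check and fix above, as an added shell example that is not part of this benchmark: it treats "700 or more restrictive" as a bitmask test (no group or other bits set), so 700, 600 and 500 all pass while 750 or 755 fail, and it only applies chmod when the check fails. It assumes GNU stat (-c) as found on typical Linux nodes; the directory path is a parameter defaulting to /var/lib/etcd.

```shell
#!/bin/sh
# Added example (not from the benchmark). Assumes GNU coreutils stat.

# Return 0 when the directory mode has no group/other permission bits,
# 1 when it is too permissive, 2 when the path is not a directory.
etcd_dir_mode_ok() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    mode=$(stat -c '%a' "$dir")        # e.g. 700, 755, 2750
    owner=$(stat -c '%U' "$dir")
    # 077 masks the group and other bits; a leading 0 makes $mode octal.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "PASS: $dir mode=$mode owner=$owner"
        return 0
    fi
    echo "FAIL: $dir mode=$mode owner=$owner (group/other bits set)"
    return 1
}

# Apply chmod 700 only when the check fails; leaves a compliant (possibly
# stricter, e.g. 500) mode untouched. Returns the result of a re-check.
etcd_dir_mode_fix() {
    dir="$1"
    if etcd_dir_mode_ok "$dir" >/dev/null; then
        return 0
    fi
    chmod 700 "$dir" || return 2
    etcd_dir_mode_ok "$dir"
}

# Stand-alone use: check (and with "fix" as 2nd argument, remediate) a path.
if [ $# -gt 0 ]; then
    if [ "${2:-}" = "fix" ]; then
        etcd_dir_mode_fix "$1"
    else
        etcd_dir_mode_ok "$1"
    fi
fi
```

Run it on a node as `sh check_etcd_dir.sh /var/lib/etcd` to audit, or with a trailing `fix` to remediate; the exit code is suitable for use in a compliance job.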

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to the Kubernetes environment and locate the node where the etcd data directory is stored.

  3. Review the etcd data directory permissions.

  4. If necessary, modify the permissions to ensure they meet the security standards.

  5. Confirm that the permissions changes are applied successfully.

Using AWS CLI:

To revert the directory permissions to a less restrictive setting, run the following command:

sudo chmod 755 /var/lib/etcd

References: