Profile Applicability:
Level 1
Description:
This control ensures that access to the Amazon Elastic Kubernetes Service (EKS) Control Plane Endpoint is restricted to trusted IP ranges or private networks. By default, the EKS control plane endpoint can be exposed over the public internet, which increases the risk of unauthorized access, brute-force attempts, or denial-of-service attacks. Restricting access to specific IP ranges or using private-only endpoints ensures that the Kubernetes API server is reachable only by authorized networks and users.
Rationale:
The EKS Control Plane manages all cluster operations, and unrestricted access to it can lead to full cluster compromise if credentials are leaked or brute-forced. Restricting endpoint access to known IPs, internal VPCs, or through a private network (via VPN or AWS Direct Connect) ensures that only trusted sources can communicate with the API. This helps maintain secure administrative control over the Kubernetes cluster and aligns with best practices and compliance frameworks such as CIS, SOC 2, ISO 27001, and NIST 800-53.
Impact:
Positive Impact: Enhances the security of Kubernetes clusters by limiting control plane exposure to only authorized networks, reducing the likelihood of external attacks.
Negative Impact: Users and automation tools outside of approved IP ranges must use secure connectivity solutions (like VPN or Direct Connect) to access the cluster.
Default Value:
By default, EKS clusters are created with public endpoint access enabled and the public access CIDR list set to 0.0.0.0/0, i.e. unrestricted.
Pre-Requisite:
IAM permissions required: eks:DescribeCluster, eks:UpdateClusterConfig.
Knowledge of trusted IP addresses, VPC CIDR blocks, or private network ranges that require API access.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EKS → Clusters.
Select the desired cluster and open the Networking tab.
Under Cluster endpoint access, confirm that the configuration matches one of the following:
Public access is enabled but restricted to a limited set of trusted IPs, or
Public access is disabled, and private access is enabled.
If the cluster allows public access from 0.0.0.0/0 or ::/0, it is non-compliant.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EKS → Clusters and select the target cluster.
Under Networking, click Edit next to Cluster endpoint access.
Update the configuration as follows:
If using a public endpoint, restrict access to specific trusted CIDR blocks only.
Preferably, enable private access and disable public access entirely.
Click Save changes to apply the configuration.
Verify connectivity to ensure the cluster API is reachable only from trusted IP ranges or private networks.
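The following script is an added example, not part of this benchmark and not AWS code. It encodes the Test Plan's pass/fail logic against the resourcesVpcConfig object that the EKS DescribeCluster API returns (fields endpointPublicAccess, endpointPrivateAccess and publicAccessCidrs), and builds the resourcesVpcConfig payload that the UpdateClusterConfig API accepts for the Implementation Plan's two remediation options. The cluster names and CIDR values are constructed samples; the optional live path assumes boto3 is installed and the caller holds eks:DescribeCluster.

```python
"""Audit and remediate EKS control-plane endpoint access (added example)."""
import ipaddress
import sys

# Constructed samples shaped like DescribeCluster's resourcesVpcConfig;
# the cluster names are hypothetical.
SAMPLE_CLUSTERS = {
    "open-default": {  # the EKS default: public endpoint open to 0.0.0.0/0
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
    "restricted-public": {  # public endpoint limited to trusted ranges
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.0/24", "198.51.100.17/32"],
    },
    "private-only": {  # preferred state: no public endpoint at all
        "endpointPublicAccess": False,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": [],
    },
}


def evaluate_endpoint_access(vpc_config):
    """Return (compliant, reason) for one cluster's resourcesVpcConfig."""
    public = bool(vpc_config.get("endpointPublicAccess"))
    private = bool(vpc_config.get("endpointPrivateAccess"))
    cidrs = vpc_config.get("publicAccessCidrs") or []

    if not public:
        if private:
            return True, "public endpoint disabled, private endpoint enabled"
        # Assumption: a cluster with neither endpoint is treated as a failed check.
        return False, "neither public nor private endpoint is enabled"

    # Public endpoint is on: a /0 prefix (0.0.0.0/0 or ::/0) admits the whole
    # internet and fails the control regardless of any other entries.
    wide_open = [c for c in cidrs
                 if ipaddress.ip_network(c, strict=False).prefixlen == 0]
    if wide_open:
        return False, "public endpoint open to the internet via " + ", ".join(wide_open)
    if not cidrs:
        return False, "public endpoint enabled with no CIDR allow-list"
    return True, f"public endpoint limited to {len(cidrs)} trusted CIDR block(s)"


def build_restriction(trusted_cidrs=(), private_only=False):
    """Build the resourcesVpcConfig payload for UpdateClusterConfig.

    private_only=True disables the public endpoint (the preferred option);
    otherwise the public endpoint stays on but is limited to trusted_cidrs.
    Raises ValueError for a CIDR that would not restrict anything.
    """
    if private_only:
        return {"endpointPublicAccess": False, "endpointPrivateAccess": True}
    if not trusted_cidrs:
        raise ValueError("a public endpoint needs at least one trusted CIDR")
    normalized = []
    for cidr in trusted_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)  # bare host -> /32
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} would expose the endpoint to the whole internet")
        normalized.append(str(net))
    return {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": normalized,
    }


def audit_samples():
    """Run the check over the constructed samples; returns {name: (ok, reason)}."""
    return {name: evaluate_endpoint_access(cfg) for name, cfg in SAMPLE_CLUSTERS.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit_samples().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
    # Live audit when a cluster name is passed; the update call is left
    # commented because it changes the running cluster.
    if len(sys.argv) > 1:
        import boto3  # assumed to be installed in the operator's environment
        eks = boto3.client("eks")
        cfg = eks.describe_cluster(name=sys.argv[1])["cluster"]["resourcesVpcConfig"]
        ok, reason = evaluate_endpoint_access(cfg)
        print(f"{'PASS' if ok else 'FAIL'} {sys.argv[1]}: {reason}")
        if not ok:
            payload = build_restriction(private_only=True)
            print("remediation payload for update_cluster_config:", payload)
            # eks.update_cluster_config(name=sys.argv[1], resourcesVpcConfig=payload)
```

Run it with no arguments to see the three constructed samples evaluated offline; pass a cluster name to audit a real cluster. Choosing private_only=True reproduces the Implementation Plan's preferred state, while build_restriction(["203.0.113.0/24"]) produces the restricted-public alternative and refuses a /0 entry up front, which is the misconfiguration the Test Plan flags.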
Backout Plan:
If cluster administrators lose connectivity after applying restrictions, temporarily re-enable public access with authorized CIDR blocks to restore connectivity.
Reconfigure secure remote access via VPN or a bastion host before reapplying the restrictions.
References: