Profile Applicability:
Level 1


Description:
This control ensures that Amazon Elastic Kubernetes Service (EKS) clusters are configured to use private API endpoints while disabling public access. Restricting the Kubernetes control plane endpoint to private access ensures that only resources within the organization’s VPC can communicate with the cluster API, preventing external exposure to unauthorized users or networks.


Rationale:
When the EKS API server endpoint is publicly accessible, it can be targeted by unauthorized users and automated scanning tools, leading to potential brute-force or denial-of-service attacks. Enabling private endpoints and disabling public access ensures that the Kubernetes API can only be reached over secure internal network connections. This configuration aligns with the principle of least privilege and helps meet security and compliance requirements under frameworks such as CIS, ISO 27001, SOC 2, and NIST 800-53.


Impact:
Positive Impact: Increases security by restricting API server access to internal networks and minimizing exposure to external threats.
Negative Impact: Administrators and developers outside the private network will require a secure VPN or Direct Connect connection to manage the EKS cluster.


Default Value:
By default, newly created EKS clusters have public endpoint access enabled and private endpoint access disabled unless explicitly configured.


Pre-Requisite:

  • IAM permissions required: eks:DescribeCluster, eks:UpdateClusterConfig.

  • A functioning private VPC with required subnets, route tables, and network access configurations.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EKS → Clusters.

  3. Select the target EKS cluster.

  4. Under Networking, locate the Cluster endpoint access section.

  5. Verify that:

    • Private access is enabled.

    • Public access is disabled.

  6. If the EKS cluster has public access enabled, it is non-compliant.

Implementation Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EKS → Clusters and select the cluster to update.

  3. Under the Networking tab, click Edit next to the Cluster endpoint access section.

  4. Choose the following configuration:

    • Enable private access.

    • Disable public access.

  5. Click Save changes.

  6. Wait for the update to complete and verify the new endpoint configuration.

  7. Update any external administration tools or CI/CD pipelines to connect via a secure VPN or Direct Connect link to the private endpoint.
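The same check and remediation as a script, for auditing many clusters at once. This is an added example, not part of the benchmark; it evaluates the `resourcesVpcConfig` block that boto3's `eks.describe_cluster()` returns, and the sample response, cluster name and CIDR are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample in the shape boto3's eks.describe_cluster() returns;
# the cluster name and VPC values are made up for illustration.
SAMPLE_DESCRIBE_CLUSTER = {"cluster": {
    "name": "example-cluster",
    "resourcesVpcConfig": {"endpointPublicAccess": True,
                           "endpointPrivateAccess": False,
                           "publicAccessCidrs": ["0.0.0.0/0"]},
}}

@dataclass
class EndpointFinding:
    cluster: str
    private_access: bool
    public_access: bool
    public_cidrs: list

    @property
    def compliant(self) -> bool:
        # Only private=on, public=off passes; public access limited to
        # CIDR blocks is still public access under this control.
        return self.private_access and not self.public_access

def evaluate_endpoint_access(describe_response: dict) -> EndpointFinding:
    """Evaluate a describe_cluster() response without touching AWS."""
    cluster = describe_response["cluster"]
    vpc = cluster.get("resourcesVpcConfig", {})
    return EndpointFinding(
        cluster=cluster["name"],
        private_access=bool(vpc.get("endpointPrivateAccess", False)),
        public_access=bool(vpc.get("endpointPublicAccess", True)),  # AWS default
        public_cidrs=list(vpc.get("publicAccessCidrs", [])),
    )

def remediation_config() -> dict:
    """resourcesVpcConfig for update_cluster_config(); EKS requires at least
    one endpoint type enabled, so both flags are changed in a single call."""
    return {"endpointPrivateAccess": True, "endpointPublicAccess": False}

def audit_and_fix(cluster_name: str, apply: bool = False) -> EndpointFinding:
    """Live check; needs eks:DescribeCluster and, with apply=True, eks:UpdateClusterConfig."""
    import boto3  # imported here so the offline evaluation above needs no SDK
    eks = boto3.client("eks")
    finding = evaluate_endpoint_access(eks.describe_cluster(name=cluster_name))
    if apply and not finding.compliant:
        eks.update_cluster_config(name=cluster_name, resourcesVpcConfig=remediation_config())
    return finding
```

Run `audit_and_fix` from a host that keeps private-endpoint connectivity (VPN or Direct Connect), since disabling public access also cuts off any kubectl or CI/CD client reaching the API from outside the VPC.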

Backout Plan:

  1. If necessary for troubleshooting, temporarily re-enable public endpoint access with authorized CIDR blocks.

  2. Once debugging is complete, immediately revert to private-only access and verify connectivity through private channels.

References: