AWS EKS Cluster's Kubernetes API Server Endpoint Publicly Accessible

Description:

Amazon Elastic Kubernetes Service (EKS) provides a managed Kubernetes control plane. The Kubernetes API server is the administrative front door to the cluster: every kubectl command, every controller, and every node talks to it. EKS creates clusters with a public endpoint enabled by default, reachable from any IPv4 address (0.0.0.0/0) unless publicAccessCidrs is narrowed. The endpoint still requires IAM-backed authentication, but leaving it on the internet means any stolen kubeconfig or IAM credential can be used from anywhere, the endpoint and its Kubernetes version can be fingerprinted by scanners, and any pre-authentication flaw in the API server or its authentication path is exposed to the whole internet. Restricting the endpoint to the VPC (or to known source CIDRs) removes that exposure and is a baseline control for the cluster's integrity.


Remediation:

1. Restrict Public Access to the EKS Kubernetes API Server Endpoint:

AWS Management Console:
  • Navigate to the Amazon EKS service in the AWS Console.
  • Choose the EKS cluster you want to check.
  • Under the Configuration tab, review the Cluster endpoint access section.
  • Ensure that Public access is either disabled or restricted to known source CIDRs (the Advanced settings allow entering the allowed CIDR blocks). Prefer enabling Private access and keeping Public access off; enable public access only when clients outside the VPC must reach the endpoint and no VPN, Direct Connect, or bastion path exists. At least one of the two access modes must remain enabled, and Private access must be on before Public access is turned off, otherwise worker nodes lose their route to the control plane.
  • If changes are made, click on the Update button to save the new configuration.
AWS CLI:

To describe the EKS cluster and check the endpoint accessibility (the --query filter narrows the output to the endpoint settings):

aws eks describe-cluster --name YOUR_EKS_CLUSTER_NAME --query 'cluster.resourcesVpcConfig'

Review the endpointPublicAccess, endpointPrivateAccess, and publicAccessCidrs attributes in the output. A cluster with endpointPublicAccess true and publicAccessCidrs containing 0.0.0.0/0 is exposed to the whole internet. If modifications are required, update the cluster configuration:

aws eks update-cluster-config --name YOUR_EKS_CLUSTER_NAME --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

This command disables public access and enables private access. If public access must stay on, keep endpointPublicAccess=true and add publicAccessCidrs=<cidr1>,<cidr2> to the same --resources-vpc-config value so that only those source ranges can reach the endpoint. The update is asynchronous: the command returns an update ID and the cluster status shows UPDATING for a few minutes; re-run describe-cluster afterwards to confirm the new values. Endpoint access settings cannot be changed in the same request as subnets or security groups.

Terraform:

If you're using Terraform to manage your EKS clusters, review and update your EKS cluster configuration:

resource "aws_eks_cluster" "example" {
  # ... other EKS configurations ...

  vpc_config {
    # ... other vpc configurations ...
    endpoint_private_access = true
    endpoint_public_access  = false
    # When public access is unavoidable, set endpoint_public_access = true
    # and restrict the sources, e.g. public_access_cidrs = ["203.0.113.0/24"]
  }
}

Ensure endpoint_public_access is set to false and endpoint_private_access is set to true unless there's a specific reason for public access. The provider defaults mirror the AWS defaults (public on, private off), so a vpc_config block that omits these attributes leaves the cluster publicly reachable; set them explicitly. If public access is required, also set public_access_cidrs to the known client ranges rather than leaving it at the default 0.0.0.0/0.
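The check above can be scripted so it is applied consistently across many clusters. The following is an added example, not code from the original page or from AWS: it classifies the resourcesVpcConfig section of describe-cluster output and prints the matching update-cluster-config command. The three sample cluster records are constructed for illustration; the cluster names and CIDR ranges in them are assumptions. When the aws CLI is installed and a cluster name is passed on the command line, the same classifier runs on the live output.

```python
"""Classify an EKS cluster's API endpoint exposure from `aws eks describe-cluster` output."""
import json
import shutil
import subprocess
import sys
from dataclasses import dataclass

# Wildcard source ranges that make a public endpoint reachable from anywhere.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    cluster: str
    severity: str      # "HIGH", "MEDIUM" or "PASS"
    reason: str
    remediation: str   # aws cli command, or "" when nothing needs to change


def classify(describe_output: dict) -> Finding:
    """Map one describe-cluster JSON document to a finding."""
    cluster = describe_output["cluster"]
    name = cluster["name"]
    vpc = cluster.get("resourcesVpcConfig", {})
    # Missing keys are read with the AWS defaults: public on, private off, any source.
    public = vpc.get("endpointPublicAccess", True)
    private = vpc.get("endpointPrivateAccess", False)
    cidrs = set(vpc.get("publicAccessCidrs", list(ANY_SOURCE)))

    # Private access is always switched on in the fix so in-VPC nodes keep a route
    # to the control plane once the public endpoint disappears.
    fix = (f"aws eks update-cluster-config --name {name} "
           "--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true")

    if not public:
        return Finding(name, "PASS", "public endpoint disabled", "")
    note = "" if private else "; nodes currently depend on the public endpoint"
    if cidrs & ANY_SOURCE:
        return Finding(name, "HIGH",
                       "public endpoint reachable from any address" + note, fix)
    return Finding(name, "MEDIUM",
                   "public endpoint restricted to " + ", ".join(sorted(cidrs)) + note, fix)


def _sample(name: str, public: bool, private: bool, cidrs: list) -> dict:
    # Constructed describe-cluster document with only the fields the classifier reads.
    return {"cluster": {"name": name, "resourcesVpcConfig": {
        "endpointPublicAccess": public,
        "endpointPrivateAccess": private,
        "publicAccessCidrs": cidrs}}}


# Constructed sample clusters (names and CIDRs are illustrative assumptions).
SAMPLE_OPEN = _sample("prod-eks", True, False, ["0.0.0.0/0"])
SAMPLE_RESTRICTED = _sample("ci-eks", True, True, ["203.0.113.0/24", "198.51.100.10/32"])
SAMPLE_PRIVATE = _sample("internal-eks", False, True, ["0.0.0.0/0"])


def audit_samples() -> list:
    """Classify the three constructed samples, in order."""
    return [classify(s) for s in (SAMPLE_OPEN, SAMPLE_RESTRICTED, SAMPLE_PRIVATE)]


def audit_live(cluster_name: str) -> Finding:
    """Run describe-cluster through the aws CLI and classify the result."""
    raw = subprocess.check_output(
        ["aws", "eks", "describe-cluster", "--name", cluster_name, "--output", "json"])
    return classify(json.loads(raw))


def report(findings: list) -> None:
    for f in findings:
        print(f"[{f.severity}] {f.cluster}: {f.reason}")
        if f.remediation:
            print(f"    fix: {f.remediation}")


if __name__ == "__main__":
    if len(sys.argv) > 1 and shutil.which("aws"):
        report([audit_live(n) for n in sys.argv[1:]])
    else:
        report(audit_samples())
```

Running it with no arguments prints one line per constructed sample; `python audit_eks_endpoint.py prod-eks staging-eks` (file name assumed) audits real clusters in the configured region and profile. Loop it over `aws eks list-clusters` output per region to cover an account.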


Recommendation:

Always restrict access to the EKS Kubernetes API server endpoint to minimize exposure. If public access is necessary, limit it to known source ranges with publicAccessCidrs; security groups apply only to the private endpoint's network interfaces, and Kubernetes network policies govern pod traffic, so neither filters connections to the public endpoint. Independently of network reach, keep Kubernetes RBAC tight and map IAM principals to cluster roles through EKS access entries (or the aws-auth ConfigMap on older clusters) so that a reachable endpoint still grants nothing without a scoped identity. Enable EKS control plane logging (at minimum the api, audit, and authenticator log types) to Amazon CloudWatch to see who called the API server and from where, and use AWS CloudTrail to detect changes to the endpoint configuration itself, such as UpdateClusterConfig calls that re-enable public access.