AWS EKS Security Groups Allow Access on Ports Other Than TCP Port 443

Description:

Amazon Elastic Kubernetes Service (EKS) provides a managed Kubernetes control plane that is accessed over TCP port 443, the standard port for HTTPS traffic. If the security groups associated with an EKS cluster allow inbound access on ports other than TCP port 443, the cluster is exposed to risks including unauthorized access, data breaches, and exploitation of vulnerabilities. Ensure that only the necessary ports are open so that the EKS cluster's security posture is maintained.


Remediation:

1. Restrict Inbound Access to Necessary Ports:

AWS Management Console:
  • Navigate to the Amazon EKS service in the AWS Console.
  • Choose the EKS cluster you want to check.
  • Under the Configuration tab, in the Networking section, find the security group associated with the EKS control plane.
  • Click on the security group ID to navigate to the EC2 Security Groups section.
  • Review the inbound rules for the security group.
  • Remove or modify any rules that allow inbound access on ports other than TCP port 443. Ensure that the only port open to the broader internet (0.0.0.0/0) is port 443.
AWS CLI:

To describe the EKS cluster and get the security group:

aws eks describe-cluster --name YOUR_EKS_CLUSTER_NAME

With the security group ID from the output, describe the security group to check its inbound rules:

aws ec2 describe-security-groups --group-ids SECURITY_GROUP_ID

Review the inbound rules in the output. If modifications are required, use the aws ec2 revoke-security-group-ingress command to remove inappropriate rules.
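As an added example (not part of this page or of Rapticore's tooling), the following Python audits the JSON returned by the describe-security-groups command above: it flags every ingress rule that is anything other than TCP 443 and builds the matching revoke-security-group-ingress call. The security group IDs and the rules in the sample output are constructed; it also handles the "-1" (all protocols) rule, which has no port fields at all.

```python
import json

# Constructed sample of `aws ec2 describe-security-groups --group-ids ...` output
# for a hypothetical control-plane security group (all IDs are made up).
SAMPLE_DESCRIBE_OUTPUT = {"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,   # the one allowed rule
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,     # SSH open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,   # range covers 443, still fails
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}],  # all protocols, no ports
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "111111111111"}]},
    ]}]}

def rule_is_compliant(perm):
    """Only TCP with a port range of exactly 443-443 passes."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 443 and perm.get("ToPort") == 443)

def rule_sources(perm):
    """Flatten IPv4 CIDRs, IPv6 CIDRs and referenced security groups."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])

def find_noncompliant_ingress(describe_output):
    """One finding per ingress rule that is anything other than TCP 443."""
    return [{"group_id": sg["GroupId"], "protocol": perm.get("IpProtocol"),
             "from_port": perm.get("FromPort"), "to_port": perm.get("ToPort"),
             "sources": rule_sources(perm), "permission": perm}
            for sg in describe_output.get("SecurityGroups", [])
            for perm in sg.get("IpPermissions", [])
            if not rule_is_compliant(perm)]

def revoke_command(finding):
    """CLI call that removes exactly this rule. Handing the IpPermission structure back
    verbatim through --ip-permissions keeps protocol, ports and every source together."""
    perm_json = json.dumps([finding["permission"]], separators=(",", ":"))
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['group_id']} "
            f"--ip-permissions '{perm_json}'")

if __name__ == "__main__":
    for f in find_noncompliant_ingress(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['group_id']}: {f['protocol']} {f['from_port']}-{f['to_port']} from {f['sources']}")
        print("  " + revoke_command(f))
```

Review the printed commands before running them; revoking a rule the cluster's nodes or a peered security group depends on will break connectivity rather than harden it.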

Terraform:

If you're using Terraform to manage your EKS clusters and associated security groups, review the security group configuration:

resource "aws_security_group" "eks_sg" {
  # ... other security group configurations ...

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Ensure no other unnecessary ingress blocks are present
}

Ensure that the security group configuration allows access only to the necessary ports, especially if they are exposed to the broader internet.


Recommendation:

Always ensure that EKS security groups are configured to allow only necessary access. In most scenarios, only TCP port 443 should be open for inbound traffic. Regularly audit security group configurations to find and rectify any overly permissive rules. Use Rapticore RTM to monitor for suspicious security group changes or network activity.