Ensure Security Groups for Amazon EKS Allow Only TCP Port 443 Inbound Traffic

Description:

Amazon Elastic Kubernetes Service (EKS) is the managed Kubernetes service on AWS. Clients of an EKS cluster, including kubectl users, CI pipelines and the cluster's own worker nodes, reach the Kubernetes API server over HTTPS on TCP port 443, so that is the only port that legitimately needs to be reachable through the security groups that guard the cluster's API endpoint. Configure the security groups associated with EKS clusters to allow inbound traffic on TCP port 443 only, and from known sources rather than 0.0.0.0/0 wherever possible. Every additional open port or protocol widens the attack surface of the control plane without serving the cluster.


Remediation:

1. Identify EKS-associated Security Groups:

AWS Management Console:
  • Navigate to the EKS Dashboard.
  • Select your cluster and note down the associated VPC and security group IDs.

2. Review and Modify Inbound Rules:

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • In the navigation pane, choose Security Groups.
  • Search for the security group associated with your EKS cluster.
  • Review the inbound rules. Each rule should be protocol TCP with port range 443-443. A rule for all traffic (protocol -1), a TCP range that merely contains 443 (for example 0-65535), or UDP 443 does not satisfy the guideline. Remove or narrow any such rule.
  • Before removing a rule, confirm what depends on it. The cluster security group that EKS creates is attached to both the control plane network interfaces and managed node groups and carries all control-plane-to-node traffic (for example the control plane reaching kubelets on TCP port 10250), so tightening it blindly can break the cluster. The 443-only rule set belongs on the groups that front the API server endpoint; node-to-node and control-plane-to-node rules belong on the node security groups.
  • Where possible, restrict the source of the port 443 rule to the VPC CIDR, the node security group or a known administrative range rather than 0.0.0.0/0.

3. Regularly Monitor and Audit:

  • Periodically review the security groups associated with EKS clusters to ensure compliance with this guideline.
  • Set up Rapticore to be alerted if non-compliant configurations are detected.
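
The same review can be scripted. The following is an added example, not Rapticore's own check or AWS code: it evaluates the JSON that `aws ec2 describe-security-groups --group-ids <ids>` returns for the group IDs reported by `aws eks describe-cluster --name <cluster> --query cluster.resourcesVpcConfig` (the `securityGroupIds` and `clusterSecurityGroupId` fields), flags every inbound rule that is not exactly TCP 443, and prints the `aws ec2 revoke-security-group-ingress` command that would remove it. The group IDs, CIDRs and rules in `SAMPLE_DESCRIBE_SGS` are constructed for the example; replace them with real `describe-security-groups` output, and review each revoke command against the caveats above before running it.

```python
import json

# Constructed sample modelled on `aws ec2 describe-security-groups` output.
# Group IDs, CIDRs and rules are invented for this example.
SAMPLE_DESCRIBE_SGS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa111122223333a",
            "GroupName": "eks-api-endpoint",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0bbb111122223333b",
            "GroupName": "eks-api-endpoint-extra",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0ccc111122223333c",
                                       "UserId": "123456789012"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
                {"IpProtocol": "-1",          # all traffic: no FromPort/ToPort keys
                 "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0ddd111122223333d",
                                       "UserId": "123456789012"}]},
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
            ],
        },
    ]
}


def is_tcp_443_only(perm):
    """True only for a rule that is exactly TCP port 443.

    Protocol "-1" means all protocols and carries no port keys; a TCP range
    that merely contains 443 (e.g. 0-65535) still exposes every other port;
    UDP 443 is not the API server.
    """
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 443
            and perm.get("ToPort") == 443)


def rule_sources(perm):
    """Every source the rule accepts traffic from, as printable strings."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return sources


def describe_rule(perm):
    """Short label such as tcp/22, tcp/0-65535 or 'all protocols/ports'."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all protocols/ports"
    if "FromPort" not in perm:
        return proto
    if perm["FromPort"] == perm["ToPort"]:
        return f"{proto}/{perm['FromPort']}"
    return f"{proto}/{perm['FromPort']}-{perm['ToPort']}"


def find_noncompliant_rules(describe_output):
    """Return every inbound rule, across all groups, that is not exactly TCP 443."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not is_tcp_443_only(perm):
                findings.append({"group_id": sg["GroupId"],
                                 "rule": describe_rule(perm),
                                 "sources": rule_sources(perm),
                                 "permission": perm})
    return findings


def revoke_commands(findings):
    """AWS CLI commands that remove each offending rule (review before running).

    The exact IpPermission is passed back so the revoke matches the rule
    precisely; empty lists are dropped to keep the JSON minimal.
    """
    cmds = []
    for f in findings:
        perm = {k: v for k, v in f["permission"].items() if v not in ([], None)}
        cmds.append("aws ec2 revoke-security-group-ingress --group-id {} "
                    "--ip-permissions '{}'".format(
                        f["group_id"], json.dumps([perm], separators=(",", ":"))))
    return cmds


if __name__ == "__main__":
    found = find_noncompliant_rules(SAMPLE_DESCRIBE_SGS)
    for f in found:
        print(f"{f['group_id']}: {f['rule']} from {', '.join(f['sources'])}")
    print("\n".join(revoke_commands(found)))
```

Against the sample, the first group passes and the second produces three findings (SSH from the internet, an all-traffic rule from another security group, and a full TCP range), each with a matching revoke command. The rule that allows TCP 443 from another security group is accepted: the check is about port and protocol, and the source restriction is a separate judgement for the operator.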

Recommendation:

Always keep the security groups attached to Amazon EKS clusters tightly controlled to minimize unnecessary exposure. By allowing only essential traffic (TCP port 443, from known sources) and regularly auditing your security group configurations, you maintain a more secure and resilient EKS environment. Consider leveraging AWS-native tools and third-party solutions for ongoing monitoring and compliance checks.