EKS Private Endpoint Disabled

This plugin ensures that the private endpoint configuration for Amazon EKS clusters is enabled.

Risk Level: High

Description

This plugin ensures that the private endpoint configuration for EKS clusters is enabled. EKS private endpoint restricts public access to your cluster via the API server. Only devices connected to the VPC specified network can access the cluster.

About the Service

Amazon EKS: Amazon Elastic Kubernetes Service (Amazon EKS) is a managed container service for running and scaling Kubernetes applications in the cloud or on premises. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services. 

Impact

With a public endpoint, your cluster API can be accessible from the Internet. This implies that any anonymous user can access your EKS cluster API. 

This opens the opportunity for attackers to communicate with your cluster using Kubernetes management tools. 

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon EKS console. You can use this link (https://console.aws.amazon.com/eks) to navigate directly if already logged in. 
  3. From the list of clusters available, click on the Cluster name of the cluster you wish to investigate.
  4. Move to the Networking tab.
  5. Check the API server endpoint access section. If it is not set to “Private”, the cluster can be accessed publicly.
     
  6. Repeat the steps from 3 to 5 for all the clusters you wish to investigate.

    Steps for Remediation

Enable the private endpoint setting for all EKS clusters.

  1. Log In to your AWS Console.
  2. Open the Amazon EKS console. You can use this link (https://console.aws.amazon.com/eks) to navigate directly if already logged in. 
  3. From the list of clusters available, click on the Cluster name of the vulnerable cluster.
  4. Move to the Networking tab.
  5. Click on the Manage Networking button.
  6. Select the Private endpoint option from the options available to make sure your cluster is completely secure.
  7. Click on Save Changes when done.
  8. Repeat the steps from 3 to 7 for all the vulnerable clusters.

References