Ensure public access is disabled for AWS Elastic Kubernetes Service (EKS) API servers

MEDIUM

Description

Allowing unrestricted public access to a cloud service exposes it to attack from the internet; for EKS this means the cluster's Kubernetes API server endpoint is reachable by anyone and is protected only by authentication. Disabling public access to the endpoint is generally considered best practice.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the Amazon EKS console.
  2. Select the cluster you want.
  3. Under Networking, click Update.
  4. Enable private access for your cluster's Kubernetes API server endpoint if you want the endpoint reachable from within your VPC.
  5. Disable public access for your cluster's Kubernetes API server endpoint.

In Terraform -

  1. In the aws_eks_cluster resource, set the vpc_config.endpoint_private_access field to true to enable private access if you want the endpoint reachable from within your VPC.
  2. Set the vpc_config.endpoint_public_access field to false to disable public access.
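
As an added check (my own script, not part of this policy page or of Terraform's tooling), the following Python scans the JSON produced by `terraform show -json <planfile>` and lists every aws_eks_cluster whose vpc_config still leaves endpoint_public_access enabled. The embedded plan is a constructed sample containing one non-compliant and one remediated cluster; the function names are my own.

```python
import json
from typing import Iterator

# Constructed sample of `terraform show -json` output: one cluster with the
# public endpoint left on, and one remediated cluster inside a child module.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_eks_cluster.legacy", "type": "aws_eks_cluster",
             "values": {"name": "legacy", "vpc_config": [
                 {"endpoint_public_access": True,
                  "endpoint_private_access": False}]}},
        ],
        "child_modules": [{"address": "module.eks", "resources": [
            {"address": "module.eks.aws_eks_cluster.prod",
             "type": "aws_eks_cluster",
             "values": {"name": "prod", "vpc_config": [
                 {"endpoint_public_access": False,
                  "endpoint_private_access": True}]}},
        ]}],
    }},
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_eks_endpoints(plan_json: str) -> list[str]:
    """Return addresses of aws_eks_cluster resources that violate AC_AWS_0101.

    A cluster fails when endpoint_public_access is true OR not present in the
    planned values: AWS enables public access by default, so a missing or
    still-unknown value is treated conservatively as public.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_eks_cluster":
            continue
        vpc_cfg = res.get("values", {}).get("vpc_config") or [{}]
        if vpc_cfg[0].get("endpoint_public_access", True):
            findings.append(res["address"])
    return findings


if __name__ == "__main__":
    for address in find_public_eks_endpoints(SAMPLE_PLAN):
        print(f"AC_AWS_0101: {address} exposes the Kubernetes API publicly")
```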

References:
https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_private_access
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access

Policy Details

Rule Reference ID: AC_AWS_0101
CSP: AWS
Remediation Available: Yes
Resource: aws_eks_cluster
Resource Category: Compute

Frameworks