AWS EKS cluster public network access should be restricted

Description

Disable the EKS public endpoint unless your use case(s) require it. If it is a requirement, ensure that it is restricted to explicitly defined, authorized IP addresses to prevent unrestricted public access.

Default value

By default, the public endpoint is open to the internet and the private endpoint is disabled.

Rationale

Public endpoints are used to allow ingress traffic to your EKS API server from outside of its VPC or controlled networks. If your use case(s) do not require external access, consider disabling the public endpoint entirely and relying on the private endpoint.

Allowing an IP address of 0.0.0.0/0 for a public endpoint means that it is open to any IP address on the internet. This significantly increases the risk of unauthorized access, security breaches, and potential attacks on your EKS cluster. By restricting access to specific IP addresses or ranges, you can limit the exposure of your cluster and reduce the attack surface.

Impact

When implementing endpoint private access, be careful to ensure all desired networks are connected to the VPC where the EKS cluster resides. For more details, see the remediation steps below.

Remediation

By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC. You can also limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server.

From the console

  1. Follow the AWS Management Console instructions in the referenced AWS documentation (see References).

From the command line

  1. Follow the AWS CLI instructions in the referenced AWS documentation (see References).
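As an added example (not part of the benchmark text or AWS's own tooling), the following Python helper audits the resourcesVpcConfig block of `aws eks describe-cluster` output against this control and builds the argument for the corresponding `update-cluster-config` call; the cluster name and the 203.0.113.0/24 range are assumed sample values.

```python
import ipaddress
import json

# Constructed sample of `aws eks describe-cluster` output, trimmed to the
# endpoint fields this control examines (not data from a real cluster).
SAMPLE_DESCRIBE_CLUSTER = json.loads("""
{"cluster": {"name": "example-cluster",
  "resourcesVpcConfig": {"endpointPublicAccess": true,
                         "endpointPrivateAccess": false,
                         "publicAccessCidrs": ["0.0.0.0/0"]}}}
""")


def evaluate_endpoint_access(describe_output):
    """Return findings for the API endpoint settings; [] means compliant."""
    vpc = describe_output["cluster"]["resourcesVpcConfig"]
    findings = []
    if vpc.get("endpointPublicAccess", True):
        # A missing list is treated as the documented default: open to all.
        cidrs = vpc.get("publicAccessCidrs") or ["0.0.0.0/0"]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"public endpoint open to the internet via {cidr}")
        if not vpc.get("endpointPrivateAccess", False):
            findings.append("private endpoint disabled: nodes reach the API server over the internet")
    return findings


def remediation_vpc_config(allowed_cidrs):
    """Build the resourcesVpcConfig argument for `eks update-cluster-config`.

    An empty allowed_cidrs disables the public endpoint entirely; otherwise
    the public endpoint stays up but only for the listed CIDRs. Private
    access is always enabled so worker nodes keep talking to the API server
    inside the VPC. Equivalent CLI for one allowed range (assumed names):
      aws eks update-cluster-config --name example-cluster \\
        --resources-vpc-config endpointPublicAccess=true,\\
        publicAccessCidrs="203.0.113.0/24",endpointPrivateAccess=true
    """
    for cidr in allowed_cidrs:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            raise ValueError(f"{cidr} would leave the endpoint open to everyone")
    config = {"endpointPublicAccess": bool(allowed_cidrs),
              "endpointPrivateAccess": True}
    if allowed_cidrs:
        config["publicAccessCidrs"] = list(allowed_cidrs)
    return config
```

Run the audit against real `describe-cluster` JSON for every cluster in the account; any non-empty finding list is a control failure.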

References

  1. https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html