AWS EKS cluster endpoint should have public access disabled
Description
Disable access to the Kubernetes API from outside the node network if it is not required for your specific use cases.
Default value
By default, the public endpoint is open to the internet and the private endpoint is disabled.
Rationale
In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master’s VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master’s VPC network.
Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack.
Unless required by your use case, disabling the public endpoint will help prevent such threats and require the attacker to be on the master’s VPC network, with the required access to the Kubernetes API.
Impact
When implementing endpoint private access, be careful to ensure all desired networks are on the allowlist to prevent inadvertently blocking external access to your cluster’s control plane.
By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC. You can also limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server.
From the console
- Follow the AWS Management Console instructions.
From the command line
- Follow the AWS CLI instructions.
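As an added example (not part of this rule's text or of AWS's own tooling), the Python below evaluates a cluster's endpoint settings against this rule and builds the `aws eks update-cluster-config` call that remediates it, honouring the allowlist caveat from the Impact section. It assumes the input has the shape of an `aws eks describe-cluster` response; the two sample responses are constructed, not taken from a real account.

```python
import json
from typing import List, Optional

# Constructed sample of an `aws eks describe-cluster` response, trimmed to the
# resourcesVpcConfig fields this rule inspects (AWS default settings shown).
SAMPLE_DEFAULT = {"cluster": {"name": "example-cluster", "resourcesVpcConfig": {
    "endpointPublicAccess": True, "endpointPrivateAccess": False,
    "publicAccessCidrs": ["0.0.0.0/0"]}}}

# Constructed sample of the same cluster after remediation.
SAMPLE_PRIVATE = {"cluster": {"name": "example-cluster", "resourcesVpcConfig": {
    "endpointPublicAccess": False, "endpointPrivateAccess": True,
    "publicAccessCidrs": []}}}


def evaluate_endpoint(cluster: dict) -> List[str]:
    """Return findings for one describe-cluster response; empty means compliant."""
    vpc = cluster["cluster"]["resourcesVpcConfig"]
    public = vpc.get("endpointPublicAccess", True)     # AWS default: enabled
    private = vpc.get("endpointPrivateAccess", False)  # AWS default: disabled
    cidrs = vpc.get("publicAccessCidrs", ["0.0.0.0/0"])
    findings = []
    if public and "0.0.0.0/0" in cidrs:
        findings.append("public endpoint reachable from any internet address")
    elif public:
        findings.append("public endpoint enabled, limited to " + ",".join(cidrs))
    if not private:
        findings.append("private endpoint disabled: node-to-API traffic leaves the VPC")
    return findings


def remediation_command(name: str, allowlist: Optional[List[str]] = None) -> List[str]:
    """Build the `aws eks update-cluster-config` argv that fixes the cluster.

    Without an allowlist the public endpoint is turned off; if some external
    networks still need the API, it stays on but limited to those CIDRs. Private
    access is always enabled, since EKS rejects both endpoints being disabled.
    """
    cfg = {"endpointPublicAccess": bool(allowlist), "endpointPrivateAccess": True}
    if allowlist:
        cfg["publicAccessCidrs"] = allowlist
    # The CLI accepts the structure as a JSON string for this parameter.
    return ["aws", "eks", "update-cluster-config", "--name", name,
            "--resources-vpc-config", json.dumps(cfg)]


if __name__ == "__main__":
    for finding in evaluate_endpoint(SAMPLE_DEFAULT):
        print("finding:", finding)
    print(" ".join(remediation_command("example-cluster")))
```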
References
- https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html