EKS Cluster should have public access limited and nodes should not be publicly accessible

Description

This rule checks that EKS clusters follow network access control best practices. Only clusters in the ACTIVE status are assessed. The rule performs two checks and FAILS if either of them fails:

Cluster endpoint is publicly accessible

When public access to the control plane endpoint is enabled on an EKS cluster, it should be limited to a specific set of CIDRs: the smallest set of source IP ranges that actually need to reach the Kubernetes API.

This part of the check will fail if any of these conditions are true:

  • Private endpoint access is disabled (resources_vpc_config.endpoint_private_access: false). With private access disabled, all API traffic, including the traffic from the cluster's own nodes, has to reach the public endpoint.
  • Public access is enabled with unrestricted CIDRs (0.0.0.0/0 in resources_vpc_config.public_access_cidrs).
  • Public access is enabled but no CIDRs are specified (resources_vpc_config.public_access_cidrs is null/undefined).

Nodes are located in public subnets

EKS nodes should not be placed in public subnets. A node in a public subnet can be reached directly from the internet, which needlessly increases the attack surface. A subnet is considered public if it automatically assigns public IP addresses (MapPublicIpOnLaunch) and its route table has a route to an internet gateway (IGW).

This part of the check will fail if any of these conditions are true:

  • Any managed nodegroup is configured to deploy instances in a public subnet.
  • Any self-managed node has a network interface in a public subnet. Self-managed nodes are defined as running EC2 instances in the same VPC as the EKS cluster, with the tag kubernetes.io/cluster/<cluster_name>:owned.

Note: For node subnet assessment, only nodes from EKS managed nodegroups or self-managed EC2 instances are assessed. Nodes created through the following services are not assessed:

  • Amazon EKS Hybrid Nodes
  • Amazon EKS on AWS Outposts
  • AWS Fargate
  • EKS Anywhere
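The following is an added example of the two checks implemented as an offline evaluator; it is not the rule's own code. The input dictionaries follow the field names of the boto3 responses for eks.describe_cluster, eks.describe_nodegroup, ec2.describe_subnets, ec2.describe_route_tables and ec2.describe_instances (camelCase for EKS, PascalCase for EC2), whereas the rule text above refers to the same attributes in snake_case. All cluster, subnet, route table and instance data is constructed for the example. It goes slightly beyond the text in two places: a subnet with no explicit route table association is resolved to the VPC's main route table, which is how EC2 actually routes it, and the 0.0.0.0/0 test is written as "any zero-length prefix" rather than a string comparison.

```python
import ipaddress


def endpoint_findings(resources_vpc_config):
    """Reasons the control-plane endpoint check fails; an empty list is a pass."""
    reasons = []
    if not resources_vpc_config.get("endpointPrivateAccess", False):
        reasons.append("private endpoint access disabled")
    if resources_vpc_config.get("endpointPublicAccess", False):
        cidrs = resources_vpc_config.get("publicAccessCidrs") or []
        if not cidrs:
            reasons.append("public access enabled without CIDR restriction")
        elif any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            reasons.append("public access open to 0.0.0.0/0")
    return reasons


def public_subnet_ids(subnets, route_tables):
    """Subnets that auto-assign public IPs AND route to an internet gateway.
    A subnet without an explicit association uses the VPC's main route table."""
    explicit, main_by_vpc = {}, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_by_vpc[rt["VpcId"]] = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    public = set()
    for s in subnets:
        if not s.get("MapPublicIpOnLaunch"):
            continue
        rt = explicit.get(s["SubnetId"]) or main_by_vpc.get(s["VpcId"])
        routes = rt.get("Routes", []) if rt else []
        if any(r.get("GatewayId", "").startswith("igw-") for r in routes):
            public.add(s["SubnetId"])
    return public


def node_findings(cluster_name, vpc_id, nodegroups, instances, public):
    """Reasons the node placement check fails (managed nodegroups + self-managed nodes)."""
    reasons = []
    for ng in nodegroups:
        bad = sorted(set(ng["subnets"]) & public)
        if bad:
            reasons.append(f"nodegroup {ng['nodegroupName']} uses public subnets {bad}")
    owned_tag = f"kubernetes.io/cluster/{cluster_name}"
    for inst in instances:
        # self-managed node: running, same VPC, tagged kubernetes.io/cluster/<name>=owned
        if inst["State"]["Name"] != "running" or inst["VpcId"] != vpc_id:
            continue
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if tags.get(owned_tag) != "owned":
            continue
        bad = sorted({eni["SubnetId"] for eni in inst["NetworkInterfaces"]} & public)
        if bad:
            reasons.append(f"self-managed node {inst['InstanceId']} has an ENI in public subnets {bad}")
    return reasons


def evaluate(cluster, nodegroups, subnets, route_tables, instances):
    """None when the cluster is not assessed, otherwise the list of findings (empty = PASS)."""
    if cluster["status"] != "ACTIVE":
        return None
    cfg = cluster["resourcesVpcConfig"]
    public = public_subnet_ids(subnets, route_tables)
    return endpoint_findings(cfg) + node_findings(cluster["name"], cfg["vpcId"], nodegroups, instances, public)


# --- constructed sample data (not real AWS resources) -------------------------
CLUSTER = {"name": "demo", "status": "ACTIVE", "resourcesVpcConfig": {
    "vpcId": "vpc-0a", "endpointPublicAccess": True, "endpointPrivateAccess": True,
    "publicAccessCidrs": ["203.0.113.0/24"]}}
SUBNETS = [
    {"SubnetId": "subnet-pub", "VpcId": "vpc-0a", "MapPublicIpOnLaunch": True},    # main table -> IGW
    {"SubnetId": "subnet-priv", "VpcId": "vpc-0a", "MapPublicIpOnLaunch": False},  # no public IPs
    {"SubnetId": "subnet-noigw", "VpcId": "vpc-0a", "MapPublicIpOnLaunch": True},  # public IPs but NAT only
]
ROUTE_TABLES = [
    {"VpcId": "vpc-0a", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"VpcId": "vpc-0a", "Associations": [{"SubnetId": "subnet-noigw"}, {"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]
NODEGROUPS = [{"nodegroupName": "ng-1", "subnets": ["subnet-priv", "subnet-pub"]}]
INSTANCES = [
    {"InstanceId": "i-1", "VpcId": "vpc-0a", "State": {"Name": "running"},
     "Tags": [{"Key": "kubernetes.io/cluster/demo", "Value": "owned"}],
     "NetworkInterfaces": [{"SubnetId": "subnet-noigw"}]},
    {"InstanceId": "i-2", "VpcId": "vpc-0a", "State": {"Name": "running"},
     "Tags": [{"Key": "kubernetes.io/cluster/demo", "Value": "owned"}],
     "NetworkInterfaces": [{"SubnetId": "subnet-pub"}]},
]

if __name__ == "__main__":
    for finding in evaluate(CLUSTER, NODEGROUPS, SUBNETS, ROUTE_TABLES, INSTANCES):
        print("FAIL:", finding)
```

With the sample data the endpoint check passes (private access on, public access restricted to one /24), but the cluster still FAILS twice: the managed nodegroup lists subnet-pub, and instance i-2 has an ENI there. subnet-noigw shows why both conditions are needed: it auto-assigns public IPs, yet its only default route is a NAT gateway, so it is not public and i-1 is not reported.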

Remediation

For guidance on remediating clusters with endpoint configuration issues, refer to the Modifying cluster endpoint access section of the Amazon EKS User Guide. For guidance on node group VPC configuration, refer to the VPC and Subnet Considerations section of the Amazon EKS User Guide.