---
title: >-
  An EKS Cluster's kubelet configuration file should have permissions set to 644
  or more restrictive
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > An EKS Cluster's kubelet configuration
  file should have permissions set to 644 or more restrictive
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# An EKS Cluster's kubelet configuration file should have permissions set to 644 or more restrictive
 
## Description{% #description %}

EKS worker node kubelet configuration files referenced with the `--config` argument should have permissions set to `644` or more restrictive. Restricting the file permissions maintains the integrity of the configuration file and ensures it is writable only by system administrators.

## Remediation{% #remediation %}

Using the configuration file location identified during the audit (commonly `/etc/kubernetes/kubelet/config.json` on EKS), run the following command on each node to restrict the kubelet configuration file's permissions. See the [Amazon EKS security best practices documentation](https://docs.aws.amazon.com/eks/latest/userguide/security-best-practices.html) for more details.

```bash
chmod 644 /etc/kubernetes/kubelet/config.json
```

## References{% #references %}

- [Amazon EKS security best practices](https://docs.aws.amazon.com/eks/latest/userguide/security.html)
- [CIS Amazon EKS Benchmark](https://www.cisecurity.org/benchmark/kubernetes)
