EKS Security Groups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EKS-004

Ensure that the security groups associated with your Amazon Elastic Kubernetes Service (EKS) clusters are configured to allow inbound traffic only on TCP port 443 (HTTPS) in order to protect your clusters against malicious activities such as brute-force attacks and meet compliance requirements within your organization.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Opening all kind of ports inside your Amazon EKS security groups is not a best practice because it will allow attackers to use port scanners and other probing techniques to identify applications and services running on your EKS clusters and exploit their vulnerabilities.


Audit

To determine if your AWS EKS security groups allow access on ports other than TCP port 443, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EKS dashboard at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon EKS, select Clusters.

04 Click on the name (link) of the EKS cluster that you want to examine to access the resource configuration settings.

05 On the selected EKS cluster settings page, within Networking section, click on the ID of the security group that you want to examine.

06 Select the Inbound Rules tab from the dashboard bottom panel.

07 Verify the value available in the Port Range column for each inbound/ingress rule defined. If one or more inbound rules are configured to allow access on ports different than TCP port 443 (HTTPS), the access configuration for the selected Amazon EKS security group is not compliant.

08 Repeat steps no. 5 – 7 to check the access configuration (i.e. opened ports) for the rest of the security groups attached to the selected EKS cluster.

09 Repeat steps no. 4 – 8 to verify the EKS security group access compliance for other Amazon EKS clusters available within the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all AWS EKS clusters available in the selected region:

aws eks list-clusters
	--region us-east-1
	--output table
	--query 'clusters'

02 The command output should return a table with the requested EKS cluster names:

-------------------------
|     ListClusters      |
+-----------------------+
|  cc-eks-prod-stack    |
|  cc-eks-mobile-app    |
+-----------------------+ 

03 Run describe-cluster command (OSX/Linux/UNIX) using the name of the EKS cluster that you want to examine as identifier parameter and custom query filters to get the ID(s) of the security group(s) associated with the selected Amazon EKS cluster:

aws eks describe-cluster
	--region us-east-1
	--name cc-eks-prod-stack
	--query 'cluster.resourcesVpcConfig.securityGroupIds'

04 The command output should return the requested security group identifiers (IDs):

[
    "sg-0abcd1234abcd1234"
]

05 Run describe-security-groups command (OSX/Linux/UNIX) using the name of the EKS security group that you want to examine as identifier parameter and custom query filters to expose the configuration of the inbound rule(s) defined for the selected security group:

aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-0abcd1234abcd1234
	--query 'SecurityGroups[*].IpPermissions'

06 The command output should return the requested configuration information:

[
    [
        {
            "PrefixListIds": [],
            "FromPort": 22,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 22,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": [],
            "Ipv6Ranges": []
        },
        {
            "PrefixListIds": [],
            "FromPort": 443,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 443,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": [],
            "Ipv6Ranges": []
        }
    ]
]

Check FromPort and ToPort attributes values (highlighted) available for each inbound/ingress rule returned by the describe-security-groups command output. If one or more inbound rules are configured to allow access on ports different than TCP port 443 (HTTPS), as shown in the output example above, the access configuration for the selected Amazon EKS security group is not compliant.

07 Repeat step no. 5 and 6 to check the access configuration (i.e. opened ports) for the rest of the security groups associated with the selected EKS cluster.

08 Repeat steps no. 3 – 7 to verify the EKS security group access compliance for other Amazon EKS clusters available in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.

Remediation / Resolution

To reconfigure the security groups associated with your Amazon EKS clusters in order to allow access only on TCP port 443 (i.e. HTTPS), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to reconfigure (see Audit section part I to identify the right security group).

05 Select the Inbound tab from the dashboard bottom panel and click the Edit button to update inbound rules configuration.

06 Inside the Edit inbound rules dialog box, find the inbound rule(s) configured to allow access on ports different than TCP port 443, then click on the x button next to each rule to remove it from the security group. Once all non-compliant inbound rules are deleted from the selected security group, click Save to apply the changes.

07 Repeat steps no. 4 – 6 to update other security groups with non-compliant access configurations, associated with your Amazon EKS clusters.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group that you want to reconfigure (see Audit section part II to identify the right EKS security group), to delete the inbound rule configured to allow access on port different than TCP port 443. The following revoke-security-group-ingress command example removes an inbound/ingress rule that allows access on TCP port 22 (SSH) from a security group identified by the ID "sg-0abcd1234abcd1234". Replace the --protocol, --port and –cidr parameter values with your own values (the command does not produce an output):

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-id sg-0abcd1234abcd1234
	--protocol tcp
	--port 22
	--cidr 0.0.0.0/0

02 Repeat step no. 1 to update other security groups with non-compliant access configurations, associated with your Amazon EKS clusters.

03 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Sep 11, 2019

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

EKS Security Groups

Risk level: Medium