-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* feat(cfg): add EKS 1.5.0 * fix(cfg): target map * fix: update eks job * fix: target mapping * feat: use CIS EKS 1.5.0 by default * fix: scored in node.yaml Signed-off-by: Peter Balogh <[email protected]> * doc: add CIS EKS 1.5.0 Signed-off-by: Peter Balogh <[email protected]> --------- Signed-off-by: Peter Balogh <[email protected]>
- Loading branch information
1 parent
df48da4
commit a38a3c5
Showing
13 changed files
with
1,000 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
--- | ||
## Version-specific settings that override the values in cfg/config.yaml | ||
## These settings are required if you are using the --asff option to report findings to AWS Security Hub | ||
## AWS account number is required. | ||
AWS_ACCOUNT: "<AWS_ACCT_NUMBER>" | ||
## AWS region is required. | ||
AWS_REGION: "<AWS_REGION>" | ||
## EKS Cluster ARN is required. | ||
CLUSTER_ARN: "<AWS_CLUSTER_ARN>" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
--- | ||
controls: | ||
version: "eks-1.5.0" | ||
id: 2 | ||
text: "Control Plane Configuration" | ||
type: "controlplane" | ||
groups: | ||
- id: 2.1 | ||
text: "Logging" | ||
checks: | ||
- id: 2.1.1 | ||
text: "Enable audit Logs (Automated)" | ||
remediation: | | ||
From Console: | ||
1. For each EKS Cluster in each region; | ||
2. Go to 'Amazon EKS' > 'Clusters' > '' > 'Configuration' > 'Logging'. | ||
3. Click 'Manage logging'. | ||
4. Ensure that all options are toggled to 'Enabled'. | ||
API server: Enabled | ||
Audit: Enabled | ||
Authenticator: Enabled | ||
Controller manager: Enabled | ||
Scheduler: Enabled | ||
5. Click 'Save Changes'. | ||
From CLI: | ||
# For each EKS Cluster in each region; | ||
aws eks update-cluster-config \ | ||
--region '${REGION_CODE}' \ | ||
--name '${CLUSTER_NAME}' \ | ||
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}' | ||
scored: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,227 @@ | ||
--- | ||
controls: | ||
version: "eks-1.5.0" | ||
id: 5 | ||
text: "Managed Services" | ||
type: "managedservices" | ||
groups: | ||
- id: 5.1 | ||
text: "Image Registry and Image Scanning" | ||
checks: | ||
- id: 5.1.1 | ||
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Automated)" | ||
type: "manual" | ||
remediation: | | ||
To utilize AWS ECR for Image scanning please follow the steps below: | ||
To create a repository configured for scan on push (AWS CLI): | ||
aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE | ||
To edit the settings of an existing repository (AWS CLI): | ||
aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE | ||
Use the following steps to start a manual image scan using the AWS Management Console. | ||
1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories. | ||
2. From the navigation bar, choose the Region to create your repository in. | ||
3. In the navigation pane, choose Repositories. | ||
4. On the Repositories page, choose the repository that contains the image to scan. | ||
5. On the Images page, select the image to scan and then choose Scan. | ||
scored: false | ||
|
||
- id: 5.1.2 | ||
text: "Minimize user access to Amazon ECR (Manual)" | ||
type: "manual" | ||
remediation: | | ||
Before you use IAM to manage access to Amazon ECR, you should understand what IAM features | ||
are available to use with Amazon ECR. To get a high-level view of how Amazon ECR and other | ||
AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide. | ||
scored: false | ||
|
||
- id: 5.1.3 | ||
text: "Minimize cluster access to read-only for Amazon ECR (Manual)" | ||
type: "manual" | ||
remediation: | | ||
You can use your Amazon ECR images with Amazon EKS, but you need to satisfy the following prerequisites. | ||
The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your worker nodes must possess | ||
the following IAM policy permissions for Amazon ECR. | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"ecr:BatchCheckLayerAvailability", | ||
"ecr:BatchGetImage", | ||
"ecr:GetDownloadUrlForLayer", | ||
"ecr:GetAuthorizationToken" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
scored: false | ||
|
||
- id: 5.1.4 | ||
text: "Minimize Container Registries to only those approved (Manual)" | ||
type: "manual" | ||
remediation: | | ||
To minimize AWS ECR container registries to only those approved, you can follow these steps: | ||
1. Define your approval criteria: Determine the criteria that containers must meet to | ||
be considered approved. This can include factors such as security, compliance, | ||
compatibility, and other requirements. | ||
2. Identify all existing ECR registries: Identify all ECR registries that are currently | ||
being used in your organization. | ||
3. Evaluate ECR registries against approval criteria: Evaluate each ECR registry | ||
against your approval criteria to determine whether it should be approved or not. | ||
This can be done by reviewing the registry settings and configuration, as well as | ||
conducting security assessments and vulnerability scans. | ||
4. Establish policies and procedures: Establish policies and procedures that outline | ||
how ECR registries will be approved, maintained, and monitored. This should | ||
include guidelines for developers to follow when selecting a registry for their | ||
container images. | ||
5. Implement access controls: Implement access controls to ensure that only | ||
approved ECR registries are used to store and distribute container images. This | ||
can be done by setting up IAM policies and roles that restrict access to | ||
unapproved registries or create a whitelist of approved registries. | ||
6. Monitor and review: Continuously monitor and review the use of ECR registries | ||
to ensure that they continue to meet your approval criteria. This can include | ||
scored: false | ||
|
||
- id: 5.2 | ||
text: "Identity and Access Management (IAM)" | ||
checks: | ||
- id: 5.2.1 | ||
text: "Prefer using dedicated Amazon EKS Service Accounts (Automated)" | ||
type: "manual" | ||
remediation: | | ||
With IAM roles for service accounts on Amazon EKS clusters, you can associate an | ||
IAM role with a Kubernetes service account. This service account can then provide | ||
AWS permissions to the containers in any pod that uses that service account. With this | ||
feature, you no longer need to provide extended permissions to the worker node IAM | ||
role so that pods on that node can call AWS APIs. | ||
Applications must sign their AWS API requests with AWS credentials. This feature | ||
provides a strategy for managing credentials for your applications, similar to the way | ||
that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. | ||
Instead of creating and distributing your AWS credentials to the containers or using the | ||
Amazon EC2 instance’s role, you can associate an IAM role with a Kubernetes service | ||
account. The applications in the pod’s containers can then use an AWS SDK or the | ||
AWS CLI to make API requests to authorized AWS services. | ||
The IAM roles for service accounts feature provides the following benefits: | ||
- Least privilege - By using the IAM roles for service accounts feature, you no | ||
longer need to provide extended permissions to the worker node IAM role so that | ||
pods on that node can call AWS APIs. You can scope IAM permissions to a | ||
service account, and only pods that use that service account have access to | ||
those permissions. This feature also eliminates the need for third-party solutions | ||
such as kiam or kube2iam. | ||
- Credential isolation - A container can only retrieve credentials for the IAM role | ||
that is associated with the service account to which it belongs. A container never | ||
has access to credentials that are intended for another container that belongs to | ||
another pod. | ||
- Audit-ability - Access and event logging is available through CloudTrail to help | ||
ensure retrospective auditing. | ||
scored: false | ||
|
||
- id: 5.3 | ||
text: "AWS EKS Key Management Service" | ||
checks: | ||
- id: 5.3.1 | ||
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)" | ||
type: "manual" | ||
remediation: | | ||
This process can only be performed during Cluster Creation. | ||
Enable 'Secrets Encryption' during Amazon EKS cluster creation as described | ||
in the links within the 'References' section. | ||
scored: false | ||
|
||
- id: 5.4 | ||
text: "Cluster Networking" | ||
checks: | ||
- id: 5.4.1 | ||
text: "Restrict Access to the Control Plane Endpoint (Automated)" | ||
type: "manual" | ||
remediation: | | ||
By enabling private endpoint access to the Kubernetes API server, all communication | ||
between your nodes and the API server stays within your VPC. You can also limit the IP | ||
addresses that can access your API server from the internet, or completely disable | ||
internet access to the API server. | ||
With this in mind, you can update your cluster accordingly using the AWS CLI to ensure | ||
that Private Endpoint Access is enabled. | ||
If you choose to also enable Public Endpoint Access then you should also configure a | ||
list of allowable CIDR blocks, resulting in restricted access from the internet. If you | ||
specify no CIDR blocks, then the public API server endpoint is able to receive and | ||
process requests from all IP addresses by defaulting to ['0.0.0.0/0']. | ||
For example, the following command would enable private access to the Kubernetes | ||
API as well as limited public access over the internet from a single IP address (noting | ||
the /32 CIDR suffix): | ||
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPrivateAccess=true,publicAccessCidrs="203.0.113.5/32" | ||
Note: The CIDR blocks specified cannot include reserved addresses. | ||
There is a maximum number of CIDR blocks that you can specify. For more information, | ||
see the EKS Service Quotas link in the references section. | ||
For more detailed information, see the EKS Cluster Endpoint documentation link in the | ||
references section. | ||
scored: false | ||
|
||
- id: 5.4.2 | ||
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)" | ||
type: "manual" | ||
remediation: | | ||
By enabling private endpoint access to the Kubernetes API server, all communication | ||
between your nodes and the API server stays within your VPC. | ||
With this in mind, you can update your cluster accordingly using the AWS CLI to ensure | ||
that Private Endpoint Access is enabled. | ||
For example, the following command would enable private access to the Kubernetes | ||
API and ensure that no public access is permitted: | ||
aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false | ||
Note: For more detailed information, see the EKS Cluster Endpoint documentation link | ||
in the references section. | ||
scored: false | ||
|
||
- id: 5.4.3 | ||
text: "Ensure clusters are created with Private Nodes (Automated)" | ||
type: "manual" | ||
remediation: | | ||
aws eks update-cluster-config \ | ||
--region region-code \ | ||
--name my-cluster \ | ||
--resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32",endpointPrivateAccess=true | ||
scored: false | ||
|
||
- id: 5.4.4 | ||
text: "Ensure Network Policy is Enabled and set as appropriate (Automated)" | ||
type: "manual" | ||
remediation: | | ||
Utilize Calico or other network policy engine to segment and isolate your traffic. | ||
scored: false | ||
|
||
- id: 5.4.5 | ||
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)" | ||
type: "manual" | ||
remediation: | | ||
Your load balancer vendor can provide details on configuring HTTPS with TLS. | ||
scored: false | ||
|
||
|
||
- id: 5.5 | ||
text: "Authentication and Authorization" | ||
checks: | ||
- id: 5.5.1 | ||
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156 or greater (Manual)" | ||
type: "manual" | ||
remediation: | | ||
Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS documentation. | ||
Note: If using AWS CLI version 1.16.156 or later there is no need to install the AWS | ||
IAM Authenticator anymore. | ||
The relevant AWS CLI commands, depending on the use case, are: | ||
aws eks update-kubeconfig | ||
aws eks get-token | ||
scored: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
--- | ||
controls: | ||
version: "eks-1.5.0" | ||
id: 1 | ||
text: "Control Plane Components" | ||
type: "master" |
Oops, something went wrong.