Posted On: Jul 22, 2020
The new CIS Benchmark for Amazon EKS helps you accurately assess the secure configuration of nodes running as part of your Amazon EKS clusters.
Security is a critical consideration for configuring and maintaining Kubernetes clusters and applications. The Center for Internet Security (CIS) Kubernetes Benchmark provides good-practice guidance on security configurations for self-managed Kubernetes clusters, but it did not accurately evaluate the security configuration status of the AWS-managed Kubernetes clusters run by Amazon EKS. Not all of the recommendations in the CIS Kubernetes Benchmark were applicable to EKS clusters, because customers are not responsible for configuring or managing the control plane.
Now, the CIS Amazon EKS Benchmark provides accurate guidance for node security configurations for EKS. The benchmark is applicable to EC2 nodes (both managed and self-managed) where you are responsible for security configurations of Kubernetes components. The benchmark provides a standard, community-approved way to ensure that you have configured your Kubernetes cluster and nodes securely when using Amazon EKS.
The CIS Amazon EKS Benchmark consists of four sections: control plane logging configuration, node security configurations, policies, and managed services. The benchmark supports the Kubernetes versions currently available from Amazon EKS (v1.15 - v1.17) and can be run using kube-bench, a standard open source tool for checking the configuration of Kubernetes clusters against the CIS benchmarks.