Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: AWS EKS CIS v 1.4 Compliance Spec #92

Merged
merged 3 commits into from
Mar 7, 2024
Merged

feat: AWS EKS CIS v 1.4 Compliance Spec #92

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7889a91
feat: add argo-workflows checks
AnaisUrlichs Feb 29, 2024
ea20492
feat: add aws eks cis benchmark compliance spec v 1.4 to the trivy co…
AnaisUrlichs Mar 6, 2024
cb1946d
fix: small typo found in description
AnaisUrlichs Mar 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
381 changes: 381 additions & 0 deletions specs/compliance/aws-eks-cis-1.4.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,381 @@
spec:
id: eks-cis
title: AWS EKS CIS Foundations v1.4
description: AWS EKS CIS Foundations
version: "1.4"
relatedResources:
- https://www.cisecurity.org/benchmark/amazon_web_services
controls:
- id: 2.1.1
name: Enable audit Logs (Automated)
description: |
Control plane logs provide visibility into operation of the EKS Control plane components systems.
The API server audit logs record all accepted and rejected requests in the cluster.
When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch
Log Group for persistence.
checks: null
severity: MEDIUM
- id: 3.1.1
name: Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
description: |
If kubelet is running, and if it is configured by a kubeconfig file, ensure that the proxy kubeconfig
file has permissions of 644 or more restrictive

Check with the following command:
> sudo systemctl status kubelet
checks: null
severity: HIGH
- id: 3.1.2
name: Ensure that the kubelet service file ownership is set to root:root (Manual)
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
severity: HIGH
- id: 3.1.3
name: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)
description: |
Ensure that if the kubelet refers to a configuration file with the
--config argument, that file has permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0077
severity: HIGH
- id: 3.1.4
name: Ensure that the kubelet configuration file ownership is set to root:root (Manual)
description: |
Ensure that if the kubelet refers to a configuration file with the
--config argument, that file is owned by root:root
checks:
- id: AVD-KCV-0078
severity: HIGH
- id: 3.2.1
name: Ensure that the Anonymous Auth is Not Enabled (Automated)
description: Disable anonymous requests to the Kubelet server.
checks:
- id: AVD-KCV-0079
severity: CRITICAL
- id: 3.2.2
name: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
description: Do not allow all requests. Enable explicit authorization.
checks:
- id: AVD-KCV-0007
severity: LOW
- id: 3.2.3
name: Ensure that a Client CA File is Configured (Automated)
description: Enable Kubelet authentication using certificates.
checks:
- id: AVD-KCV-0081
severity: CRITICAL
- id: 3.2.4
name: Ensure that the --read-only-port is disabled (Manual)
description: |
The Kubelet process provides a read-only API in addition to the main Kubelet API.
Unauthenticated access is provided to this read-only API which could possibly retrieve
potentially sensitive information about the cluster.
checks:
- id: AVD-KCV-0082
severity: HIGH
- id: 3.2.5
name: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)
description: Do not disable timeouts on streaming connections.
checks:
- id: AVD-KCV-0085
severity: HIGH
- id: 3.2.6
name: Ensure that the --make-iptables-util-chains argument is set to true (Automated)
description: Allow Kubelet to manage iptables.
checks:
- id: AVD-KCV-0084
severity: HIGH
- id: 3.2.7
name: Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
description: |
Security relevant information should be captured. The eventRecordQPS on the Kubelet
configuration can be used to limit the rate at which events are gathered and sets the
maximum event creations per second. Setting this too low could result in relevant
events not being logged, however the unlimited setting of 0 could result in a denial of
service on the kubelet.
checks: null
severity: HIGH
- id: 3.2.8
name: Ensure that the --rotate-certificates argument is not present or is set to true (Manual)
description: Enable kubelet client certificate rotation.
checks:
- id: AVD-KCV-0090
severity: CRITICAL
- id: 3.2.9
name: Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
description: Enable kubelet server certificate rotation.
checks:
- id: AVD-KCV-0091
- id: AVD-KCV-0038
severity: CRITICAL
- id: 3.3.1
name: Prefer using a container-optimized OS when possible (Manual)
description: |
If a container-optimized OS is required examine the nodes in EC2 and click on their AMI
to ensure that it is a container-optimized OS like Amazon Bottlerocket; or connect to the
worker node and check its OS.
checks: null
severity: HIGH
- id: 4.1.1
name: Ensure that the cluster-admin role is only used where required (Manual)
description: |
The RBAC role cluster-admin provides wide-ranging powers over the environment and
should be used only where and when needed.
checks:
- id: AVD-KSV-0111
severity: HIGH
- id: 4.1.2
name: Minimize access to secrets (Manual)
description: |
The Kubernetes API stores secrets, which may be service account tokens for the
Kubernetes API or credentials used by workloads in the cluster. Access to these secrets
should be restricted to the smallest possible group of users to reduce the risk of
privilege escalation.
checks:
- id: AVD-KSV-0041
severity: HIGH
- id: 4.1.3
name: Minimize wildcard use in Roles and ClusterRoles (Automated)
description: |
Kubernetes Roles and ClusterRoles provide access to resources based on sets of
objects and actions that can be taken on those objects. It is possible to set either of
these to be the wildcard "*" which matches all items.
Use of wildcards is not optimal from a security perspective as it may allow for
inadvertent access to be granted when new resources are added to the Kubernetes API
either as CRDs or in later versions of the product.
checks:
- id: AVD-KSV-0044
- id: AVD-KSV-0045
- id: AVD-KSV-0046
severity: HIGH
- id: 4.1.4
name: Minimize access to create pods (Manual)
description: |
The ability to create pods in a namespace can provide a number of opportunities for
privilege escalation, such as assigning privileged service accounts to these pods or
mounting hostPaths with access to sensitive data (unless Pod Security Policies are
implemented to restrict this access)
As such, access to create new pods should be restricted to the smallest possible group
of users.
checks: null
severity: HIGH
- id: 4.1.5
name: Ensure that default service accounts are not actively used. (Manual)
description: The default service account should not be used to ensure that rights granted to
applications can be more easily audited and reviewed.
checks: null
severity: HIGH
- id: 4.1.6
name: Ensure that Service Account Tokens are only mounted where necessary (Manual)
description: |
Service accounts tokens should not be mounted in pods except where the workload
running in the pod explicitly needs to communicate with the API server
checks: null
severity: HIGH
- id: 4.1.7
name: Avoid use of system:masters group (Manual)
description: |
The special group system:masters should not be used to grant permissions to any user
or service account, except where strictly necessary (e.g. bootstrapping access prior to
RBAC being fully available)
checks: null
severity: CRITICAL
- id: 4.1.8
name: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)
description: |
The special group system:masters should not be used to grant permissions to any user
or service account, except where strictly necessary (e.g. bootstrapping access prior to
RBAC being fully available)
checks: null
severity: CRITICAL
- id: 4.2.1
name: Minimize the admission of privileged containers (Manual)
description: Do not generally permit containers to be run with the securityContext.privileged flag set to true.
checks:
- id: AVD-KSV-0017
severity: HIGH
AnaisUrlichs marked this conversation as resolved.
Show resolved Hide resolved
- id: 4.2.2
name: Minimize the admission of containers wishing to share the host process ID namespace (Manual)
description: Do not generally permit containers to be run with the hostPID flag set to true.
checks:
- id: AVD-KSV-0010
Comment on lines +199 to +202
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check is marked as manual however it has automatic checks

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah that is part of the name in the CIS benchmarks... I guess in our case since we have automated it, I should remove it

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated it on multiple locations

severity: HIGH
- id: 4.2.3
name: Minimize the admission of containers wishing to share the host IPC namespace (Manual)
description: Do not generally permit containers to be run with the hostIPC flag set to true.
checks:
- id: AVD-KSV-0008
AnaisUrlichs marked this conversation as resolved.
Show resolved Hide resolved
severity: HIGH
- id: 4.2.4
name: Minimize the admission of containers wishing to share the host network namespace (Manual)
description: Do not generally permit containers to be run with the hostNetwork flag set to true.
checks:
- id: AVD-KSV-0009
AnaisUrlichs marked this conversation as resolved.
Show resolved Hide resolved
severity: HIGH
- id: 4.2.5
name: Minimize the admission of containers with allowPrivilegeEscalation (Manual)
description: |
Do not generally permit containers to be run with the allowPrivilegeEscalation flag set
to true. Allowing this right can lead to a process running a container getting more rights
than it started with.
checks:
- id: AVD-KSV-0001
AnaisUrlichs marked this conversation as resolved.
Show resolved Hide resolved
severity: HIGH
- id: 4.2.6
name: Minimize the admission of root containers (Manual)
description: Do not generally permit containers to be run as the root user.
checks:
- id: AVD-KSV-0012
AnaisUrlichs marked this conversation as resolved.
Show resolved Hide resolved
severity: MEDIUM
- id: 4.2.7
name: Minimize the admission of containers with added capabilities (Manual)
description: Do not generally permit containers with capabilities assigned beyond the default set.
checks:
- id: AVD-KSV-0004
severity: LOW
AnaisUrlichs marked this conversation as resolved.
Show resolved Hide resolved
- id: 4.2.8
name: Minimize the admission of containers with capabilities assigned (Manual)
description: Do not generally permit containers with capabilities
checks:
- id: AVD-KSV-0103
- id: AVD-KSV-0003
AnaisUrlichs marked this conversation as resolved.
Show resolved Hide resolved
severity: MEDIUM
- id: 4.3.1
name: Ensure CNI plugin supports network policies (Manual)
description: |
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not
support Network Policies it may not be possible to effectively restrict traffic in the
cluster
checks: null
severity: MEDIUM
- id: 4.3.2
name: Ensure that all Namespaces have Network Policies defined (Manual)
description: Use network policies to isolate traffic in your cluster network.
checks:
- id: AVD-KSV-0038
severity: MEDIUM
- id: 4.4.1
name: Prefer using secrets as files over secrets as environment variables (Manual)
description: |
Kubernetes supports mounting secrets as data volumes or as environment variables.
Minimize the use of environment variable secrets.
checks: null
severity: MEDIUM
- id: 4.4.2
name: Consider external secret storage (Manual)
description: |
Consider the use of an external secrets storage and management system, instead of
using Kubernetes Secrets directly, if you have more complex secret management
needs. Ensure the solution requires authentication to access secrets, has auditing of
access to and use of secrets, and encrypts secrets. Some solutions also make it easier
to rotate secrets
checks: null
severity: MEDIUM
- id: 4.5.1
name: Create administrative boundaries between resources using namespaces (Manual)
description: Use namespaces to isolate your Kubernetes objects.
checks: null
severity: MEDIUM
- id: 4.5.2
name: Apply Security Context to Your Pods and Containers (Manual)
description: Apply Security Context to Your Pods and Containers
checks:
- id: AVD-KSV-0021
- id: AVD-KSV-0020
- id: AVD-KSV-0005
- id: AVD-KSV-0025
- id: AVD-KSV-0104
- id: AVD-KSV-0030
Comment on lines +281 to +289
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check is marked as manual however it has automatic checks

severity: HIGH
- id: 4.5.3
name: The default namespace should not be used (Manual)
description: |
Kubernetes provides a default namespace, where objects are placed if no namespace
is specified for them. Placing objects in this namespace makes application of RBAC and
other controls more difficult.
checks:
- id: AVD-KSV-0110
severity: MEDIUM
- id: 5.1.1
name: Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Automated)
description: Scan images being deployed to Amazon EKS for vulnerabilities.
checks: null
severity: MEDIUM
- id: 5.1.2
name: Minimize user access to Amazon ECR (Manual)
description: Restrict user access to Amazon ECR, limiting interaction with build images to only authorized
personnel and service accounts.
checks: null
severity: MEDIUM
- id: 5.1.3
name: Minimize cluster access to read-only for Amazon ECR (Manual)
description: |
Configure the Cluster Service Account with Storage Object Viewer Role to only allow
read-only access to Amazon ECR
checks: null
severity: MEDIUM
- id: 5.1.4
name: Minimize Container Registries to only those approved (Manual)
description: Use approved container registries.
checks: null
severity: MEDIUM
- id: 5.2.1
name: Prefer using dedicated EKS Service Accounts (Manual)
description: |
Kubernetes workloads should not use cluster node service accounts to authenticate to
Amazon EKS APIs. Each Kubernetes workload that needs to authenticate to other AWS
services using AWS IAM should be provisioned with a dedicated Service account.
checks: null
severity: MEDIUM
- id: 5.3.1
name: Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)
description: Encrypt Kubernetes secrets, stored in etcd, using secrets encryption feature during Amazon EKS cluster creation.
checks: null
severity: MEDIUM
- id: 5.4.1
name: Restrict Access to the Control Plane Endpoint (Automated)
description: Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs
checks: null
severity: MEDIUM
- id: 5.4.2
name: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)
description: Disable access to the Kubernetes API from outside the node network if it is not required.
checks: null
severity: MEDIUM
- id: 5.4.3
name: Ensure clusters are created with Private Nodes (Automated)
description: Disable public IP addresses for cluster nodes, so that they only have private IP addresses.
Private Nodes are nodes with no public IP addresses.
checks: null
severity: MEDIUM
- id: 5.4.4
name: Ensure Network Policy is Enabled and set as appropriate (Automated)
description: |
Amazon EKS provides two ways to implement network policy. You choose a network
policy option when you create an EKS cluster. The policy option can't be changed after the cluster is created:
Calico Network Policies, an open-source network and network
security solution founded by Tigera. Both implementations use Linux IPTables to
enforce the specified policies. Policies are translated into sets of allowed and disallowed
IP pairs. These pairs are then programmed as IPTable filter rules
checks: null
severity: MEDIUM
- id: 5.4.5
name: Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)
description: Encrypt traffic to HTTPS load balancers using TLS certificates.
checks: null
severity: MEDIUM
- id: 5.5.1
name: Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156 or greater (Manual)
description: |
Amazon EKS uses IAM to provide authentication to your Kubernetes cluster through the
AWS IAM Authenticator for Kubernetes. You can configure the stock kubectl client to
work with Amazon EKS by installing the AWS IAM Authenticator for Kubernetes and
modifying your kubectl configuration file to use it for authentication
checks: null
severity: MEDIUM
- id: 5.6.1
name: Consider Fargate for running untrusted workloads (Manual)
description: It is Best Practice to restrict or fence untrusted workloads when running in a multi-tenant environment.
checks: null
severity: MEDIUM