
πŸ“ AWS EKS Cluster allows unrestricted public traffic 🟒

  • Contextual name: 📁 Cluster allows unrestricted public traffic 🟢
  • ID: /ce/ca/aws/eks/cluster-allows-unrestricted-public-traffic
  • Located in: 📁 AWS EKS

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

  • Internal
    • dec-x-cffc7d8e

Similar Internal Rules

Rule               Policies  Flags
✉️ dec-x-cffc7d8e  1

Logic


Description

Ensure the AWS EKS Kubernetes API server endpoint is not exposed to unrestricted public access. This endpoint provides the interface to your cluster’s control plane; permitting open access allows any IP to initiate connections.

Rationale

Unrestricted public access expands your cluster’s attack surface. Threat actors could probe the API server for vulnerabilities, enumerate resources, or launch denial-of-service attacks. By limiting access to authorized CIDR ranges (e.g., corporate networks, VPN gateways, or designated CI/CD environments) you enforce the principle of least privilege and reduce the risk of unauthorized access and workload compromise.

Impact

When specifying approved CIDR blocks, include all addresses from which your worker nodes and (if applicable) Fargate pods will access the public endpoint. Omitting any required range may prevent legitimate cluster operations.

Audit

This policy marks an AWS EKS Cluster as INCOMPLIANT when Endpoint Public Access is set to Enabled and the Public Access CIDRs include 0.0.0.0/0.



Remediation

From Command Line

Execute the following command to restrict your EKS API server endpoint to approved CIDR ranges and enable private endpoint access. {{publicAccessCidrs}} is a single CIDR or comma-separated list. Note that CIDR blocks must exclude reserved addresses.

If you rely solely on the public endpoint, you must include every egress IP used by your VPC (for example, the NAT Gateway’s public IP) in {{publicAccessCidrs}}. Enabling the private endpoint simplifies traffic flow for internal components and reduces the need to enumerate VPC egress addresses.

aws eks update-cluster-config \
--region {{region-code}} \
--name {{cluster-name}} \
--resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="{{publicAccessCidrs}}",endpointPrivateAccess=true
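The audit condition above (public endpoint enabled with 0.0.0.0/0 in the allow-list) and the Impact caveat (every required egress IP must be covered by the new CIDR list) as an added example, not Cloudaware's policy engine or AWS code. It evaluates the resourcesVpcConfig section of an `aws eks describe-cluster` response; the cluster documents and IP addresses are constructed samples.

```python
"""Audit helper for the EKS public-endpoint rule.

Added example: evaluates the resourcesVpcConfig block of a
describe-cluster response (samples constructed inline) and checks a
proposed publicAccessCidrs list against known egress IPs.
"""
import ipaddress

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def is_incompliant(cluster: dict) -> bool:
    """True when the public endpoint is enabled and its allow-list
    contains 0.0.0.0/0, the condition the policy flags."""
    vpc = cluster.get("resourcesVpcConfig", {})
    if not vpc.get("endpointPublicAccess", False):
        return False  # private-only endpoint: the rule does not apply
    for cidr in vpc.get("publicAccessCidrs", []):
        if ipaddress.ip_network(cidr.strip(), strict=False) == ANY_IPV4:
            return True
    return False


def uncovered_egress(cidrs, egress_ips):
    """Return the egress IPs (nodes, NAT gateways, CI runners) that a
    proposed allow-list would NOT admit; see the Impact note."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    return [ip for ip in egress_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


# Constructed describe-cluster fragments (not real clusters).
OPEN_CLUSTER = {"name": "demo-open", "resourcesVpcConfig": {
    "endpointPublicAccess": True, "endpointPrivateAccess": False,
    "publicAccessCidrs": ["0.0.0.0/0"]}}
RESTRICTED_CLUSTER = {"name": "demo-restricted", "resourcesVpcConfig": {
    "endpointPublicAccess": True, "endpointPrivateAccess": True,
    "publicAccessCidrs": ["203.0.113.0/24", "198.51.100.7/32"]}}
PRIVATE_CLUSTER = {"name": "demo-private", "resourcesVpcConfig": {
    "endpointPublicAccess": False, "endpointPrivateAccess": True,
    "publicAccessCidrs": ["0.0.0.0/0"]}}  # allow-list only governs the public endpoint


if __name__ == "__main__":
    for c in (OPEN_CLUSTER, RESTRICTED_CLUSTER, PRIVATE_CLUSTER):
        print(c["name"], "INCOMPLIANT" if is_incompliant(c) else "compliant")
    # Sample NAT gateway 198.51.100.7 is covered; 192.0.2.10 is not.
    print(uncovered_egress(["203.0.113.0/24", "198.51.100.7/32"],
                           ["198.51.100.7", "192.0.2.10"]))
```

Run `uncovered_egress` against the CIDR list you intend to pass as {{publicAccessCidrs}} before applying the update, so that no node or NAT egress address is locked out.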

policy.yaml


Linked Framework Sections

Section | Sub Section | Internal Rules / Policies / Flags (counts as extracted)
💼 APRA CPG 234 | 💼 36d access management controls — only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance); | 1415
💼 APRA CPG 234 | 💼 36e hardware and software asset controls — appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; | 1617
💼 APRA CPG 234 | 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises; | 2729
💼 APRA CPG 234 | 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. | 3336
💼 Cloudaware Framework | 💼 Public and Anonymous Access | 71