📄️ 2.1.1
2.1.1 Enable audit Logs (Automated)
📄️ 3.1.1
3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)
📄️ 3.1.2
3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)
📄️ 3.1.3
3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)
📄️ 3.1.4
3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Automated)
📄️ 3.2.1
3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
📄️ 3.2.2
3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
📄️ 3.2.3
3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
📄️ 3.2.4
3.2.4 Ensure that the --read-only-port is secured (Automated)
📄️ 3.2.5
3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)
📄️ 3.2.6
3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
📄️ 3.2.7
3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
📄️ 3.2.8
3.2.8 Ensure that the --hostname-override argument is not set (Automated)
📄️ 3.2.9
3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Manual)
📄️ 3.2.10
3.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)
📄️ 3.2.11
3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
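The kubelet checks above (file permissions and ownership in 3.1.1 to 3.1.4, kubelet settings in 3.2.1 to 3.2.11) can be reproduced offline against a copy of a node's kubelet configuration. The following helpers are an added example, not Lacework's or CIS's code: the node paths are the usual EKS-optimized AMI locations but are assumptions here, the config layout is the standard `KubeletConfiguration` JSON, and the two sample configs are constructed. Absent keys are judged by the kubelet's own default for that field, which is the insecure value for several of these rules (anonymous auth, `AlwaysAllow`, the read-only port).

```python
"""Added example (not Lacework's or CIS's code): offline helpers for the kubelet
file checks 3.1.1-3.1.4 and the kubelet setting checks 3.2.1-3.2.11."""
import json
import os
import stat
import tempfile

# Assumed node paths (EKS-optimized AMI defaults; verify on your own nodes).
KUBELET_KUBECONFIG = "/var/lib/kubelet/kubeconfig"
KUBELET_CONFIG = "/etc/kubernetes/kubelet/kubelet-config.json"


def mode_is_at_most(path, max_mode=0o644):
    """3.1.1 / 3.1.3: no permission bit may be set beyond those in max_mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & ~max_mode == 0


def file_owner(path):
    st = os.stat(path)
    return st.st_uid, st.st_gid


def owned_by(path, uid=0, gid=0):
    """3.1.2 / 3.1.4: file must be owned by uid:gid (root:root by default)."""
    return file_owner(path) == (uid, gid)


def load_kubelet_config(path=KUBELET_CONFIG):
    with open(path) as fh:
        return json.load(fh)


def audit_kubelet_config(cfg):
    """3.2.x against a parsed KubeletConfiguration. Returns {rule: passed}."""
    auth = cfg.get("authentication", {})
    idle = cfg.get("streamingConnectionIdleTimeout", "4h")
    qps = cfg.get("eventRecordQPS", 5)
    return {
        # 3.2.1: anonymous requests are accepted unless explicitly disabled
        "3.2.1": auth.get("anonymous", {}).get("enabled") is False,
        # 3.2.2: AlwaysAllow is the default when no mode is configured
        "3.2.2": cfg.get("authorization", {}).get("mode", "AlwaysAllow") != "AlwaysAllow",
        # 3.2.3: a client CA bundle must be configured for certificate auth
        "3.2.3": bool(auth.get("x509", {}).get("clientCAFile")),
        # 3.2.4: the read-only port defaults to 10255; 0 disables it
        "3.2.4": cfg.get("readOnlyPort", 10255) == 0,
        # 3.2.5: 0 means idle streaming connections are never closed
        "3.2.5": idle not in (0, "0", "0s"),
        "3.2.6": cfg.get("protectKernelDefaults") is True,
        # 3.2.7: defaults to true, so an absent key passes
        "3.2.7": cfg.get("makeIPTablesUtilChains", True) is True,
        # 3.2.9: 0 is unlimited; any other non-negative value needs manual review
        "3.2.9": isinstance(qps, int) and qps >= 0,
        # 3.2.10: client certificate rotation defaults to true; only False fails
        "3.2.10": cfg.get("rotateCertificates", True) is not False,
        "3.2.11": cfg.get("featureGates", {}).get("RotateKubeletServerCertificate") is True,
    }


def audit_kubelet_cmdline(argv):
    """3.2.8 is a command-line flag, not a config-file field. Command-line flags
    also override the config file, so a complete audit must read both."""
    return {"3.2.8": not any(a == "--hostname-override" or
                             a.startswith("--hostname-override=") for a in argv)}


def make_sample_file(mode):
    """Constructed input for the permission checks: a temp file chmod'ed to mode."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, mode)
    return path


# Constructed sample configs: one hardened, one with the insecure defaults left in.
HARDENED_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
    "streamingConnectionIdleTimeout": "4h0m0s",
    "protectKernelDefaults": True,
    "makeIPTablesUtilChains": True,
    "eventRecordQPS": 0,
    "rotateCertificates": True,
    "featureGates": {"RotateKubeletServerCertificate": True},
}
WEAK_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
    "streamingConnectionIdleTimeout": "0",
    "rotateCertificates": False,
}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_KUBELET_CONFIG), ("weak", WEAK_KUBELET_CONFIG)):
        failed = sorted(r for r, ok in audit_kubelet_config(cfg).items() if not ok)
        print(f"{name}: failed {failed or 'none'}")
```

On a real node, run `audit_kubelet_config(load_kubelet_config())` and `audit_kubelet_cmdline` over the kubelet's `/proc/<pid>/cmdline`, and apply `mode_is_at_most` and `owned_by` to `KUBELET_KUBECONFIG` and `KUBELET_CONFIG`. The ownership check has to run as a user that can stat the files, and the 644 bound is an upper bound: 600 passes, 664 fails.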
📄️ 3.3.1
3.3.1 Prefer using Container-Optimized OS when possible (Manual)
📄️ 4.1.1
4.1.1 Ensure that the cluster-admin role is only used where required (Automated)
📄️ 4.1.2
This rule also encompasses lacework-global-662. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
📄️ 4.1.3
This rule also encompasses lacework-global-663. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
📄️ 4.1.4
This rule also encompasses lacework-global-664. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
📄️ 4.1.5
This rule also encompasses lacework-global-665 and lacework-global-666. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
📄️ 4.1.6
4.1.6 Ensure that Service Account Tokens are only mounted where necessary (Automated)
📄️ 4.2.1
4.2.1 Minimize the execution of privileged container workloads (Automated)
📄️ 4.2.2
4.2.2 Minimize the execution of container workloads sharing the host process ID namespace (Automated)
📄️ 4.2.3
4.2.3 Minimize the execution of container workloads sharing the host IPC namespace (Automated)
📄️ 4.2.4
4.2.4 Minimize the execution of container workloads sharing the host network namespace (Automated)
📄️ 4.2.5
4.2.5 Minimize the execution of container workloads that can escalate their privileges above those of their parent process (Automated)
📄️ 4.2.6
4.2.6 Minimize the execution of container workloads running as the root user (Automated)
📄️ 4.2.7
4.2.7 Minimize the execution of container workloads with the NET_RAW capability (Automated)
📄️ 4.2.8
4.2.8 Minimize the execution of container workloads with added capabilities (Automated)
📄️ 4.2.9
4.2.9 Minimize the admission of containers with capabilities assigned (Manual)
📄️ 4.3.1
4.3.1 Ensure latest CNI version is used (Manual)
📄️ 4.3.2
4.3.2 Ensure that all Namespaces have Network Policies defined (Manual)
📄️ 4.4.1
4.4.1 Prefer using secrets as files over secrets as environment variables (Manual)
📄️ 4.4.2
4.4.2 Consider external secret storage (Manual)
📄️ 4.6.1
4.6.1 Create administrative boundaries between resources using namespaces (Manual)
📄️ 4.6.2
4.6.2 Apply Security Context to Your Pods and Containers (Manual)
📄️ 4.6.3
4.6.3 The default namespace should not be used (Automated)
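The workload checks in this section (4.1.6, 4.2.1 to 4.2.8 and 4.6.3) all evaluate fields of a Pod object, so a single pass over `kubectl get pod -o json` output covers them. The audit below is an added example, not Lacework's or CIS's code; the field defaults follow the Kubernetes Pod spec (a container-level `securityContext` overrides the pod-level one for shared keys, `allowPrivilegeEscalation` defaults to true, and the container runtime's default capability set includes `NET_RAW`, so it must be dropped explicitly), and the two sample pods are constructed. 4.2.9 is an admission-time control and is not scored here.

```python
"""Added example (not Lacework's or CIS's code): audit one Pod object against
4.1.6, 4.2.1-4.2.8 and 4.6.3. Sample pods are constructed."""

HOST_NAMESPACE_RULES = {"4.2.2": "hostPID", "4.2.3": "hostIPC", "4.2.4": "hostNetwork"}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def _sc(container):
    return container.get("securityContext") or {}


def _effective(container, pod, key, default=None):
    """Container securityContext overrides the pod-level one for shared keys."""
    if key in _sc(container):
        return _sc(container)[key]
    return (pod.get("spec", {}).get("securityContext") or {}).get(key, default)


def _caps(container, which):
    return {c.upper() for c in (_sc(container).get("capabilities") or {}).get(which) or []}


def _runs_as_non_root(container, pod):
    if _effective(container, pod, "runAsNonRoot") is True:
        return True
    uid = _effective(container, pod, "runAsUser")
    return uid is not None and uid != 0  # unset means the image default, often root


def _drops_net_raw(container):
    dropped = {"ALL", "NET_RAW"} & _caps(container, "drop")
    return bool(dropped) and "NET_RAW" not in _caps(container, "add")


def audit_pod(pod):
    """Returns {rule: passed} for one Pod dict (kubectl get pod -o json shape)."""
    spec = pod.get("spec", {})
    cs = _containers(pod)
    results = {
        # 4.1.6: token is mounted unless disabled here or on the ServiceAccount
        "4.1.6": spec.get("automountServiceAccountToken") is False,
        "4.2.1": not any(_sc(c).get("privileged") for c in cs),
        # 4.2.5: defaults to true, so every container must set it to false
        "4.2.5": all(_sc(c).get("allowPrivilegeEscalation") is False
                     and not _sc(c).get("privileged") for c in cs),
        "4.2.6": all(_runs_as_non_root(c, pod) for c in cs),
        "4.2.7": all(_drops_net_raw(c) for c in cs),
        "4.2.8": not any(_caps(c, "add") for c in cs),
        "4.6.3": pod.get("metadata", {}).get("namespace") != "default",
    }
    for rule, field in HOST_NAMESPACE_RULES.items():
        results[rule] = not spec.get(field, False)
    return results


def failing_rules(pod):
    return sorted(r for r, ok in audit_pod(pod).items() if not ok)


# Constructed samples: a hardened service pod and a typical "debug" pod.
HARDENED_POD = {
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}
WEAK_POD = {
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "containers": [{
            "name": "shell",
            "image": "busybox",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

if __name__ == "__main__":
    print("hardened:", failing_rules(HARDENED_POD) or "none")
    print("weak:", failing_rules(WEAK_POD))
```

Feed it every item from `kubectl get pods -A -o json` to get a cluster-wide view. Note that 4.1.6 can also be satisfied by `automountServiceAccountToken: false` on the ServiceAccount object, which this per-pod pass cannot see, so a pod flagged under 4.1.6 still needs that object checked before it is reported.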
📄️ 5.1.1
5.1.1 Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Manual)
📄️ 5.1.2
5.1.2 Minimize user access to Amazon ECR (Manual)
📄️ 5.1.3
5.1.3 Minimize cluster access to read-only for Amazon ECR (Manual)
📄️ 5.1.4
5.1.4 Minimize Container Registries to only those approved (Automated)
📄️ 5.2.1
5.2.1 Prefer using managed identities for workloads (Manual)
📄️ 5.3.1
5.3.1 Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Automated)
📄️ 5.4.1
5.4.1 Restrict Access to the Control Plane Endpoint (Automated)
📄️ 5.4.2
5.4.2 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)
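The control-plane settings behind 2.1.1, 5.3.1, 5.4.1 and 5.4.2 are all visible in one `aws eks describe-cluster --name <cluster>` response, so they can be scored from a saved copy of that JSON. The evaluator below is an added example, not Lacework's or CIS's code; the field layout is the EKS DescribeCluster response shape (`resourcesVpcConfig`, `logging.clusterLogging`, `encryptionConfig`) and the sample responses are constructed.

```python
"""Added example (not Lacework's or CIS's code): score a DescribeCluster response
against 2.1.1, 5.3.1, 5.4.1 and 5.4.2. Samples are constructed."""
import json

ANY_IPV4 = "0.0.0.0/0"


def audit_cluster(describe_output):
    """describe_output is the parsed JSON from `aws eks describe-cluster`."""
    c = describe_output["cluster"]
    vpc = c.get("resourcesVpcConfig", {})
    # 2.1.1: the "audit" log type must be in an enabled clusterLogging entry
    audit_on = any(entry.get("enabled") and "audit" in entry.get("types", [])
                   for entry in c.get("logging", {}).get("clusterLogging", []))
    # 5.3.1: envelope encryption of secrets with a KMS key. Whether that key is
    # customer managed rather than AWS managed needs `aws kms describe-key`.
    secrets_kms = any("secrets" in e.get("resources", []) and e.get("provider", {}).get("keyArn")
                      for e in c.get("encryptionConfig") or [])
    # EKS defaults: public endpoint on, open to the world, private endpoint off
    public = vpc.get("endpointPublicAccess", True)
    private = vpc.get("endpointPrivateAccess", False)
    cidrs = vpc.get("publicAccessCidrs", [ANY_IPV4])
    return {
        "2.1.1": audit_on,
        "5.3.1": bool(secrets_kms),
        # 5.4.1: if the public endpoint exists it must be allow-listed, never 0.0.0.0/0
        "5.4.1": (not public) or (ANY_IPV4 not in cidrs),
        # 5.4.2: private endpoint enabled and public endpoint disabled
        "5.4.2": private is True and not public,
    }


def failing_rules(describe_output):
    return sorted(r for r, ok in audit_cluster(describe_output).items() if not ok)


# Constructed DescribeCluster responses.
HARDENED_CLUSTER = {"cluster": {
    "name": "prod",
    "resourcesVpcConfig": {"endpointPublicAccess": False,
                           "endpointPrivateAccess": True,
                           "publicAccessCidrs": []},
    "logging": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator"], "enabled": True},
        {"types": ["controllerManager", "scheduler"], "enabled": False}]},
    "encryptionConfig": [{"resources": ["secrets"],
                          "provider": {"keyArn": "arn:aws:kms:us-east-1:123456789012:key/example"}}],
}}
DEFAULT_CLUSTER = {"cluster": {
    "name": "dev",
    "resourcesVpcConfig": {"endpointPublicAccess": True,
                           "endpointPrivateAccess": False,
                           "publicAccessCidrs": [ANY_IPV4]},
    "logging": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator", "controllerManager", "scheduler"],
         "enabled": False}]},
}}
RESTRICTED_PUBLIC_CLUSTER = {"cluster": {
    "name": "staging",
    "resourcesVpcConfig": {"endpointPublicAccess": True,
                           "endpointPrivateAccess": True,
                           "publicAccessCidrs": ["203.0.113.0/24"]},
    "logging": {"clusterLogging": [{"types": ["audit"], "enabled": True}]},
    "encryptionConfig": [{"resources": ["secrets"],
                          "provider": {"keyArn": "arn:aws:kms:us-east-1:123456789012:key/example"}}],
}}

if __name__ == "__main__":
    for sample in (HARDENED_CLUSTER, DEFAULT_CLUSTER, RESTRICTED_PUBLIC_CLUSTER):
        print(sample["cluster"]["name"], failing_rules(sample) or "none")
```

The third sample shows the difference between 5.4.1 and 5.4.2: a public endpoint restricted to an allow-list satisfies 5.4.1 but still fails 5.4.2, which requires the public endpoint to be disabled outright. Pipe a real response in with `json.load` on the saved CLI output.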
📄️ 5.4.3
5.4.3 Ensure clusters are created with Private Nodes (Manual)
📄️ 5.4.4
5.4.4 Ensure Network Policy is Enabled and set as appropriate (Manual)
📄️ 5.4.5
5.4.5 Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)
📄️ 5.5.1
5.5.1 Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)
📄️ 5.6.1
5.6.1 Consider Fargate for running untrusted workloads (Manual)