CIS Amazon EKS 1.1.0 | Lacework Documentation

📄️ 2.1.1

2.1.1 Enable audit Logs (Automated)

📄️ 3.1.1

3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)

📄️ 3.1.2

3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)

📄️ 3.1.3

3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)

📄️ 3.1.4

3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Automated)

📄️ 3.2.1

3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

📄️ 3.2.2

3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

📄️ 3.2.3

3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)

📄️ 3.2.4

3.2.4 Ensure that the --read-only-port is secured (Automated)

📄️ 3.2.5

3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)

📄️ 3.2.6

3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

📄️ 3.2.7

3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)

📄️ 3.2.8

3.2.8 Ensure that the --hostname-override argument is not set (Automated)

📄️ 3.2.9

3.2.9 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Manual)

📄️ 3.2.10

3.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)

📄️ 3.2.11

3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)

📄️ 3.3.1

3.3.1 Prefer using Container-Optimized OS when possible (Manual)

📄️ 4.1.1

4.1.1 Ensure that the cluster-admin role is only used where required (Automated)

📄️ 4.1.2

This rule also encompasses lacework-global-662. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.

📄️ 4.1.3

This rule also encompasses lacework-global-663. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.

📄️ 4.1.4

This rule also encompasses lacework-global-664. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.

📄️ 4.1.5

This rule also encompasses lacework-global-665 and lacework-global-666. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.

📄️ 4.1.6

4.1.6 Ensure that Service Account Tokens are only mounted where necessary (Automated)

📄️ 4.2.1

4.2.1 Minimize the execution of privileged container workloads (Automated)

📄️ 4.2.2

4.2.2 Minimize the execution of container workloads sharing the host process ID namespace (Automated)

📄️ 4.2.3

4.2.3 Minimize the execution of container workloads sharing the host IPC namespace (Automated)

📄️ 4.2.4

4.2.4 Minimize the execution of container workloads sharing the host network namespace (Automated)

📄️ 4.2.5

4.2.5 Minimize the execution of container workloads that can escalate their privileges above those of their parent process (Automated)

📄️ 4.2.6

4.2.6 Minimize the execution of container workloads running as the root user (Automated)

📄️ 4.2.7

4.2.7 Minimize the execution of container workloads with the NET_RAW capability (Automated)

📄️ 4.2.8

4.2.8 Minimize the execution of container workloads with added capabilities (Automated)

📄️ 4.2.9

4.2.9 Minimize the admission of containers with capabilities assigned (Manual)

📄️ 4.3.1

4.3.1 Ensure latest CNI version is used (Manual)

📄️ 4.3.2

4.3.2 Ensure that all Namespaces have Network Policies defined (Manual)

📄️ 4.4.1

4.4.1 Prefer using secrets as files over secrets as environment variables (Manual)

📄️ 4.4.2

4.4.2 Consider external secret storage (Manual)

📄️ 4.6.1

4.6.1 Create administrative boundaries between resources using namespaces (Manual)

📄️ 4.6.2

4.6.2 Apply Security Context to Your Pods and Containers (Manual)

📄️ 4.6.3

4.6.3 The default namespace should not be used (Automated)

📄️ 5.1.1

5.1.1 Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Manual)

📄️ 5.1.2

5.1.2 Minimize user access to Amazon ECR (Manual)

📄️ 5.1.3

5.1.3 Minimize cluster access to read-only for Amazon ECR (Manual)

📄️ 5.1.4

5.1.4 Minimize Container Registries to only those approved (Automated)

📄️ 5.2.1

5.2.1 Prefer using managed identities for workloads (Manual)

📄️ 5.3.1

5.3.1 Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Automated)

📄️ 5.4.1

5.4.1 Restrict Access to the Control Plane Endpoint (Automated)

📄️ 5.4.2

5.4.2 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)

📄️ 5.4.3

5.4.3 Ensure clusters are created with Private Nodes (Manual)

📄️ 5.4.4

5.4.4 Ensure Network Policy is Enabled and set as appropriate (Manual)

📄️ 5.4.5

5.4.5 Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)

📄️ 5.5.1

5.5.1 Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)

📄️ 5.6.1

5.6.1 Consider Fargate for running untrusted workloads (Manual)