CIS Amazon Elastic Kubernetes Service (EKS) 1.1.0 Benchmark Report
Visibility and Usage in the Lacework Console
You can use the CIS Amazon EKS 1.1.0 benchmark in the following ways:
- All CIS 1.1.0 benchmark rules are enabled or disabled through the Policies page (see Enable the CIS Amazon EKS 1.1.0 Benchmark).
- The Kubernetes Compliance Dashboard provides details for Kubernetes assessments, including the CIS Amazon EKS CIS 1.1.0 report.
Prerequisites
This topic describes how to integrate your Amazon Elastic Kubernetes Service (EKS) with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Amazon EKS 1.1.0 benchmark:
CIS Amazon EKS 1.1.0 Benchmark Policies
All policies in the CIS Amazon EKS 1.1.0 benchmark are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies through the Lacework Console
On the Policies page, use the framework:cis-eks-1-1-0 tag to filter for CIS Amazon EKS 1.1.0 policies only. You can enable or disable each one using the status 
toggle.
note
Manual policies do not have a status toggle as there is no functional check to enable.
Bulk Enable or Disable CIS Amazon EKS 1.1.0 Policies through the Lacework CLI
Enable or Disable all the CIS Amazon EKS 1.1.0 policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-eks-1-1-0
lacework policy disable --tag framework:cis-eks-1-1-0
tip
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Automated vs Manual Rules
Lacework automates compliance rules where possible. For some benchmark rules, it is not possible to automate the rule checks in an AWS environment. These rules are called manual rules. You must verify such rules manually.
Automated Rules (that were deemed manual)
In some cases, Lacework is able to automate certain CIS Amazon EKS 1.1.0 benchmark rules that were deemed as manual by CIS. The following table outlines these rules:
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID(s) | Title |
|---|---|---|
| 2.1.1 | lacework-global-315 | Enable audit Logs |
| 3.1.1 | lacework-global-316 | Ensure that the kubeconfig file permissions are set to 644 or more restrictive |
| 3.1.2 | lacework-global-317 | Ensure that the kubelet kubeconfig file ownership is set to root:root |
| 3.1.3 | lacework-global-318 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive |
| 3.1.4 | lacework-global-319 | Ensure that the kubelet configuration file ownership is set to root:root |
| 3.2.3 | lacework-global-322 | Ensure that the --client-ca-file argument is set as appropriate |
| 3.2.4 | lacework-global-323 | Ensure that the --read-only-port is secured |
| 3.2.5 | lacework-global-324 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
| 3.2.8 | lacework-global-327 | Ensure that the --hostname-override argument is not set |
| 3.2.10 | lacework-global-329 | Ensure that the --rotate-certificates argument is not set to false |
| 3.2.11 | lacework-global-330 | Ensure that the RotateKubeletServerCertificate argument is set to true |
| 4.1.1 | lacework-global-331 | Ensure that the cluster-admin role is only used where required |
| 4.1.2 | lacework-global-332 lacework-global-662 | Minimize access to secrets |
| 4.1.3 | lacework-global-333 lacework-global-663 | Minimize wildcard use in Roles and ClusterRoles |
| 4.1.4 | lacework-global-334 lacework-global-664 | Minimize access to create pods |
| 4.1.5 | lacework-global-335 lacework-global-665 lacework-global-666 | Ensure that default service accounts are not actively used |
| 4.1.6 | lacework-global-336 | Ensure that Service Account Tokens are only mounted where necessary |
| 4.2.8 | lacework-global-655 | Minimize the admission of containers with added capabilities |
| 4.6.3 | lacework-global-352 | The default namespace should not be used |
| 5.1.4 | lacework-global-356 | Minimize Container Registries to only those approved |
| 5.3.1 | lacework-global-358 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS |
| 5.4.1 | lacework-global-359 | Restrict Access to the Control Plane Endpoint |
| 5.4.2 | lacework-global-360 | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled |
Adjusted Rules
4.1.2 Minimize access to secrets
This rule has been split into two different policies to monitor ClusterRoleBindings and RoleBindings separately.
The table below outlines each rule and their new title:
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.2 | lacework-global-332 | Minimize access to secrets in ClusterRoleBindings. |
| 4.1.2 | lacework-global-662 | Minimize access to secrets in RoleBindings. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-332.
4.1.3 Minimize wildcard use in Roles and ClusterRoles
This rule has been split into two different policies to monitor ClusterRoles and Roles separately.
The table below outlines each rule and their new title:
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.3 | lacework-global-333 | Minimize wildcard use in ClusterRoles. |
| 4.1.3 | lacework-global-663 | Minimize wildcard use in Roles. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-333.
4.1.4 Minimize access to create pods
This rule has been split into two different policies to monitor ClusterRoles and Roles separately.
The table below outlines each rule and their new title:
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.4 | lacework-global-334 | Minimize access to create pods in ClusterRoles. |
| 4.1.4 | lacework-global-664 | Minimize access to create pods in Roles. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-334.
4.1.5 Ensure that default service accounts are not actively used
This rule has been split into three different policies to monitor the following separately:
- Default service accounts in ClusterRoles.
- Default service accounts in Roles.
- Kubernetes API access tokens mounted on default service accounts.
The table below outlines each rule and their new title:
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.5 | lacework-global-335 | Ensure that default service accounts are not actively used in ClusterRoles. |
| 4.1.5 | lacework-global-665 | Ensure that default service accounts are not actively used in Roles. |
| 4.1.5 | lacework-global-666 | Ensure that default service accounts are not automatically mounting their Kubernetes API access token. |
note
The policy catalog only retains one entry for this rule, which is lacework-global-335.
4.2.1 - 4.2.8 Pod Security Policies
The original CIS Amazon EKS 1.1.0 policies for Pod Security are now deprecated. To help provide effective coverage, Lacework has designed supplementary policies for the detection and remediation of pods that have been configured insecurely.
The following table lists the CIS policies (that are disabled by default) and the corresponding Lacework supplementary policies for Pod Security:
| CIS Amazon EKS 1.1.0 Rule ID | Disabled CIS Policy | Supplementary Lacework Policy |
|---|---|---|
| 4.2.1 | lacework-global-337 | lacework-global-648 |
| 4.2.2 | lacework-global-338 | lacework-global-649 |
| 4.2.3 | lacework-global-339 | lacework-global-650 |
| 4.2.4 | lacework-global-340 | lacework-global-651 |
| 4.2.5 | lacework-global-341 | lacework-global-652 |
| 4.2.6 | lacework-global-342 | lacework-global-653 |
| 4.2.7 | lacework-global-343 | lacework-global-654 |
| 4.2.8 | lacework-global-344 | lacework-global-655 |
note
There is no supplementary policy for 4.2.9 as it is a manual rule.
Excluded Resources during 4.2.1 - 4.2.8 Policy Assessments
The Lacework Agent and workloads in the kube-system namespace are excluded during these policy assessments.
The Lacework Agent requires privileged access in order to enable monitoring for workload security. The kube-system namespace is used by the Kubernetes system and requires significant permissions to function effectively.
Policy Mapping for CIS Amazon EKS 1.1.0
The CIS Amazon EKS 1.1.0 rules are mapped to Lacework global policies. See the following sections for the mappings used.
1. Control Plane Components
This section is not applicable for managed Kubernetes clusters, therefore, it contains no rules.
2. Control Plane Configuration
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 2.1.1 | lacework-global-315 |
3. Worker Nodes
3.1 Worker Node Configuration Files
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 3.1.1 | lacework-global-316 |
| 3.1.2 | lacework-global-317 |
| 3.1.3 | lacework-global-318 |
| 3.1.4 | lacework-global-319 |
3.2 Kubelet
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 3.2.1 | lacework-global-320 |
| 3.2.2 | lacework-global-321 |
| 3.2.3 | lacework-global-322 |
| 3.2.4 | lacework-global-323 |
| 3.2.5 | lacework-global-324 |
| 3.2.6 | lacework-global-325 |
| 3.2.7 | lacework-global-326 |
| 3.2.8 | lacework-global-327 |
| 3.2.9 | lacework-global-328 |
| 3.2.10 | lacework-global-329 |
| 3.2.11 | lacework-global-330 |
3.3 Container Optimized OS
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 3.3.1 | lacework-global-366 |
4. Policies
4.1 RBAC and Service Accounts
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.1.1 | lacework-global-331 |
| 4.1.2 | lacework-global-332 (ClusterRoleBindings) lacework-global-662 (RoleBindings) |
| 4.1.3 | lacework-global-333 (ClusterRoles) lacework-global-663 (Roles) |
| 4.1.4 | lacework-global-334 (ClusterRoles) lacework-global-664 (Roles) |
| 4.1.5 | lacework-global-335 (ClusterRoles) lacework-global-665 (Roles) lacework-global-666 (Kubernetes API access tokens) |
| 4.1.6 | lacework-global-336 |
4.2 Pod Security Policies
note
See Adjusted Rules for details on changes to these policies.
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.2.1 | lacework-global-648 |
| 4.2.2 | lacework-global-649 |
| 4.2.3 | lacework-global-650 |
| 4.2.4 | lacework-global-651 |
| 4.2.5 | lacework-global-652 |
| 4.2.6 | lacework-global-653 |
| 4.2.7 | lacework-global-654 |
| 4.2.8 | lacework-global-655 |
| 4.2.9 | lacework-global-345 |
4.3 CNI Plugin
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.3.1 | lacework-global-346 |
| 4.3.2 | lacework-global-347 |
4.4 Secrets Management
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.4.1 | lacework-global-348 |
| 4.4.2 | lacework-global-349 |
4.5 Extensible Admission Control
N/A
4.6 General Policies
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.6.1 | lacework-global-350 |
| 4.6.2 | lacework-global-351 |
| 4.6.3 | lacework-global-352 |
5. Managed Services
5.1 Image Registry and Image Scanning
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.1.1 | lacework-global-353 |
| 5.1.2 | lacework-global-354 |
| 5.1.3 | lacework-global-355 |
| 5.1.4 | lacework-global-356 |
5.2 Identity and Access Management (IAM)
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.2.1 | lacework-global-357 |
5.3 AWS EKS Key Management Service
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.3.1 | lacework-global-358 |
5.4 Cluster Networking
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.4.1 | lacework-global-359 |
| 5.4.2 | lacework-global-360 |
| 5.4.3 | lacework-global-361 |
| 5.4.4 | lacework-global-362 |
| 5.4.5 | lacework-global-363 |
5.5 Authentication and Authorization
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.5.1 | lacework-global-364 |
5.6 Other Cluster Configurations
| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.6.1 | lacework-global-365 |