Skip to main content

CIS Amazon Elastic Kubernetes Service (EKS) 1.1.0 Benchmark Report

Visibility and Usage in the Lacework Console

You can use the CIS Amazon EKS 1.1.0 benchmark in the following ways:

Prerequisites

This topic describes how to integrate your Amazon Elastic Kubernetes Service (EKS) with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Amazon EKS 1.1.0 benchmark:

CIS Amazon EKS 1.1.0 Benchmark Policies

All policies in the CIS Amazon EKS 1.1.0 benchmark are enabled by default.

You can enable or disable them using one of the following methods outlined in this section.

Enable or Disable Policies through the Lacework Console

On the Policies page, use the framework:cis-eks-1-1-0 tag to filter for CIS Amazon EKS 1.1.0 policies only. You can enable or disable each one using the status policy-status-toggle.png toggle.

note

Manual policies do not have a status toggle as there is no functional check to enable.

Bulk Enable or Disable CIS Amazon EKS 1.1.0 Policies through the Lacework CLI

Enable or Disable all the CIS Amazon EKS 1.1.0 policies using the following commands in the Lacework CLI:

Enable all policies
lacework policy enable --tag framework:cis-eks-1-1-0
Disable all policies
lacework policy disable --tag framework:cis-eks-1-1-0
tip

If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.

Automated vs Manual Rules

Lacework automates compliance rules where possible. For some benchmark rules, it is not possible to automate the rule checks in an AWS environment. These rules are called manual rules. You must verify such rules manually.

Automated Rules (that were deemed manual)

In some cases, Lacework is able to automate certain CIS Amazon EKS 1.1.0 benchmark rules that were deemed as manual by CIS. The following table outlines these rules:

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID(s)Title
2.1.1lacework-global-315Enable audit Logs
3.1.1lacework-global-316Ensure that the kubeconfig file permissions are set to 644 or more restrictive
3.1.2lacework-global-317Ensure that the kubelet kubeconfig file ownership is set to root:root
3.1.3lacework-global-318Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
3.1.4lacework-global-319Ensure that the kubelet configuration file ownership is set to root:root
3.2.3lacework-global-322Ensure that the --client-ca-file argument is set as appropriate
3.2.4lacework-global-323Ensure that the --read-only-port is secured
3.2.5lacework-global-324Ensure that the --streaming-connection-idle-timeout argument is not set to 0
3.2.8lacework-global-327Ensure that the --hostname-override argument is not set
3.2.10lacework-global-329Ensure that the --rotate-certificates argument is not set to false
3.2.11lacework-global-330Ensure that the RotateKubeletServerCertificate argument is set to true
4.1.1lacework-global-331Ensure that the cluster-admin role is only used where required
4.1.2lacework-global-332
lacework-global-662
Minimize access to secrets
4.1.3lacework-global-333
lacework-global-663
Minimize wildcard use in Roles and ClusterRoles
4.1.4lacework-global-334
lacework-global-664
Minimize access to create pods
4.1.5lacework-global-335
lacework-global-665
lacework-global-666
Ensure that default service accounts are not actively used
4.1.6lacework-global-336Ensure that Service Account Tokens are only mounted where necessary
4.2.8lacework-global-655Minimize the admission of containers with added capabilities
4.6.3lacework-global-352The default namespace should not be used
5.1.4lacework-global-356Minimize Container Registries to only those approved
5.3.1lacework-global-358Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS
5.4.1lacework-global-359Restrict Access to the Control Plane Endpoint
5.4.2lacework-global-360Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

Adjusted Rules

4.1.2 Minimize access to secrets

This rule has been split into two different policies to monitor ClusterRoleBindings and RoleBindings separately.

The table below outlines each rule and their new title:

CIS Amazon EKS 1.1.0 Rule IDLacework Policy IDTitle
4.1.2lacework-global-332Minimize access to secrets in ClusterRoleBindings.
4.1.2lacework-global-662Minimize access to secrets in RoleBindings.
note

The policy catalog only retains one entry for this rule, which is lacework-global-332.

4.1.3 Minimize wildcard use in Roles and ClusterRoles

This rule has been split into two different policies to monitor ClusterRoles and Roles separately.

The table below outlines each rule and their new title:

CIS Amazon EKS 1.1.0 Rule IDLacework Policy IDTitle
4.1.3lacework-global-333Minimize wildcard use in ClusterRoles.
4.1.3lacework-global-663Minimize wildcard use in Roles.
note

The policy catalog only retains one entry for this rule, which is lacework-global-333.

4.1.4 Minimize access to create pods

This rule has been split into two different policies to monitor ClusterRoles and Roles separately.

The table below outlines each rule and their new title:

CIS Amazon EKS 1.1.0 Rule IDLacework Policy IDTitle
4.1.4lacework-global-334Minimize access to create pods in ClusterRoles.
4.1.4lacework-global-664Minimize access to create pods in Roles.
note

The policy catalog only retains one entry for this rule, which is lacework-global-334.

4.1.5 Ensure that default service accounts are not actively used

This rule has been split into three different policies to monitor the following separately:

  1. Default service accounts in ClusterRoles.
  2. Default service accounts in Roles.
  3. Kubernetes API access tokens mounted on default service accounts.

The table below outlines each rule and their new title:

CIS Amazon EKS 1.1.0 Rule IDLacework Policy IDTitle
4.1.5lacework-global-335Ensure that default service accounts are not actively used in ClusterRoles.
4.1.5lacework-global-665Ensure that default service accounts are not actively used in Roles.
4.1.5lacework-global-666Ensure that default service accounts are not automatically mounting their Kubernetes API access token.
note

The policy catalog only retains one entry for this rule, which is lacework-global-335.

4.2.1 - 4.2.8 Pod Security Policies

The original CIS Amazon EKS 1.1.0 policies for Pod Security are now deprecated. To help provide effective coverage, Lacework has designed supplementary policies for the detection and remediation of pods that have been configured insecurely.

The following table lists the CIS policies (that are disabled by default) and the corresponding Lacework supplementary policies for Pod Security:

CIS Amazon EKS 1.1.0 Rule IDDisabled CIS PolicySupplementary Lacework Policy
4.2.1lacework-global-337lacework-global-648
4.2.2lacework-global-338lacework-global-649
4.2.3lacework-global-339lacework-global-650
4.2.4lacework-global-340lacework-global-651
4.2.5lacework-global-341lacework-global-652
4.2.6lacework-global-342lacework-global-653
4.2.7lacework-global-343lacework-global-654
4.2.8lacework-global-344lacework-global-655
note

There is no supplementary policy for 4.2.9 as it is a manual rule.

Excluded Resources during 4.2.1 - 4.2.8 Policy Assessments

The Lacework Agent and workloads in the kube-system namespace are excluded during these policy assessments.

The Lacework Agent requires privileged access in order to enable monitoring for workload security. The kube-system namespace is used by the Kubernetes system and requires significant permissions to function effectively.

Policy Mapping for CIS Amazon EKS 1.1.0

The CIS Amazon EKS 1.1.0 rules are mapped to Lacework global policies. See the following sections for the mappings used.

1. Control Plane Components

This section is not applicable for managed Kubernetes clusters, therefore, it contains no rules.

2. Control Plane Configuration

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
2.1.1lacework-global-315

3. Worker Nodes

3.1 Worker Node Configuration Files

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
3.1.1lacework-global-316
3.1.2lacework-global-317
3.1.3lacework-global-318
3.1.4lacework-global-319

3.2 Kubelet

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
3.2.1lacework-global-320
3.2.2lacework-global-321
3.2.3lacework-global-322
3.2.4lacework-global-323
3.2.5lacework-global-324
3.2.6lacework-global-325
3.2.7lacework-global-326
3.2.8lacework-global-327
3.2.9lacework-global-328
3.2.10lacework-global-329
3.2.11lacework-global-330

3.3 Container Optimized OS

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
3.3.1lacework-global-366

4. Policies

4.1 RBAC and Service Accounts

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
4.1.1lacework-global-331
4.1.2lacework-global-332 (ClusterRoleBindings)
lacework-global-662 (RoleBindings)
4.1.3lacework-global-333 (ClusterRoles)
lacework-global-663 (Roles)
4.1.4lacework-global-334 (ClusterRoles)
lacework-global-664 (Roles)
4.1.5lacework-global-335 (ClusterRoles)
lacework-global-665 (Roles)
lacework-global-666 (Kubernetes API access tokens)
4.1.6lacework-global-336

4.2 Pod Security Policies

note

See Adjusted Rules for details on changes to these policies.

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
4.2.1lacework-global-648
4.2.2lacework-global-649
4.2.3lacework-global-650
4.2.4lacework-global-651
4.2.5lacework-global-652
4.2.6lacework-global-653
4.2.7lacework-global-654
4.2.8lacework-global-655
4.2.9lacework-global-345

4.3 CNI Plugin

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
4.3.1lacework-global-346
4.3.2lacework-global-347

4.4 Secrets Management

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
4.4.1lacework-global-348
4.4.2lacework-global-349

4.5 Extensible Admission Control

N/A

4.6 General Policies

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
4.6.1lacework-global-350
4.6.2lacework-global-351
4.6.3lacework-global-352

5. Managed Services

5.1 Image Registry and Image Scanning

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
5.1.1lacework-global-353
5.1.2lacework-global-354
5.1.3lacework-global-355
5.1.4lacework-global-356

5.2 Identity and Access Management (IAM)

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
5.2.1lacework-global-357

5.3 AWS EKS Key Management Service

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
5.3.1lacework-global-358

5.4 Cluster Networking

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
5.4.1lacework-global-359
5.4.2lacework-global-360
5.4.3lacework-global-361
5.4.4lacework-global-362
5.4.5lacework-global-363

5.5 Authentication and Authorization

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
5.5.1lacework-global-364

5.6 Other Cluster Configurations

CIS Amazon EKS 1.1.0 Rule IDLacework Policy ID
5.6.1lacework-global-365