More Info:

Your Amazon EKS cluster API server endpoints should not be publicly accessible from the Internet in order to avoid exposing private data and minimizing security risks. The level of access to your Kubernetes API server endpoints depends on your EKS application use cases. It is recommended that the API server endpoints should be accessible only from within your AWS VPC.

Risk Level

Low

Address

Security

Compliance Standards

HITRUST, CISEKS, SOC2, NISTCSF, PCIDSS

Remediation

Using Console

Sure, here are the step-by-step instructions on how to remediate the “Endpoints Should Not Be Publicly Accessible” misconfiguration in AWS using the AWS console:

  1. Log in to the AWS Management Console.
  2. Go to the Amazon VPC service.
  3. Click on “Endpoints” in the left navigation pane.
  4. Select the endpoint that you want to remediate.
  5. Click on the “Actions” button and select “Modify Endpoint”.
  6. In the “Modify Endpoint” dialog box, select the “Private” option for the endpoint.
  7. Click “Save Changes” to apply the changes.

After following these steps, the endpoint will no longer be publicly accessible and will only be accessible through the VPC.

Using CLI

To remediate this misconfiguration in AWS using AWS CLI, follow these steps:

  1. Open the AWS CLI on your local machine.

  2. Run the following command to list all VPC endpoints in your AWS account:

aws ec2 describe-vpc-endpoints

  1. Identify the VPC endpoint that is publicly accessible.

  2. Run the following command to modify the VPC endpoint to make it not publicly accessible:

aws ec2 modify-vpc-endpoint --vpc-endpoint-id <VPC_ENDPOINT_ID> --no-public-dns-enabled --policy-document '{"Statement":[{"Effect":"Deny","Principal":"*","Action":"*","Resource":"*"}],"Version":"2012-10-17"}'

Replace <VPC_ENDPOINT_ID> with the ID of the VPC endpoint that you identified in step 3.

  1. Verify that the VPC endpoint is no longer publicly accessible by running the following command:
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <VPC_ENDPOINT_ID>

This command should return an output that includes "PrivateDnsEnabled": true and "PolicyDocument": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*"}], "Version": "2012-10-17"} for the VPC endpoint that you modified.

  1. Repeat steps 3-5 for any other publicly accessible VPC endpoints in your AWS account.

Using Python

To remediate the misconfiguration “Endpoints Should Not Be Publicly Accessible” for AWS using Python, follow these steps:

  1. Identify the endpoints that are publicly accessible. You can use the AWS CLI command aws ec2 describe-security-groups to list all security groups and their associated rules.

  2. For each security group that has a rule allowing public access to an endpoint, you will need to remove the rule. You can use the AWS CLI command aws ec2 revoke-security-group-ingress to remove the rule.

  3. To automate this process using Python, you can use the Boto3 library, which is the AWS SDK for Python. Here is an example code snippet that will remove all rules allowing public access to endpoints for a specific security group:

import boto3

# Replace <security-group-id> with the actual ID of the security group
security_group_id = '<security-group-id>'

# Create an EC2 client
ec2 = boto3.client('ec2')

# Describe the security group to get its current rules
response = ec2.describe_security_groups(GroupIds=[security_group_id])
security_group = response['SecurityGroups'][0]

# Remove all rules allowing public access to endpoints
for rule in security_group['IpPermissions']:
    if rule['IpRanges'][0]['CidrIp'] == '0.0.0.0/0':
        ec2.revoke_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=[rule]
        )
  1. You can run this Python script as a Lambda function and schedule it to run periodically to ensure that any new endpoints that are publicly accessible are remediated automatically. You can also modify the script to remediate all security groups in your AWS account, not just a specific one.

Additional Reading: