Endpoints Should Not Be Publicly Accessible

More Info:

Your Amazon EKS cluster API server endpoints should not be publicly accessible from the Internet in order to avoid exposing private data and minimizing security risks. The level of access to your Kubernetes API server endpoints depends on your EKS application use cases. It is recommended that the API server endpoints should be accessible only from within your AWS VPC.

Risk Level

Low

Address

Security

Compliance Standards

HITRUST, CISEKS, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this misconfiguration in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to list all VPC endpoints in your AWS account:

aws ec2 describe-vpc-endpoints

Identify the VPC endpoint that is publicly accessible.
Run the following command to modify the VPC endpoint to make it not publicly accessible:

aws ec2 modify-vpc-endpoint --vpc-endpoint-id <VPC_ENDPOINT_ID> --no-public-dns-enabled --policy-document '{"Statement":[{"Effect":"Deny","Principal":"*","Action":"*","Resource":"*"}],"Version":"2012-10-17"}'

Replace <VPC_ENDPOINT_ID> with the ID of the VPC endpoint that you identified in step 3.

Verify that the VPC endpoint is no longer publicly accessible by running the following command:

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <VPC_ENDPOINT_ID>

This command should return an output that includes "PrivateDnsEnabled": true and

"PolicyDocument": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*"}], "Version": "2012-10-17"}

for the VPC endpoint that you modified.

Repeat steps 3-5 for any other publicly accessible VPC endpoints in your AWS account.

Using Python

To remediate the misconfiguration “Endpoints Should Not Be Publicly Accessible” for AWS using Python, follow these steps:

Identify the endpoints that are publicly accessible. You can use the AWS CLI command aws ec2 describe-security-groups to list all security groups and their associated rules.
For each security group that has a rule allowing public access to an endpoint, you will need to remove the rule. You can use the AWS CLI command aws ec2 revoke-security-group-ingress to remove the rule.
To automate this process using Python, you can use the Boto3 library, which is the AWS SDK for Python. Here is an example code snippet that will remove all rules allowing public access to endpoints for a specific security group:

import boto3

# Replace <security-group-id> with the actual ID of the security group
security_group_id = '<security-group-id>'

# Create an EC2 client
ec2 = boto3.client('ec2')

# Describe the security group to get its current rules
response = ec2.describe_security_groups(GroupIds=[security_group_id])
security_group = response['SecurityGroups'][0]

# Remove all rules allowing public access to endpoints
for rule in security_group['IpPermissions']:
    if rule['IpRanges'][0]['CidrIp'] == '0.0.0.0/0':
        ec2.revoke_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=[rule]
        )

You can run this Python script as a Lambda function and schedule it to run periodically to ensure that any new endpoints that are publicly accessible are remediated automatically. You can also modify the script to remediate all security groups in your AWS account, not just a specific one.

Additional Reading:

https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Endpoints Should Not Be Publicly Accessible

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: