EKS Cluster Should Allow Inbound Traffic only from Port 443(HTTPS)
More Info:
Security groups associated with EKS clusters should allow inbound traffic only on TCP port 443 (HTTPS). This prevents any malicious activities such as brute-force attacks and also meets compliance requirements.Risk Level
MediumAddress
SecurityCompliance Standards
SOC2, GDPR, PCIDSS, NIST, HITRUST, NISTCSFTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration in AWS, follow the steps below:
- Login to the AWS console and navigate to the Amazon EKS service.
- Select the EKS cluster that needs to be remediated.
- Click on the “Configuration” tab in the left-hand menu.
- Scroll down to the “Networking” section and click on the “Edit” button.
- In the “Security group rules” section, locate the security group that is associated with your EKS cluster.
- Click on the “Edit” button next to the security group.
- In the “Inbound rules” section, locate the rule that allows inbound traffic on port 443.
- If the rule is missing, click on the “Add rule” button and select “HTTPS” from the dropdown menu.
- If the rule is present but allows traffic from other ports as well, click on the “Edit” button next to the rule and change the port range to only allow traffic on port 443.
- Once the rule has been updated, click on the “Save rules” button to apply the changes.
- Verify that the inbound traffic is now restricted to port 443 by checking the security group rules.
Using CLI
Using CLI
To remediate this misconfiguration for an EKS cluster in AWS using AWS CLI, follow these steps:Replace the Replace the This should return a JSON object containing the details of the security group associated with your EKS cluster, including the new inbound rule for port 443.Your EKS cluster is now configured to allow inbound traffic only from port 443.
- Open the AWS CLI on your local machine.
- Run the following command to list all the EKS clusters in your AWS account:
- Choose the EKS cluster that you want to remediate and run the following command to update the cluster’s security group:
<cluster_name> with the name of your EKS cluster, <region_name> with the AWS region where your cluster is located and <security_group_id> with the ID of the security group associated with your EKS cluster.- Run the following command to create a new security group rule that allows inbound traffic only from port 443:
<security_group_id> with the ID of the security group associated with your EKS cluster.- Verify that the new security group rule has been added successfully by running the following command:
Using Python
Using Python
To remediate the misconfiguration of allowing inbound traffic only from port 443 for an EKS Cluster in AWS, you can follow the below steps using Python:This code will remove all the existing inbound rules that allow traffic from ports other than 443 and add a new inbound rule that allows traffic only from port 443.Note: Replace ‘your_cluster_name’ with the actual name of your EKS cluster. Also, make sure you have the necessary permissions to modify the security group.
- Install the AWS SDK for Python (Boto3) using the following command:
- Create a Boto3 client for Amazon EKS using the following code:
- Get the details of the EKS cluster using the following code:
- Get the security group ID of the worker nodes using the following code:
- Get the details of the security group using the following code:
- Update the inbound rules of the security group to allow traffic only from port 443 using the following code: