AWS Kubernetes (EKS) Audit

Audit your EKS to safeguard your data

What do we do?

EKS Security Groups

Security groups associated with EKS clusters should allow inbound traffic only on TCP port 443 (HTTPS). This limits exposure to malicious activity such as brute-force attempts against other listening services and also helps meet compliance requirements.

Addresses: Security

Logging Enabled

EKS clusters should have control plane logging enabled and publish their API, audit, authenticator, controller manager and scheduler logs to Amazon CloudWatch Logs.

Addresses: Security, Reliability

Running Recent Version

Ensure that your Amazon Elastic Kubernetes Service (EKS) clusters are running the latest stable version of the Kubernetes container-orchestration system, in order to follow AWS best practices, receive the latest Kubernetes features, design updates and bug fixes, and benefit from better security and performance.

Addresses: Security, Reliability

Non-public Endpoints

Your Amazon EKS cluster API server endpoints should not be publicly accessible from the Internet, to avoid exposing private data and to minimize security risk. The level of access to your Kubernetes API server endpoints depends on your EKS application use cases. It is recommended that the API server endpoints be accessible only from within your AWS VPC.

Addresses: Security
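The four cluster-level checks above (security group ingress, control plane logging, endpoint exposure and Kubernetes version) can be evaluated against the data AWS already returns for a cluster. The following is an added example, not Cloudanix's own tooling: it takes dicts shaped like the responses of boto3's `eks.describe_cluster()` and `ec2.describe_security_groups()` and returns a list of findings. The cluster name, security group id, CIDRs and the `LATEST_VERSION` value are constructed placeholders; in practice the input dicts come from those boto3 calls and `LATEST_VERSION` is taken from the Kubernetes versions table in the EKS documentation.

```python
"""Evaluate an EKS cluster description against the cluster-level checks above.

Added example (not Cloudanix code). Input dict shapes follow boto3's
eks.describe_cluster()["cluster"] and ec2.describe_security_groups()["SecurityGroups"];
all sample values below are constructed for this example, not real resources.
"""

# The five control plane log types EKS can ship to CloudWatch Logs.
REQUIRED_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def check_security_group(sg):
    """Flag every inbound rule that is not exactly TCP/443."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")            # "-1" means all protocols
        from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
        if proto != "tcp" or from_port != 443 or to_port != 443:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
            findings.append(f"{sg['GroupId']}: inbound {proto} {from_port}-{to_port} "
                            f"from {sources} is not TCP/443")
    return findings


def check_logging(cluster):
    """Report control plane log types that are not enabled."""
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    missing = sorted(REQUIRED_LOG_TYPES - enabled)
    if missing:
        return [f"{cluster['name']}: control plane log types not sent to CloudWatch: {missing}"]
    return []


def check_endpoint(cluster):
    """Public endpoint access is a finding; private access should be on."""
    vpc = cluster["resourcesVpcConfig"]
    findings = []
    if vpc.get("endpointPublicAccess"):
        findings.append(f"{cluster['name']}: API endpoint is publicly reachable "
                        f"from {vpc.get('publicAccessCidrs', [])}")
    if not vpc.get("endpointPrivateAccess"):
        findings.append(f"{cluster['name']}: private (in-VPC) endpoint access is disabled")
    return findings


def check_version(cluster, latest_version):
    """Compare the cluster's Kubernetes version tuple against the newest EKS offers."""
    current = tuple(int(p) for p in cluster["version"].split("."))
    latest = tuple(int(p) for p in latest_version.split("."))
    if current < latest:
        return [f"{cluster['name']}: running Kubernetes {cluster['version']}, latest is {latest_version}"]
    return []


def audit_cluster(cluster, security_groups, latest_version):
    """Run all checks; only security groups attached to the cluster are evaluated."""
    findings = []
    attached = set(cluster["resourcesVpcConfig"].get("securityGroupIds", []))
    for sg in security_groups:
        if sg["GroupId"] in attached:
            findings += check_security_group(sg)
    findings += check_logging(cluster)
    findings += check_endpoint(cluster)
    findings += check_version(cluster, latest_version)
    return findings


# Constructed sample input (placeholders, not real resources).
LATEST_VERSION = "1.29"  # placeholder: take from the EKS Kubernetes versions table
SAMPLE_CLUSTER = {
    "name": "demo-eks",
    "version": "1.27",
    "resourcesVpcConfig": {
        "securityGroupIds": ["sg-0123456789abcdef0"],
        "endpointPublicAccess": True,
        "endpointPrivateAccess": False,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
    "logging": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False},
    ]},
}
SAMPLE_SECURITY_GROUPS = [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}]

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER, SAMPLE_SECURITY_GROUPS, LATEST_VERSION):
        print("FAIL", finding)
```

Run against the sample data this reports five findings: the SSH ingress rule, three missing log types, the public endpoint with private access disabled, and the outdated version. The version comparison is numeric on the dotted version, so it works for any two-part Kubernetes version string EKS returns.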

HA Enabled

Ensure that your EKS cluster has a minimum of 3 worker nodes spread across 3 Availability Zones (AZs).

Addresses: Reliability

ECR Private Repo

Ensures ECR repository policies do not enable global or public access to images. ECR repository policies should limit access to images to known IAM entities and AWS accounts and avoid the use of account-level wildcards.

Addresses: Security

ECR Repository Tag Immutability

Ensures ECR repository image tags cannot be overwritten. ECR repositories should be configured to prevent overwriting of image tags, so that a potentially malicious image cannot be substituted under a tag that live environments already deploy.

Addresses: Security, Operational Maturity

ECR Lifecycle Policy Attached

Ensure that each ECR repository has a lifecycle policy attached.

Addresses: Operational Maturity

Vulnerability Scanning Enabled

Ensure that ECR repositories have image vulnerability scanning enabled (scan on push), so that images are checked for known vulnerabilities before they are deployed.

Addresses: Security, Operational Maturity
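The four ECR checks above (private repository policy, tag immutability, lifecycle policy, scan on push) can likewise be evaluated from the repository data AWS returns. The following is an added example, not Cloudanix's own tooling: the input shapes follow boto3's `ecr.describe_repositories()["repositories"]`, `ecr.get_repository_policy()["policyText"]` and `ecr.get_lifecycle_policy()["lifecyclePolicyText"]` responses (the last two are passed in as name-to-text maps, with `None` where the repository has no policy). Repository names, the account id and the policy documents are constructed placeholders.

```python
"""Evaluate ECR repository settings against the four ECR checks above.

Added example (not Cloudanix code). Input shapes follow boto3's
ecr.describe_repositories(), ecr.get_repository_policy() and
ecr.get_lifecycle_policy() responses; all sample values are constructed.
"""
import json


def _principals(statement):
    """Flatten a policy statement's Principal element into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    values = []
    for v in principal.values():          # e.g. {"AWS": [...]} or {"Service": "..."}
        values += v if isinstance(v, list) else [v]
    return values


def _is_wildcard_principal(value):
    """'*' grants everyone; 'arn:aws:iam::*:root' is an account-level wildcard."""
    if value == "*":
        return True
    parts = value.split(":")
    return len(parts) >= 6 and parts[4] == "*"


def check_repository_policy(name, policy_text):
    """Flag Allow statements whose principal is global or an account-level wildcard.

    Condition blocks are ignored here, so a conditioned statement is still reported
    and left for a human to review.
    """
    if not policy_text:
        return []                          # no policy: only the owning account has access
    findings = []
    for st in json.loads(policy_text).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        bad = [p for p in _principals(st) if _is_wildcard_principal(p)]
        if bad:
            findings.append(f"{name}: policy statement {st.get('Sid', '<no Sid>')} allows {bad}")
    return findings


def check_tag_immutability(repo):
    if repo.get("imageTagMutability") != "IMMUTABLE":
        return [f"{repo['repositoryName']}: image tags can be overwritten"]
    return []


def check_scan_on_push(repo):
    if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
        return [f"{repo['repositoryName']}: vulnerability scanning on push is disabled"]
    return []


def check_lifecycle_policy(name, lifecycle_policy_text):
    if not lifecycle_policy_text:
        return [f"{name}: no lifecycle policy attached"]
    return []


def audit_repositories(repositories, policies, lifecycle_policies):
    """policies / lifecycle_policies map repository name -> policy JSON text (or None)."""
    findings = []
    for repo in repositories:
        name = repo["repositoryName"]
        findings += check_repository_policy(name, policies.get(name))
        findings += check_tag_immutability(repo)
        findings += check_scan_on_push(repo)
        findings += check_lifecycle_policy(name, lifecycle_policies.get(name))
    return findings


# Constructed sample input (placeholder names, the 111122223333 example account id).
SAMPLE_REPOSITORIES = [
    {"repositoryName": "payments-api", "imageTagMutability": "IMMUTABLE",
     "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "legacy-web", "imageTagMutability": "MUTABLE",
     "imageScanningConfiguration": {"scanOnPush": False}},
]
SAMPLE_POLICIES = {
    "payments-api": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowPartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]}),
    "legacy-web": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]}),
}
SAMPLE_LIFECYCLE_POLICIES = {
    "payments-api": json.dumps({"rules": [{"rulePriority": 1, "description": "expire untagged",
        "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                      "countUnit": "days", "countNumber": 14},
        "action": {"type": "expire"}}]}),
    "legacy-web": None,
}

if __name__ == "__main__":
    for finding in audit_repositories(SAMPLE_REPOSITORIES, SAMPLE_POLICIES, SAMPLE_LIFECYCLE_POLICIES):
        print("FAIL", finding)
```

On the sample data `payments-api` passes all four checks, while `legacy-web` produces one finding per check. The principal test deliberately treats `arn:aws:iam::*:root` the same as a bare `*`, since either form opens the repository to every AWS account.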

Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.