Security Best Practices for Amazon EKS¤
Objective¤
The objective of this pattern is to demonstrate how to enable the AWS Config configuration recorder and the AWS Config managed rules for EKS security best practices in your AWS account (CDK_DEFAULT_ACCOUNT) and region (CDK_DEFAULT_REGION), and how to verify the status of those rules.
Prerequisites¤
- Follow the usage instructions to install the dependencies and perform the repository setup.
- The argo-admin-password secret must be defined in Secrets Manager in the same region as the EKS cluster.
Deploy¤
To bootstrap the CDK toolkit and list all stacks in the app, run the following commands:
cdk bootstrap
make list
Deploy AWS Config Configuration Recorder¤
Use the AWS Config setup blueprints pattern to enable AWS Config in your account and region by running the following command:
make pattern eks-config-rules deploy eks-config-setup
Deploy Config Rules for EKS Security Best Practices¤
Now enable the AWS Config managed rules for EKS security best practices by running the following command:
make pattern eks-config-rules deploy eks-config-rules-setup
Verify¤
Verify the status of the AWS Config managed rules for EKS security best practices¤
Using the following AWS CLI command, get a list of the AWS Config rules with their evaluation status.
aws configservice describe-config-rule-evaluation-status
The output will look something like the following.
{
    "ConfigRulesEvaluationStatus": [
        ...
        {
            "ConfigRuleName": "eks-config-rules-setup-EksEndpointNoPublicAccess49-37QJEXYZALLB",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-luqz0p",
            "ConfigRuleId": "config-rule-luqz0p",
            "LastSuccessfulInvocationTime": "2023-05-30T00:33:26.878000+00:00",
            "LastSuccessfulEvaluationTime": "2023-05-30T00:33:27.539000+00:00",
            "FirstActivatedTime": "2023-05-27T00:32:41.020000+00:00",
            "FirstEvaluationStarted": true
        },
        {
            "ConfigRuleName": "eks-config-rules-setup-EksOldestSupportedVersionAD-Z65N0TEQSF96",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-psbc54",
            "ConfigRuleId": "config-rule-psbc54",
            "LastSuccessfulInvocationTime": "2023-05-27T07:56:05.182000+00:00",
            "LastSuccessfulEvaluationTime": "2023-05-27T07:56:07.542000+00:00",
            "FirstActivatedTime": "2023-05-25T22:44:21.666000+00:00",
            "FirstEvaluationStarted": true
        },
        {
            "ConfigRuleName": "eks-config-rules-setup-EksSecretsEncrypted7566BFCD-HUQX4WXUDEFA",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-kzohng",
            "ConfigRuleId": "config-rule-kzohng",
            "LastSuccessfulInvocationTime": "2023-05-30T00:33:26.902000+00:00",
            "LastSuccessfulEvaluationTime": "2023-05-30T00:33:27.616000+00:00",
            "FirstActivatedTime": "2023-05-27T00:32:41.006000+00:00",
            "FirstEvaluationStarted": true
        },
        {
            "ConfigRuleName": "eks-config-rules-setup-EksSupportedVersionCDB3159A-1VNH10LGMMJX",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-oaio54",
            "ConfigRuleId": "config-rule-oaio54",
            "LastSuccessfulInvocationTime": "2023-05-27T07:56:05.223000+00:00",
            "LastSuccessfulEvaluationTime": "2023-05-27T07:56:05.420000+00:00",
            "FirstActivatedTime": "2023-05-25T22:51:26.563000+00:00",
            "FirstEvaluationStarted": true
        }
        ...
    ]
}
Search the output for the EKS-specific rules (their names start with the stack name, eks-config-rules-setup-) and make a note of the unique ConfigRuleName of each of the AWS Config rules for EKS security best practices. The suffix after each logical ID is generated by CloudFormation, so the names differ in every deployment.
Using the rule names from your account and region as shown by the previous command, verify the configuration and state of each EKS Config rule with the following AWS CLI command (replace the rule names below with your own).
aws configservice describe-config-rules --config-rule-names "eks-config-rules-setup-EksEndpointNoPublicAccess<your rule id>" "eks-config-rules-setup-EksOldestSupportedVersion<your rule id>" "eks-config-rules-setup-EksSecretsEncrypted<your rule id>" "eks-config-rules-setup-EksSupportedVersion<your rule id>"
The output will look something like the following.
{
    "ConfigRules": [
        {
            "ConfigRuleName": "eks-config-rules-setup-EksEndpointNoPublicAccess49-37QJEXYZALLB",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-luqz0p",
            "ConfigRuleId": "config-rule-luqz0p",
            "Source": {
                "Owner": "AWS",
                "SourceIdentifier": "EKS_ENDPOINT_NO_PUBLIC_ACCESS"
            },
            "ConfigRuleState": "ACTIVE",
            "EvaluationModes": [
                {
                    "Mode": "DETECTIVE"
                }
            ]
        },
        {
            "ConfigRuleName": "eks-config-rules-setup-EksOldestSupportedVersionAD-Z65N0TEQSF96",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-psbc54",
            "ConfigRuleId": "config-rule-psbc54",
            "Source": {
                "Owner": "AWS",
                "SourceIdentifier": "EKS_CLUSTER_OLDEST_SUPPORTED_VERSION"
            },
            "InputParameters": "{\"oldestVersionSupported\":\"1.25\"}",
            "ConfigRuleState": "ACTIVE",
            "EvaluationModes": [
                {
                    "Mode": "DETECTIVE"
                }
            ]
        },
        {
            "ConfigRuleName": "eks-config-rules-setup-EksSecretsEncrypted7566BFCD-HUQX4WXUDEFA",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-kzohng",
            "ConfigRuleId": "config-rule-kzohng",
            "Source": {
                "Owner": "AWS",
                "SourceIdentifier": "EKS_SECRETS_ENCRYPTED"
            },
            "ConfigRuleState": "ACTIVE",
            "EvaluationModes": [
                {
                    "Mode": "DETECTIVE"
                }
            ]
        },
        {
            "ConfigRuleName": "eks-config-rules-setup-EksSupportedVersionCDB3159A-1VNH10LGMMJX",
            "ConfigRuleArn": "arn:aws:config:us-east-1:XXXXXXXXXXX:config-rule/config-rule-oaio54",
            "ConfigRuleId": "config-rule-oaio54",
            "Source": {
                "Owner": "AWS",
                "SourceIdentifier": "EKS_CLUSTER_SUPPORTED_VERSION"
            },
            "InputParameters": "{\"oldestVersionSupported\":\"1.25\"}",
            "ConfigRuleState": "ACTIVE",
            "EvaluationModes": [
                {
                    "Mode": "DETECTIVE"
                }
            ]
        }
    ]
}
Note that you can see the parameter value of the two rules that require InputParameters (EKS_CLUSTER_OLDEST_SUPPORTED_VERSION and EKS_CLUSTER_SUPPORTED_VERSION, both taking oldestVersionSupported), and that the ConfigRuleState of each rule is ACTIVE. ACTIVE only means the rule is enabled and evaluating resources; it says nothing about whether your clusters pass. To see the evaluation result, query the same rule names with the describe-compliance-by-config-rule AWS CLI operation and look for NON_COMPLIANT entries: EKS_ENDPOINT_NO_PUBLIC_ACCESS flags clusters whose API server endpoint allows public access, EKS_SECRETS_ENCRYPTED flags clusters whose Kubernetes secrets are not encrypted with a KMS key, EKS_CLUSTER_SUPPORTED_VERSION flags clusters running a version older than oldestVersionSupported, and EKS_CLUSTER_OLDEST_SUPPORTED_VERSION flags clusters running exactly that version, i.e. the next one to lose support. Because oldestVersionSupported is fixed in the stack at deploy time (1.25 in the output above), raise it and redeploy as EKS retires Kubernetes versions; otherwise EKS_CLUSTER_SUPPORTED_VERSION keeps reporting COMPLIANT for clusters that are already out of support.
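To turn the verification above into a repeatable check, here is an added Python example (not part of this pattern or the EKS Blueprints repository). It runs over the JSON documents that aws configservice describe-config-rules and aws configservice describe-compliance-by-config-rule return, confirms that all four EKS managed rules are deployed and ACTIVE, reads the oldestVersionSupported parameter, and reports every rule that is not COMPLIANT. The sample input is constructed from the output shown above with a made-up compliance result in which the public-endpoint rule fails; the oldest_supported argument is a value you maintain (the oldest Kubernetes version EKS currently supports), and check_live_account assumes the AWS CLI and credentials for the target account and region are available.

```python
"""Check the EKS managed AWS Config rules from AWS CLI JSON output (stdlib only)."""
import json
import subprocess
from typing import Dict, List, Optional

# The four AWS-managed rule identifiers this pattern deploys
# (the SourceIdentifier values in the describe-config-rules output).
EXPECTED_EKS_RULES = {
    "EKS_ENDPOINT_NO_PUBLIC_ACCESS",
    "EKS_SECRETS_ENCRYPTED",
    "EKS_CLUSTER_OLDEST_SUPPORTED_VERSION",
    "EKS_CLUSTER_SUPPORTED_VERSION",
}
# The two rules that take the oldestVersionSupported input parameter.
VERSIONED_RULES = {"EKS_CLUSTER_OLDEST_SUPPORTED_VERSION", "EKS_CLUSTER_SUPPORTED_VERSION"}


def _version_tuple(version: str) -> tuple:
    """'1.25' -> (1, 25), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def eks_rules(describe_output: dict) -> Dict[str, dict]:
    """Map SourceIdentifier -> rule for every AWS-managed EKS_* rule in the output."""
    found = {}
    for rule in describe_output.get("ConfigRules", []):
        source = rule.get("Source", {})
        identifier = source.get("SourceIdentifier", "")
        if source.get("Owner") == "AWS" and identifier.startswith("EKS_"):
            found[identifier] = rule
    return found


def check_eks_rules(describe_output: dict, compliance_output: dict,
                    oldest_supported: Optional[str] = None) -> List[str]:
    """Return one finding per problem; an empty list means every expected rule is
    deployed, ACTIVE, parameterised and COMPLIANT. When oldest_supported (the oldest
    version EKS currently supports, supplied by you) is given, a rule whose
    oldestVersionSupported parameter has fallen behind it is reported as stale."""
    findings: List[str] = []
    rules = eks_rules(describe_output)
    # Missing rules first: a rule that was never deployed can never report NON_COMPLIANT.
    for identifier in sorted(EXPECTED_EKS_RULES - set(rules)):
        findings.append(f"{identifier}: rule not deployed")
    compliance = {
        entry["ConfigRuleName"]: entry["Compliance"]["ComplianceType"]
        for entry in compliance_output.get("ComplianceByConfigRules", [])
    }
    for identifier in sorted(rules):
        rule = rules[identifier]
        name = rule["ConfigRuleName"]
        state = rule.get("ConfigRuleState")
        if state != "ACTIVE":
            findings.append(f"{name}: state {state}, expected ACTIVE")
        if identifier in VERSIONED_RULES:
            # InputParameters is a JSON document serialised into a string.
            params = json.loads(rule.get("InputParameters") or "{}")
            configured = params.get("oldestVersionSupported")
            if configured is None:
                findings.append(f"{name}: oldestVersionSupported parameter missing")
            elif oldest_supported and _version_tuple(configured) < _version_tuple(oldest_supported):
                findings.append(f"{name}: oldestVersionSupported={configured} is behind {oldest_supported}")
        # ACTIVE only means the rule is evaluating; the verdict comes from the compliance query.
        compliance_type = compliance.get(name, "NO_COMPLIANCE_DATA")
        if compliance_type != "COMPLIANT":
            findings.append(f"{name}: {compliance_type}")
    return findings


def check_live_account(region: Optional[str] = None,
                       oldest_supported: Optional[str] = None) -> List[str]:
    """Run both CLI operations with the current credentials and check the result."""
    def run(operation: str) -> dict:
        cmd = ["aws", "configservice", operation, "--output", "json"]
        if region:
            cmd += ["--region", region]
        return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)
    return check_eks_rules(run("describe-config-rules"),
                           run("describe-compliance-by-config-rule"), oldest_supported)


# Constructed sample input: the four rules from the describe-config-rules output
# in this document, plus a made-up compliance result where the endpoint rule fails.
def _rule(name: str, identifier: str, params: Optional[dict] = None) -> dict:
    rule = {"ConfigRuleName": name, "Source": {"Owner": "AWS", "SourceIdentifier": identifier},
            "ConfigRuleState": "ACTIVE", "EvaluationModes": [{"Mode": "DETECTIVE"}]}
    if params:
        rule["InputParameters"] = json.dumps(params)
    return rule

SAMPLE_RULES = {"ConfigRules": [
    _rule("eks-config-rules-setup-EksEndpointNoPublicAccess49-37QJEXYZALLB", "EKS_ENDPOINT_NO_PUBLIC_ACCESS"),
    _rule("eks-config-rules-setup-EksOldestSupportedVersionAD-Z65N0TEQSF96",
          "EKS_CLUSTER_OLDEST_SUPPORTED_VERSION", {"oldestVersionSupported": "1.25"}),
    _rule("eks-config-rules-setup-EksSecretsEncrypted7566BFCD-HUQX4WXUDEFA", "EKS_SECRETS_ENCRYPTED"),
    _rule("eks-config-rules-setup-EksSupportedVersionCDB3159A-1VNH10LGMMJX",
          "EKS_CLUSTER_SUPPORTED_VERSION", {"oldestVersionSupported": "1.25"}),
]}
SAMPLE_COMPLIANCE = {"ComplianceByConfigRules": [
    {"ConfigRuleName": r["ConfigRuleName"],
     "Compliance": {"ComplianceType": "NON_COMPLIANT" if "EndpointNoPublicAccess" in r["ConfigRuleName"]
                    else "COMPLIANT"}}
    for r in SAMPLE_RULES["ConfigRules"]
]}

if __name__ == "__main__":
    for finding in check_eks_rules(SAMPLE_RULES, SAMPLE_COMPLIANCE, oldest_supported="1.25"):
        print(finding)
```

Run as a script it prints the single finding from the constructed sample (the public endpoint rule reporting NON_COMPLIANT); swap the sample for check_live_account(region="us-east-1", oldest_supported="1.25") to check a real account, and treat a non-empty list as a failed gate in a pipeline.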