Source: Kube Bench
ID: 5.4
Version: eks-1.5.0

5.4 Cluster Networking

5.4.1 Restrict Access to the Control Plane Endpoint (Automated)

By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC. You can also limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. With this in mind, update your cluster using the AWS CLI to ensure that Private Endpoint Access is enabled. If you also enable Public Endpoint Access, configure a list of allowable CIDR blocks so that access from the internet is restricted. If you specify no CIDR blocks, the public API server endpoint accepts requests from all IP addresses, because the list defaults to ["0.0.0.0/0"]. For example, the following command enables private access to the Kubernetes API as well as limited public access over the internet from a single IP address (note the /32 CIDR suffix):

aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32"

Note: The CIDR blocks specified cannot include reserved addresses. There is a maximum number of CIDR blocks that you can specify. For more information, see the EKS Service Quotas link in the references section. For more detailed information, see the EKS Cluster Endpoint documentation link in the references section.

5.4.2 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)

By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC. With this in mind, update your cluster using the AWS CLI to ensure that Private Endpoint Access is enabled. For example, the following command enables private access to the Kubernetes API and ensures that no public access is permitted:

aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false

Note: For more detailed information, see the EKS Cluster Endpoint documentation link in the references section.

5.4.3 Ensure clusters are created with Private Nodes (Automated)

aws eks update-cluster-config \
    --region region-code \
    --name my-cluster \
    --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="203.0.113.5/32",endpointPrivateAccess=true
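The update-cluster-config calls in 5.4.1 through 5.4.3 all set the same three fields of resourcesVpcConfig, and the natural first step is to read those fields back from `aws eks describe-cluster` and decide which remediation form applies. The following Python is an added example, not kube-bench's check implementation or any AWS tooling: it evaluates a constructed describe-cluster document (the field names are the real API's, the cluster and its values are made up), reports the settings that miss the intent of 5.4.1 (private endpoint on, public CIDRs restricted) and 5.4.2 (public endpoint off), and builds the argv for the matching update-cluster-config command. The check ids are this example's own.

```python
import ipaddress
import json

# The checks and ids below are this example's own, written to mirror CIS EKS
# 5.4.1 (private endpoint on, public CIDRs restricted) and 5.4.2 (public
# endpoint off); they are not kube-bench's implementation.


def make_describe_cluster(private, public, cidrs):
    """Build a constructed `aws eks describe-cluster --output json` document,
    trimmed to the fields the audit reads (not output from any real account)."""
    return json.dumps({
        "cluster": {
            "name": "example-cluster",
            "resourcesVpcConfig": {
                "endpointPrivateAccess": private,
                "endpointPublicAccess": public,
                "publicAccessCidrs": cidrs,
            },
        }
    })


# Constructed samples: a cluster left at its most open settings, and a compliant one.
SAMPLE_OPEN_CLUSTER = make_describe_cluster(False, True, ["0.0.0.0/0"])
SAMPLE_PRIVATE_CLUSTER = make_describe_cluster(True, False, [])


def audit_endpoint_access(describe_cluster_json):
    """Return {check_id: message} for every failing endpoint setting."""
    cfg = json.loads(describe_cluster_json)["cluster"]["resourcesVpcConfig"]
    private = cfg.get("endpointPrivateAccess", False)
    public = cfg.get("endpointPublicAccess", True)
    cidrs = cfg.get("publicAccessCidrs", [])
    findings = {}
    if not private:
        findings["private-endpoint-disabled"] = (
            "endpointPrivateAccess is false: node-to-API traffic leaves the VPC (5.4.1, 5.4.2)")
    if public:
        findings["public-endpoint-enabled"] = (
            "endpointPublicAccess is true: the API server is reachable from the internet (5.4.2)")
        # EKS treats an empty list as 0.0.0.0/0, and a /0 block is the same thing spelled out.
        if not cidrs or any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            findings["public-cidrs-unrestricted"] = (
                "publicAccessCidrs admits every source address (5.4.1)")
    return findings


def build_remediation(cluster_name, region, allowed_cidrs=None):
    """Return argv for the `aws eks update-cluster-config` call that fixes the finding.

    allowed_cidrs=None yields the 5.4.2 form (public access disabled); a list of
    CIDR blocks yields the 5.4.1 form (public access limited to those blocks).
    """
    if allowed_cidrs is None:
        vpc_config = "endpointPrivateAccess=true,endpointPublicAccess=false"
    else:
        for cidr in allowed_cidrs:
            # strict=True rejects host bits set inside the prefix, e.g. 10.0.0.1/24
            if ipaddress.ip_network(cidr, strict=True).prefixlen == 0:
                raise ValueError("refusing to allow every address: %s" % cidr)
        # Several blocks are comma-separated (AWS CLI shorthand list syntax).
        vpc_config = ("endpointPrivateAccess=true,endpointPublicAccess=true,"
                      "publicAccessCidrs=%s" % ",".join(allowed_cidrs))
    return ["aws", "eks", "update-cluster-config",
            "--region", region, "--name", cluster_name,
            "--resources-vpc-config", vpc_config]


if __name__ == "__main__":
    for label, doc in (("open", SAMPLE_OPEN_CLUSTER), ("private", SAMPLE_PRIVATE_CLUSTER)):
        print(label, audit_endpoint_access(doc) or "compliant")
    print(" ".join(build_remediation("example-cluster", "us-east-1", ["203.0.113.5/32"])))
```

To run it against a live cluster, feed the output of `aws eks describe-cluster --name $CLUSTER_NAME --output json` to audit_endpoint_access and pass the returned argv to subprocess.run; the audit treats a missing publicAccessCidrs list the same way EKS does (all addresses), and build_remediation refuses to write a /0 block so the 5.4.1 remediation cannot silently recreate the default.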

5.4.4 Ensure Network Policy is Enabled and set as appropriate (Automated)

Utilize Calico or another network policy engine to segment and isolate your traffic.
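Segmentation with a network policy engine starts from a default-deny NetworkPolicy in each namespace, with allow rules layered on per workload. The Python below is an added example, not kube-bench's 5.4.4 check or Calico code: it walks a constructed policy list shaped like `kubectl get networkpolicy -A -o json` (names, namespaces and labels are made up), applies the Kubernetes rules for when a policy isolates every pod in a namespace (empty podSelector, the direction listed in policyTypes, and no rules for that direction, with the policyTypes default applied when the field is absent), and reports which namespaces still lack a default deny for ingress or egress. It inspects objects only; whether an engine such as Calico is installed to enforce them is a separate check.

```python
# Constructed sample shaped like `kubectl get networkpolicy -A -o json`, trimmed
# to the fields the check reads. Not objects from any real cluster.
SAMPLE_POLICY_LIST = {
    "items": [
        {   # payments: empty podSelector with no rules denies both directions
            "metadata": {"name": "default-deny-all", "namespace": "payments"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
        {   # frontend: scoped to labelled pods, so it isolates only those pods
            "metadata": {"name": "allow-lb-to-web", "namespace": "frontend"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "web"}},
                "ingress": [{"ports": [{"port": 8080}]}],
            },
        },
        {   # frontend: empty selector, but a single empty rule {} allows everything
            "metadata": {"name": "allow-all-ingress", "namespace": "frontend"},
            "spec": {"podSelector": {}, "ingress": [{}]},
        },
    ]
}
SAMPLE_NAMESPACES = ["payments", "frontend", "legacy"]


def _policy_types(spec):
    """Apply the API default: Ingress always, Egress only if egress rules are present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def denies_all(spec, direction):
    """True if this policy isolates every pod in its namespace for `direction`
    ("Ingress" or "Egress"): empty podSelector, the type listed, and no rules
    for it (absent or []). A single empty rule [{}] allows all traffic instead."""
    selector = spec.get("podSelector") or {}
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return False
    if direction not in _policy_types(spec):
        return False
    return not spec.get(direction.lower())


def audit_default_deny(policy_list, namespaces):
    """Return {namespace: set of directions still lacking a default-deny policy}."""
    covered = {ns: set() for ns in namespaces}
    for pol in policy_list["items"]:
        ns = pol["metadata"]["namespace"]
        if ns not in covered:
            continue
        for direction in ("Ingress", "Egress"):
            if denies_all(pol["spec"], direction):
                covered[ns].add(direction)
    return {ns: {"Ingress", "Egress"} - done for ns, done in covered.items()}


def default_deny_manifest(namespace):
    """The policy object that closes the gap; apply it, then add allow rules per workload."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


if __name__ == "__main__":
    for ns, missing in audit_default_deny(SAMPLE_POLICY_LIST, SAMPLE_NAMESPACES).items():
        print(ns, "missing default deny for:", sorted(missing) or "nothing")
```

The frontend namespace is the instructive case: it has two policies, yet neither isolates the namespace, because one selects only labelled pods and the other carries an empty rule that admits all ingress. Only a policy with an empty selector and no rules, like the one default_deny_manifest returns, counts.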

5.4.5 Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)

Your load balancer vendor can provide details on configuring HTTPS with TLS.