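---
# kube-bench control definitions for CIS Amazon EKS Benchmark 1.2.0, section 5
# ("Managed Services"): ECR, IAM, KMS, cluster networking, authentication and
# other EKS-level configuration.
#
# NOTE(review): every check in this file is `type: "manual"` and `scored: false`.
# kube-bench does not run any audit command for them and will never report a
# FAIL here; the operator has to collect the evidence (AWS CLI / console) and
# judge each item. Treat a clean kube-bench run against this section as
# "nothing was checked", not as "compliant".
controls:
version: "eks-1.2.0"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
  - id: 5.1
    text: "Image Registry and Image Scanning"
    checks:
      - id: 5.1.1
        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)"
        type: "manual"
        # scanOnPush is a per-repository setting; it only scans images pushed
        # after it is enabled, which is why the manual scan steps below are
        # still needed for images that were already in the repository.
        remediation: |
          To utilize AWS ECR for Image scanning please follow the steps below:

          To create a repository configured for scan on push (AWS CLI):
          aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE

          To edit the settings of an existing repository (AWS CLI):
          aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE

          Use the following steps to start a manual image scan using the AWS Management Console.
          Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
          From the navigation bar, choose the Region to create your repository in.
          In the navigation pane, choose Repositories.
          On the Repositories page, choose the repository that contains the image to scan.
          On the Images page, select the image to scan and then choose Scan.
        scored: false

      - id: 5.1.2
        text: "Minimize user access to Amazon ECR (Manual)"
        type: "manual"
        remediation: |
          Before you use IAM to manage access to Amazon ECR, you should understand what IAM features
          are available to use with Amazon ECR. To get a high-level view of how Amazon ECR and other
          AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.
        scored: false

      - id: 5.1.3
        text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
        type: "manual"
        # The policy below is the minimum *pull* permission set for the node
        # role. "Resource": "*" is required for ecr:GetAuthorizationToken (it
        # has no resource-level scoping), but ecr:BatchCheckLayerAvailability,
        # ecr:BatchGetImage and ecr:GetDownloadUrlForLayer accept repository
        # ARNs and should be restricted to the repositories the cluster is
        # meant to pull from. Write actions (ecr:PutImage, ecr:InitiateLayerUpload,
        # ecr:UploadLayerPart, ecr:CompleteLayerUpload, ...) must NOT be on the
        # node role, otherwise a compromised node can push images into the
        # registry the cluster trusts.
        remediation: |
          You can use your Amazon ECR images with Amazon EKS, but you need to satisfy the following prerequisites.

          The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your worker nodes must possess
          the following IAM policy permissions for Amazon ECR.

          {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Effect": "Allow",
                      "Action": [
                          "ecr:BatchCheckLayerAvailability",
                          "ecr:BatchGetImage",
                          "ecr:GetDownloadUrlForLayer",
                          "ecr:GetAuthorizationToken"
                      ],
                      "Resource": "*"
                  }
              ]
          }
        scored: false

      - id: 5.1.4
        text: "Minimize Container Registries to only those approved (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.2
    text: "Identity and Access Management (IAM)"
    checks:
      - id: 5.2.1
        text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.3
    text: "AWS Key Management Service (KMS)"
    checks:
      - id: 5.3.1
        text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
        type: "manual"
        # NOTE(review): the "only during cluster creation" statement reflects the
        # benchmark text; newer EKS releases allow associating an encryption
        # config with an existing cluster (it cannot be disabled afterwards).
        # Confirm against current AWS documentation before telling operators a
        # cluster must be recreated.
        remediation: |
          This process can only be performed during Cluster Creation.

          Enable 'Secrets Encryption' during Amazon EKS cluster creation as described
          in the links within the 'References' section.
        scored: false

  - id: 5.4
    text: "Cluster Networking"
    checks:
      - id: 5.4.1
        text: "Restrict Access to the Control Plane Endpoint (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.2
        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
        type: "manual"
        # If the public endpoint cannot be disabled, 5.4.1 (source CIDR
        # restriction on the public endpoint) is the compensating control;
        # 5.4.2 on its own is then not met.
        remediation: "No remediation"
        scored: false

      - id: 5.4.3
        text: "Ensure clusters are created with Private Nodes (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.4
        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.5
        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.5
    text: "Authentication and Authorization"
    checks:
      - id: 5.5.1
        text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)"
        type: "manual"
        remediation: |
          Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS documentation.
        scored: false

  - id: 5.6
    text: "Other Cluster Configurations"
    checks:
      - id: 5.6.1
        text: "Consider Fargate for running untrusted workloads (Manual)"
        type: "manual"
        # Fargate removes the shared worker node, so a container escape does
        # not land on a host that also runs other tenants' pods. It does not
        # replace Pod Security / network policy for the workload itself.
        remediation: |
          Create a Fargate profile for your cluster. Before you can schedule pods running on Fargate
          in your cluster, you must define a Fargate profile that specifies which pods should use
          Fargate when they are launched. For more information, see AWS Fargate profile.

          Note: If you created your cluster with eksctl using the --fargate option, then a Fargate profile has
          already been created for your cluster with selectors for all pods in the kube-system
          and default namespaces. Use the following procedure to create Fargate profiles for
          any other namespaces you would like to use with Fargate.
        scored: false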