Profile applicability: Level 1
Disable public IP addresses for cluster nodes, so that they only have private IP addresses.
Private Nodes are nodes with no public IP addresses.
Disabling public IP addresses on cluster nodes restricts access to only internal networks,
forcing attackers to obtain local network access before attempting to compromise the
underlying Kubernetes hosts.
Impact
To enable Private Nodes, the cluster has to also be configured with a private master
IP range and IP Aliasing enabled.
Private Nodes do not have outbound access to the public internet. If you want to provide
outbound Internet access for your private nodes, you can use Cloud NAT or you can
manage your own NAT gateway.
Audit
Check that the following return true:

export CLUSTER_NAME=<your cluster name>
aws eks describe-cluster --name ${CLUSTER_NAME} --query \
  "cluster.resourcesVpcConfig.endpointPrivateAccess"
aws eks describe-cluster --name ${CLUSTER_NAME} --query \
  "cluster.resourcesVpcConfig.endpointPublicAccess"
Check that the following is not null and is set to an appropriate IP range, not
0.0.0.0/0:

export CLUSTER_NAME=<your cluster name>
aws eks describe-cluster --name ${CLUSTER_NAME} --query \
  "cluster.resourcesVpcConfig.publicAccessCidrs"
Note: In addition, check that the nodes are deployed in private subnets and that no
public IP is assigned to them. The private subnets should not be associated with a route
table that has a route to an Internet Gateway (IGW).
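As an added example (not part of the benchmark text), the following Python applies the audit checks above to the JSON structures returned by aws eks describe-cluster, aws ec2 describe-subnets and aws ec2 describe-route-tables; the sample data is constructed, and the function names audit_endpoint, route_table_for and audit_subnets are my own.

```python
import ipaddress

def audit_endpoint(cluster):
    """Findings for the control-plane endpoint (describe-cluster output)."""
    vpc = cluster["cluster"]["resourcesVpcConfig"]
    findings = []
    if not vpc.get("endpointPrivateAccess"):
        findings.append("endpointPrivateAccess is false")
    if vpc.get("endpointPublicAccess"):
        cidrs = vpc.get("publicAccessCidrs") or []
        # An empty list or a /0 prefix means the public endpoint is open to everyone
        if not cidrs or any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            findings.append("publicAccessCidrs allows 0.0.0.0/0")
    return findings

def route_table_for(subnet, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main") and rt["VpcId"] == subnet["VpcId"]:
                main = rt
    return main

def audit_subnets(subnets, route_tables):
    """Findings for node subnets (describe-subnets / describe-route-tables output)."""
    findings = []
    for sn in subnets:
        if sn.get("MapPublicIpOnLaunch"):
            findings.append(f"{sn['SubnetId']} auto-assigns public IPs")
        rt = route_table_for(sn, route_tables)
        routes = rt.get("Routes", []) if rt else []
        if any(r.get("GatewayId", "").startswith("igw-") for r in routes):
            findings.append(f"{sn['SubnetId']} routes to an Internet Gateway")
    return findings

# Constructed sample data shaped like the AWS CLI JSON output (not from a real account)
SAMPLE_CLUSTER = {"cluster": {"resourcesVpcConfig": {"endpointPrivateAccess": True,
    "endpointPublicAccess": True, "publicAccessCidrs": ["0.0.0.0/0"]}}}
SAMPLE_SUBNETS = [{"SubnetId": "subnet-priv", "VpcId": "vpc-1", "MapPublicIpOnLaunch": False},
                  {"SubnetId": "subnet-pub", "VpcId": "vpc-1", "MapPublicIpOnLaunch": True}]
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"GatewayId": "local"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"GatewayId": "local"}, {"GatewayId": "igw-0example"}]}]
```

Feed the parsed output of the three CLI commands to these functions; an empty findings list means the cluster and its node subnets pass the checks in this section.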
Remediation
To disable public IP addresses for EKS nodegroup nodes using the AWS CLI, you must
ensure the following when running create-nodegroup:

- Use private subnets (that don't auto-assign public IPs).
- Set associatePublicIpAddress to false:

  "NetworkInterfaces": [{ "AssociatePublicIpAddress": false }]
You can restrict access to the control plane endpoint using:
aws eks update-cluster-config \
  --name $CLUSTER_NAME \
  --region $REGION_CODE \
  --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
This makes the API server private, but does not affect node IPs.
To ensure nodes use only private IPs:

- Use aws eks create-nodegroup with only private subnets, or
- Use a launch template with AssociatePublicIpAddress=false.
