CIS Amazon Elastic Kubernetes Service (EKS) 1.1.0 Benchmark
Lacework provides compliance policies based on CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 (or CIS Amazon EKS 1.1.0 Benchmark for short).
Once you have integrated your Amazon EKS environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.
Visibility and Usage in the Lacework Console
You can use the CIS Amazon EKS 1.1.0 Benchmark in the following ways:
- Enable or disable policies through the Policies page (see CIS Amazon EKS 1.1.0 Benchmark Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled CIS Amazon EKS 1.1.0 Benchmark policies (when violations occur).
- The Kubernetes Compliance Dashboard provides assessment results for each Kubernetes framework, including the CIS Amazon EKS 1.1.0 Benchmark.
Prerequisites
Ensure you have integrated your Amazon EKS environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Amazon 1.1.0 Benchmark:
CIS Amazon EKS 1.1.0 Benchmark Policies
All policies in the CIS Amazon EKS 1.1.0 Benchmark are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies through the Lacework Console
On the Policies page, use the framework:cis-eks-1-1-0 tag to filter for CIS Amazon EKS 1.1.0 policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Bulk Enable or Disable CIS Amazon EKS 1.1.0 Policies through the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the CIS Amazon EKS 1.1.0 policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-eks-1-1-0
lacework policy disable --tag framework:cis-eks-1-1-0
Enable or disable specific CIS Amazon EKS 1.1.0 policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-320
lacework policy disable lacework-global-320
Policy Mapping for CIS Amazon EKS 1.1.0
The CIS Amazon EKS 1.1.0 controls are mapped to Lacework global policies, as listed in the following tables.
Table key:
- Control ID - The CIS Amazon EKS 1.1.0 Benchmark security control identifier.
- Title - The policy/recommendation title.
- Lacework Policy ID - The Lacework policy identifier.
- CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
- Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
- 1. Control Plane Components
- 2. Control Plane Configuration
- 3. Worker Nodes
- 4. Policies
- 5. Managed Services
This section is not applicable for managed Kubernetes clusters, therefore, it contains no controls.
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.1.1 | Enable audit Logs | lacework-global-315 | Manual | Automated | Medium |
- 3.1 Worker Node Configuration Files
- 3.2 Kubelet
- 3.3 Container Optimized OS
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 3.1.1 | Set the kubeconfig file permissions to 644 or more restrictive | lacework-global-316 | Manual | Automated | High |
| 3.1.2 | Set the kubelet kubeconfig file ownership to root:root | lacework-global-317 | Manual | Automated | High |
| 3.1.3 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive | lacework-global-318 | Manual | Automated | High |
| 3.1.4 | Set the kubelet configuration file ownership to root:root | lacework-global-319 | Manual | Automated | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 3.2.1 | Set the --anonymous-auth argument to false | lacework-global-320 | Automated | Automated | High |
| 3.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow | lacework-global-321 | Automated | Automated | High |
| 3.2.3 | Set the --client-ca-file argument as appropriate | lacework-global-322 | Manual | Automated | Medium |
| 3.2.4 | Secure the --read-only-port | lacework-global-323 | Manual | Automated | High |
| 3.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | lacework-global-324 | Manual | Automated | Medium |
| 3.2.6 | Set the --protect-kernel-defaults argument to true | lacework-global-325 | Automated | Automated | Medium |
| 3.2.7 | Set the --make-iptables-util-chains argument to true | lacework-global-326 | Automated | Automated | Medium |
| 3.2.8 | Ensure that the --hostname-override argument is not set | lacework-global-327 | Manual | Automated | Medium |
| 3.2.9 | Set the --eventRecordQPS argument to 0 or a level which ensures appropriate event capture | lacework-global-328 | Automated | Manual | Low |
| 3.2.10 | Ensure that the --rotate-certificates argument is not set to false | lacework-global-329 | Manual | Automated | Medium |
| 3.2.11 | Set the RotateKubeletServerCertificate argument to true | lacework-global-330 | Manual | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 3.3.1 | Prefer using Container-Optimized OS when possible | lacework-global-366 | Manual | Manual | Low |
- 4.1 RBAC and Service Accounts
- 4.2 Pod Security Policies
- 4.3 CNI Plugin
- 4.4 Secrets Management
- 4.5 Extensible Admission Control
- 4.6 General Policies
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.1.1 | Ensure that the cluster-admin role is only used where required | lacework-global-331 | Manual | Automated | High |
| 4.1.2 | Minimize access to secrets in ClusterRoleBindings | lacework-global-332 (ClusterRoleBindings) lacework-global-662 (RoleBindings) | Manual | Automated | Medium |
| 4.1.3 | Minimize wildcard use in ClusterRoles | lacework-global-333 (ClusterRoles) lacework-global-663 (Roles) | Manual | Automated | High |
| 4.1.4 | Minimize access to create pods in ClusterRoles | lacework-global-334 (ClusterRoles) lacework-global-664 (Roles) | Manual | Automated | High |
| 4.1.5 | Ensure that default service accounts are not actively used in ClusterRoles | lacework-global-335 (ClusterRoles) lacework-global-665 (Roles) lacework-global-666 (Kubernetes API access tokens) | Manual | Automated | Medium |
| 4.1.6 | Ensure that Service Account Tokens are only mounted where necessary | lacework-global-336 | Manual | Automated | Medium |
See Adjusted Controls for details on changes to these policies.
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.2.1 | Minimize the execution of privileged container workloads | lacework-global-648 | Automated | Automated | Medium |
| 4.2.2 | Minimize the execution of container workloads sharing the host process ID namespace | lacework-global-649 | Automated | Automated | Medium |
| 4.2.3 | Minimize the execution of container workloads sharing the host Inter-Process Communication (IPC) namespace | lacework-global-650 | Automated | Automated | Medium |
| 4.2.4 | Minimize the execution of container workloads sharing the host network namespace | lacework-global-651 | Automated | Automated | Medium |
| 4.2.5 | Minimize the execution of container workloads that can escalate their privileges beyond those of their parent process | lacework-global-652 | Automated | Automated | Medium |
| 4.2.6 | Minimize the execution of container workloads running as the root user | lacework-global-653 | Automated | Automated | Medium |
| 4.2.7 | Minimize the execution of container workloads with the NET_RAW capability | lacework-global-654 | Automated | Automated | Low |
| 4.2.8 | Minimize the execution of container workloads with added capabilities | lacework-global-655 | Manual | Automated | Medium |
| 4.2.9 | Minimize the admission of containers with capabilities assigned | lacework-global-345 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.3.1 | Use latest Container Network Interface (CNI) version | lacework-global-346 | Manual | Manual | Medium |
| 4.3.2 | Ensure that all Namespaces have Network Policies defined | lacework-global-347 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.4.1 | Prefer using secrets as files over secrets as environment variables | lacework-global-348 | Manual | Manual | Medium |
| 4.4.2 | Consider external secret storage | lacework-global-349 | Manual | Manual | Medium |
N/A
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.6.1 | Create administrative boundaries between resources using namespaces | lacework-global-350 | Manual | Manual | Medium |
| 4.6.2 | Apply Security Context to Your Pods and Containers | lacework-global-351 | Manual | Manual | Medium |
| 4.6.3 | Do not use default namespace | lacework-global-352 | Manual | Automated | Low |
- 5.1 Image Registry and Image Scanning
- 5.2 Identity and Access Management (IAM)
- 5.3 AWS EKS Key Management Service
- 5.4 Cluster Networking
- 5.5 Authentication and Authorization
- 5.6 Other Cluster Configurations
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.1.1 | Ensure Image Vulnerability Scanning using Amazon Elastic Container Registry (ECR) image scanning or a third party provider | lacework-global-353 | Manual | Manual | Medium |
| 5.1.2 | Minimize user access to Amazon Elastic Container Registry (ECR) | lacework-global-354 | Manual | Manual | Medium |
| 5.1.3 | Minimize cluster access to read-only for Amazon Elastic Container Registry (ECR) | lacework-global-355 | Manual | Manual | Medium |
| 5.1.4 | Minimize Container Registries to only those approved | lacework-global-356 | Manual | Automated | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.2.1 | Prefer using managed identities for workloads | lacework-global-357 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.3.1 | Encrypt Kubernetes Secrets using Customer Managed Keys (CMKs) managed in AWS Key Management Service (KMS) | lacework-global-358 | Manual | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.4.1 | Restrict Access to the Control Plane Endpoint | lacework-global-359 | Manual | Automated | High |
| 5.4.2 | Create clusters with Private Endpoint Enabled and Public Access Disabled | lacework-global-360 | Manual | Automated | Medium |
| 5.4.3 | Create clusters with Private Nodes | lacework-global-361 | Manual | Manual | Medium |
| 5.4.4 | Enable Network Policy and set as appropriate | lacework-global-362 | Manual | Manual | Medium |
| 5.4.5 | Encrypt traffic to HTTPS load balancers with Transport Layer Security (TLS) certificates | lacework-global-363 | Manual | Manual | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.5.1 | Manage Kubernetes Role-Based Access Control (RBAC) users with AWS Identity and Access Management (IAM) Authenticator for Kubernetes | lacework-global-364 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.6.1 | Consider Fargate for running untrusted workloads | lacework-global-365 | Manual | Manual | Medium |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in an AWS environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).
Automated Policies (that were deemed manual)
In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.
The following table outlines the CIS Amazon EKS 1.1.0 Benchmark policies that fall within this category:
Click to expand
| Control ID | Lacework Policy ID(s) | Title |
|---|---|---|
| 2.1.1 | lacework-global-315 | Enable audit Logs |
| 3.1.1 | lacework-global-316 | Set the kubeconfig file permissions to 644 or more restrictive |
| 3.1.2 | lacework-global-317 | Set the kubelet kubeconfig file ownership to root:root |
| 3.1.3 | lacework-global-318 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive |
| 3.1.4 | lacework-global-319 | Set the kubelet configuration file ownership to root:root |
| 3.2.3 | lacework-global-322 | Set the --client-ca-file argument as appropriate |
| 3.2.4 | lacework-global-323 | Secure the --read-only-port |
| 3.2.5 | lacework-global-324 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
| 3.2.8 | lacework-global-327 | Ensure that the --hostname-override argument is not set |
| 3.2.10 | lacework-global-329 | Ensure that the --rotate-certificates argument is not set to false |
| 3.2.11 | lacework-global-330 | Set the RotateKubeletServerCertificate argument to true |
| 4.1.1 | lacework-global-331 | Ensure that the cluster-admin role is only used where required |
| 4.1.2 | lacework-global-332 lacework-global-662 | Minimize access to secrets in ClusterRoleBindings |
| 4.1.3 | lacework-global-333 lacework-global-663 | Minimize wildcard use in ClusterRoles |
| 4.1.4 | lacework-global-334 lacework-global-664 | Minimize access to create pods in ClusterRoles |
| 4.1.5 | lacework-global-335 lacework-global-665 lacework-global-666 | Ensure that default service accounts are not actively used in ClusterRoles |
| 4.1.6 | lacework-global-336 | Ensure that Service Account Tokens are only mounted where necessary |
| 4.2.8 | lacework-global-655 | Minimize the execution of container workloads with added capabilities |
| 4.6.3 | lacework-global-352 | Do not use default namespace |
| 5.1.4 | lacework-global-356 | Minimize Container Registries to only those approved |
| 5.3.1 | lacework-global-358 | Encrypt Kubernetes Secrets using Customer Managed Keys (CMKs) managed in AWS Key Management Service (KMS) |
| 5.4.1 | lacework-global-359 | Restrict Access to the Control Plane Endpoint |
| 5.4.2 | lacework-global-360 | Create clusters with Private Endpoint Enabled and Public Access Disabled |
Manual Policies (that were deemed automated)
In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.
This is often due to one of the following reasons:
- Scope is defined by the user.
- It requires configuring other products or API permissions that are out of scope.
- Known issues for audit procedure described by the CIS control.
The following table outlines the CIS Amazon EKS 1.1.0 Benchmark policies that fall within this category:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 3.2.9 | lacework-global-328 | Set the --eventRecordQPS argument to 0 or a level which ensures appropriate event capture |
Adjusted Controls
4.1.2 Minimize access to secrets
This control has been split into two different policies to monitor ClusterRoleBindings and RoleBindings separately.
The table below outlines each control and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.2 | lacework-global-332 | Minimize access to secrets in ClusterRoleBindings |
| 4.1.2 | lacework-global-662 | Minimize access to secrets in RoleBindings. |
The policy catalog only retains one entry for this control, which is lacework-global-332.
4.1.3 Minimize wildcard use in Roles and ClusterRoles
This control has been split into two different policies to monitor ClusterRoles and Roles separately.
The table below outlines each control and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.3 | lacework-global-333 | Minimize wildcard use in ClusterRoles |
| 4.1.3 | lacework-global-663 | Minimize wildcard use in Roles |
The policy catalog only retains one entry for this control, which is lacework-global-333.
4.1.4 Minimize access to create pods
This control has been split into two different policies to monitor ClusterRoles and Roles separately.
The table below outlines each control and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.4 | lacework-global-334 | Minimize access to create pods in ClusterRoles |
| 4.1.4 | lacework-global-664 | Minimize access to create pods in Roles |
The policy catalog only retains one entry for this control, which is lacework-global-334.
4.1.5 Ensure that default service accounts are not actively used
This control has been split into three different policies to monitor the following separately:
- Default service accounts in ClusterRoles.
- Default service accounts in Roles.
- Kubernetes API access tokens mounted on default service accounts.
The table below outlines each control and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.5 | lacework-global-335 | Ensure that default service accounts are not actively used in ClusterRoles |
| 4.1.5 | lacework-global-665 | Ensure that default service accounts are not actively used in Roles |
| 4.1.5 | lacework-global-666 | Ensure that default service accounts are not automatically mounting their Kubernetes API access token |
The policy catalog only retains one entry for this control, which is lacework-global-335.
4.2.1 - 4.2.8 Pod Security Policies
The original CIS Amazon EKS 1.1.0 policies for Pod Security are now deprecated. To help provide effective coverage, Lacework has designed supplementary policies for the detection and remediation of pods that have been configured insecurely.
The following table lists the CIS policies (that are disabled by default) and the corresponding Lacework supplementary policies for Pod Security:
Click to expand
| Control ID | Disabled CIS Policy | Supplementary Lacework Policy |
|---|---|---|
| 4.2.1 | lacework-global-337 | lacework-global-648 |
| 4.2.2 | lacework-global-338 | lacework-global-649 |
| 4.2.3 | lacework-global-339 | lacework-global-650 |
| 4.2.4 | lacework-global-340 | lacework-global-651 |
| 4.2.5 | lacework-global-341 | lacework-global-652 |
| 4.2.6 | lacework-global-342 | lacework-global-653 |
| 4.2.7 | lacework-global-343 | lacework-global-654 |
| 4.2.8 | lacework-global-344 | lacework-global-655 |
There is no supplementary policy for 4.2.9 as it is a manual control.
Excluded Resources during 4.2.1 - 4.2.8 Policy Assessments
The Lacework Agent and workloads in the kube-system namespace are excluded during these policy assessments.
The Lacework Agent requires privileged access in order to enable monitoring for workload security. The kube-system namespace is used by the Kubernetes system and requires significant permissions to function effectively.