
CIS Amazon Elastic Kubernetes Service (EKS) 1.1.0 Benchmark Report

Beta feature: This topic describes functionality that is currently in beta.

Visibility and Usage in the Lacework Console

You can use the CIS Amazon EKS 1.1.0 benchmark in the following ways:

Prerequisites

This topic describes how to integrate your Amazon Elastic Kubernetes Service (EKS) with the Lacework Compliance platform. Completing this will prepare your environment for the CIS Amazon EKS 1.1.0 benchmark:

CIS Amazon EKS 1.1.0 Benchmark Policies

All policies in the CIS Amazon EKS 1.1.0 benchmark are enabled by default.

You can enable or disable them using one of the following methods outlined in this section.

Enable or Disable Policies through the Lacework Console

On the Policies page, use the framework:cis-eks-1-1-0 tag to filter for CIS Amazon EKS 1.1.0 policies only. You can enable or disable each one using its status toggle.

Note: Manual policies do not have a status toggle, as there is no functional check to enable.

Bulk Enable or Disable CIS Amazon EKS 1.1.0 Policies through the Lacework CLI

Enable or disable all the CIS Amazon EKS 1.1.0 policies using the following commands in the Lacework CLI:

Enable all policies:

```shell
lacework policy enable --tag framework:cis-eks-1-1-0
```

Disable all policies:

```shell
lacework policy disable --tag framework:cis-eks-1-1-0
```

Tip: If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.

Automated vs Manual Rules

Lacework automates compliance rules where possible. For some benchmark rules, the checks cannot be automated in an AWS environment; these are called manual rules, and you must verify them yourself.

Adjusted Rules

4.2.1 - 4.2.8 Pod Security Policies

The original CIS Amazon EKS 1.1.0 policies for Pod Security are now deprecated. To help provide effective coverage, Lacework has designed supplementary policies for the detection and remediation of pods that have been configured insecurely.

The following table lists the CIS policies (that are disabled by default) and the corresponding Lacework supplementary policies for Pod Security:

| CIS Amazon EKS 1.1.0 Rule ID | Disabled CIS Policy | Supplementary Lacework Policy |
|---|---|---|
| 4.2.1 | lacework-global-337 | lacework-global-648 |
| 4.2.2 | lacework-global-338 | lacework-global-649 |
| 4.2.3 | lacework-global-339 | lacework-global-650 |
| 4.2.4 | lacework-global-340 | lacework-global-651 |
| 4.2.5 | lacework-global-341 | lacework-global-652 |
| 4.2.6 | lacework-global-342 | lacework-global-653 |
| 4.2.7 | lacework-global-343 | lacework-global-654 |
| 4.2.8 | lacework-global-344 | lacework-global-655 |

Note: There is no supplementary policy for 4.2.9 as it is a manual rule.

Excluded Resources during 4.2.1 - 4.2.8 Policy Assessments

The Lacework Agent and workloads in the kube-system namespace are excluded during these policy assessments.

The Lacework Agent requires privileged access in order to monitor workload security. The kube-system namespace is used by Kubernetes system components, which need significant permissions to function; flagging them under the pod security rules would produce findings that cannot be remediated.
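The following is an added example, not Lacework's code, showing how an assessment in the spirit of rules 4.2.1 to 4.2.8 can be run over pod manifests while honouring the exclusions described above: anything in kube-system and the Lacework Agent are skipped before any check runs. The mapping from rule ID to check (privileged, hostPID, hostIPC, hostNetwork, allowPrivilegeEscalation, root user, NET_RAW, added capabilities) follows the CIS benchmark's own rule titles rather than this page, and the agent is recognised by a hypothetical app=lacework-agent label because the page does not state how the agent is identified. The sample pods are constructed.

```python
"""Assess pod manifests against CIS EKS 4.2.1-4.2.8 style checks, skipping
kube-system workloads and the Lacework Agent as the page describes.

Assumptions (not from the page): the rule-to-check mapping follows the CIS
benchmark rule titles; the Lacework Agent carries a hypothetical
app=lacework-agent label.
"""
from typing import Dict, List

EXCLUDED_NAMESPACES = {"kube-system"}
LACEWORK_AGENT_LABELS = {"app": "lacework-agent"}  # hypothetical selector


def is_excluded(pod: Dict) -> bool:
    """True for workloads that are skipped during the 4.2.x assessments."""
    meta = pod.get("metadata", {})
    if meta.get("namespace") in EXCLUDED_NAMESPACES:
        return True
    labels = meta.get("labels", {})
    return all(labels.get(k) == v for k, v in LACEWORK_AGENT_LABELS.items())


def _containers(spec: Dict) -> List[Dict]:
    return spec.get("initContainers", []) + spec.get("containers", [])


def assess_pod(pod: Dict) -> List[str]:
    """Return the sorted rule IDs the pod fails ([] if compliant or excluded)."""
    if is_excluded(pod):
        return []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    failures = set()
    # Pod-level host namespace sharing: 4.2.2 hostPID, 4.2.3 hostIPC, 4.2.4 hostNetwork.
    if spec.get("hostPID"):
        failures.add("4.2.2")
    if spec.get("hostIPC"):
        failures.add("4.2.3")
    if spec.get("hostNetwork"):
        failures.add("4.2.4")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            failures.add("4.2.1")
        # Kubernetes defaults allowPrivilegeEscalation to true; only an explicit false passes.
        if sc.get("allowPrivilegeEscalation", True):
            failures.add("4.2.5")
        # Container-level user settings override the pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and (uid is None or uid == 0):
            failures.add("4.2.6")
        caps = sc.get("capabilities", {})
        added = {x.upper() for x in caps.get("add", [])}
        dropped = {x.upper() for x in caps.get("drop", [])}
        # NET_RAW must be dropped (directly or via ALL) and never added back.
        if "NET_RAW" in added or not ({"NET_RAW", "ALL"} & dropped):
            failures.add("4.2.7")
        if added:
            failures.add("4.2.8")
    return sorted(failures)


def assess_all(pods: List[Dict]) -> Dict[str, List[str]]:
    """Map 'namespace/name' to failed rule IDs; excluded pods report []."""
    report = {}
    for pod in pods:
        meta = pod["metadata"]
        report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = assess_pod(pod)
    return report


# Constructed sample pods, not data from a real cluster.
SAMPLE_PODS = [
    {"metadata": {"name": "cni-daemon", "namespace": "kube-system"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "cni", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "lacework-agent-abc", "namespace": "lacework",
                  "labels": {"app": "lacework-agent"}},
     "spec": {"hostPID": True,
              "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "legacy-job", "namespace": "default"},
     "spec": {"hostPID": True,
              "containers": [{"name": "job",
                              "securityContext": {"privileged": True,
                                                  "capabilities": {"add": ["NET_ADMIN"]}}}]}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
              "containers": [{"name": "web",
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "capabilities": {"drop": ["ALL"]}}}]}},
]

if __name__ == "__main__":
    for key, failed in assess_all(SAMPLE_PODS).items():
        print(f"{key}: {', '.join(failed) if failed else 'compliant or excluded'}")
```

The two privileged pods in kube-system and under the agent label produce no findings, which is the behaviour the exclusion is meant to deliver; the legacy-job pod in the default namespace shows how a single manifest can fail most of the 4.2.x rules at once, and the hardened web pod shows the settings that satisfy them.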

Policy Mapping for CIS Amazon EKS 1.1.0

The CIS Amazon EKS 1.1.0 rules are mapped to Lacework global policies. See the following sections for the mappings used.

1. Control Plane Components

This section is not applicable to managed Kubernetes clusters; therefore, it contains no rules.

2. Control Plane Configuration

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 2.1.1 | lacework-global-315 |

3. Worker Nodes

3.1 Worker Node Configuration Files

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 3.1.1 | lacework-global-316 |
| 3.1.2 | lacework-global-317 |
| 3.1.3 | lacework-global-318 |
| 3.1.4 | lacework-global-319 |

3.2 Kubelet

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 3.2.1 | lacework-global-320 |
| 3.2.2 | lacework-global-321 |
| 3.2.3 | lacework-global-322 |
| 3.2.4 | lacework-global-323 |
| 3.2.5 | lacework-global-324 |
| 3.2.6 | lacework-global-325 |
| 3.2.7 | lacework-global-326 |
| 3.2.8 | lacework-global-327 |
| 3.2.9 | lacework-global-328 |
| 3.2.10 | lacework-global-329 |
| 3.2.11 | lacework-global-330 |

3.3 Container Optimized OS

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 3.3.1 | lacework-global-366 |

4. Policies

4.1 RBAC and Service Accounts

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.1.1 | lacework-global-331 |
| 4.1.2 | lacework-global-332 |
| 4.1.3 | lacework-global-333 |
| 4.1.4 | lacework-global-334 |
| 4.1.5 | lacework-global-335 |
| 4.1.6 | lacework-global-336 |

4.2 Pod Security Policies

Note: See Adjusted Rules for details on changes to these policies.

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.2.1 | lacework-global-648 |
| 4.2.2 | lacework-global-649 |
| 4.2.3 | lacework-global-650 |
| 4.2.4 | lacework-global-651 |
| 4.2.5 | lacework-global-652 |
| 4.2.6 | lacework-global-653 |
| 4.2.7 | lacework-global-654 |
| 4.2.8 | lacework-global-655 |
| 4.2.9 | lacework-global-345 |
4.2.9lacework-global-345

4.3 CNI Plugin

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.3.1 | lacework-global-346 |
| 4.3.2 | lacework-global-347 |

4.4 Secrets Management

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.4.1 | lacework-global-348 |
| 4.4.2 | lacework-global-349 |

4.5 Extensible Admission Control

N/A

4.6 General Policies

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 4.6.1 | lacework-global-350 |
| 4.6.2 | lacework-global-351 |
| 4.6.3 | lacework-global-352 |

5. Managed Services

5.1 Image Registry and Image Scanning

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.1.1 | lacework-global-353 |
| 5.1.2 | lacework-global-354 |
| 5.1.3 | lacework-global-355 |
| 5.1.4 | lacework-global-356 |

5.2 Identity and Access Management (IAM)

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.2.1 | lacework-global-357 |

5.3 AWS EKS Key Management Service

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.3.1 | lacework-global-358 |

5.4 Cluster Networking

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.4.1 | lacework-global-359 |
| 5.4.2 | lacework-global-360 |
| 5.4.3 | lacework-global-361 |
| 5.4.4 | lacework-global-362 |
| 5.4.5 | lacework-global-363 |

5.5 Authentication and Authorization

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.5.1 | lacework-global-364 |

5.6 Other Cluster Configurations

| CIS Amazon EKS 1.1.0 Rule ID | Lacework Policy ID |
|---|---|
| 5.6.1 | lacework-global-365 |