Skip to content

Latest commit

 

History

History
274 lines (259 loc) · 57.6 KB

RULES.md

File metadata and controls

274 lines (259 loc) · 57.6 KB
Raw

Rules Status

K8S CIS Benchmark

92/125 implemented rules (74%)

Automated rules: 73/74 (99%)

Manual rules: 19/51 (37%)

Rule Number Section Description Status Type
1.1.1 Control Plane Node Configuration Files Ensure that the API server pod specification file permissions are set to 644 or more restrictive Automated
1.1.10 Control Plane Node Configuration Files Ensure that the Container Network Interface file ownership is set to root:root Manual
1.1.11 Control Plane Node Configuration Files Ensure that the etcd data directory permissions are set to 700 or more restrictive Automated
1.1.12 Control Plane Node Configuration Files Ensure that the etcd data directory ownership is set to etcd:etcd Automated
1.1.13 Control Plane Node Configuration Files Ensure that the admin.conf file permissions are set to 600 Automated
1.1.14 Control Plane Node Configuration Files Ensure that the admin.conf file ownership is set to root:root Automated
1.1.15 Control Plane Node Configuration Files Ensure that the scheduler.conf file permissions are set to 644 or more restrictive Automated
1.1.16 Control Plane Node Configuration Files Ensure that the scheduler.conf file ownership is set to root:root Automated
1.1.17 Control Plane Node Configuration Files Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive Automated
1.1.18 Control Plane Node Configuration Files Ensure that the controller-manager.conf file ownership is set to root:root Automated
1.1.19 Control Plane Node Configuration Files Ensure that the Kubernetes PKI directory and file ownership is set to root:root Automated
1.1.2 Control Plane Node Configuration Files Ensure that the API server pod specification file ownership is set to root:root Automated
1.1.20 Control Plane Node Configuration Files Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive Manual
1.1.21 Control Plane Node Configuration Files Ensure that the Kubernetes PKI key file permissions are set to 600 Manual
1.1.3 Control Plane Node Configuration Files Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive Automated
1.1.4 Control Plane Node Configuration Files Ensure that the controller manager pod specification file ownership is set to root:root Automated
1.1.5 Control Plane Node Configuration Files Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive Automated
1.1.6 Control Plane Node Configuration Files Ensure that the scheduler pod specification file ownership is set to root:root Automated
1.1.7 Control Plane Node Configuration Files Ensure that the etcd pod specification file permissions are set to 644 or more restrictive Automated
1.1.8 Control Plane Node Configuration Files Ensure that the etcd pod specification file ownership is set to root:root Automated
1.1.9 Control Plane Node Configuration Files Ensure that the Container Network Interface file permissions are set to 644 or more restrictive Manual
1.2.1 API Server Ensure that the --anonymous-auth argument is set to false Manual
1.2.10 API Server Ensure that the admission control plugin EventRateLimit is set Manual
1.2.11 API Server Ensure that the admission control plugin AlwaysAdmit is not set Automated
1.2.12 API Server Ensure that the admission control plugin AlwaysPullImages is set Manual
1.2.13 API Server Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used Manual
1.2.14 API Server Ensure that the admission control plugin ServiceAccount is set Automated
1.2.15 API Server Ensure that the admission control plugin NamespaceLifecycle is set Automated
1.2.16 API Server Ensure that the admission control plugin NodeRestriction is set Automated
1.2.17 API Server Ensure that the --secure-port argument is not set to 0 Automated
1.2.18 API Server Ensure that the --profiling argument is set to false Automated
1.2.19 API Server Ensure that the --audit-log-path argument is set Automated
1.2.2 API Server Ensure that the --token-auth-file parameter is not set Automated
1.2.20 API Server Ensure that the --audit-log-maxage argument is set to 30 or as appropriate Automated
1.2.21 API Server Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate Automated
1.2.22 API Server Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate Automated
1.2.23 API Server Ensure that the --request-timeout argument is set as appropriate Manual
1.2.24 API Server Ensure that the --service-account-lookup argument is set to true Automated
1.2.25 API Server Ensure that the --service-account-key-file argument is set as appropriate Automated
1.2.26 API Server Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate Automated
1.2.27 API Server Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate Automated
1.2.28 API Server Ensure that the --client-ca-file argument is set as appropriate Automated
1.2.29 API Server Ensure that the --etcd-cafile argument is set as appropriate Automated
1.2.3 API Server Ensure that the --DenyServiceExternalIPs is not set Automated
1.2.30 API Server Ensure that the --encryption-provider-config argument is set as appropriate Manual
1.2.31 API Server Ensure that encryption providers are appropriately configured Manual
1.2.32 API Server Ensure that the API Server only makes use of Strong Cryptographic Ciphers Manual
1.2.4 API Server Ensure that the --kubelet-https argument is set to true Automated
1.2.5 API Server Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate Automated
1.2.6 API Server Ensure that the --kubelet-certificate-authority argument is set as appropriate Automated
1.2.7 API Server Ensure that the --authorization-mode argument is not set to AlwaysAllow Automated
1.2.8 API Server Ensure that the --authorization-mode argument includes Node Automated
1.2.9 API Server Ensure that the --authorization-mode argument includes RBAC Automated
1.3.1 Controller Manager Ensure that the --terminated-pod-gc-threshold argument is set as appropriate Manual
1.3.2 Controller Manager Ensure that the --profiling argument is set to false Automated
1.3.3 Controller Manager Ensure that the --use-service-account-credentials argument is set to true Automated
1.3.4 Controller Manager Ensure that the --service-account-private-key-file argument is set as appropriate Automated
1.3.5 Controller Manager Ensure that the --root-ca-file argument is set as appropriate Automated
1.3.6 Controller Manager Ensure that the RotateKubeletServerCertificate argument is set to true Automated
1.3.7 Controller Manager Ensure that the --bind-address argument is set to 127.0.0.1 Automated
1.4.1 Scheduler Ensure that the --profiling argument is set to false Automated
1.4.2 Scheduler Ensure that the --bind-address argument is set to 127.0.0.1 Automated
2.1 etcd Ensure that the --cert-file and --key-file arguments are set as appropriate Automated
2.2 etcd Ensure that the --client-cert-auth argument is set to true Automated
2.3 etcd Ensure that the --auto-tls argument is not set to true Automated
2.4 etcd Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate Automated
2.5 etcd Ensure that the --peer-client-cert-auth argument is set to true Automated
2.6 etcd Ensure that the --peer-auto-tls argument is not set to true Automated
2.7 etcd Ensure that a unique Certificate Authority is used for etcd Manual
3.1.1 Authentication and Authorization Client certificate authentication should not be used for users Manual
3.2.1 Logging Ensure that a minimal audit policy is created Manual
3.2.2 Logging Ensure that the audit policy covers key security concerns Manual
4.1.1 Worker Node Configuration Files Ensure that the kubelet service file permissions are set to 644 or more restrictive Automated
4.1.10 Worker Node Configuration Files Ensure that the kubelet --config configuration file ownership is set to root:root Automated
4.1.2 Worker Node Configuration Files Ensure that the kubelet service file ownership is set to root:root Automated
4.1.3 Worker Node Configuration Files If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive Manual
4.1.4 Worker Node Configuration Files If proxy kubeconfig file exists ensure ownership is set to root:root Manual
4.1.5 Worker Node Configuration Files Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive Automated
4.1.6 Worker Node Configuration Files Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root Automated
4.1.7 Worker Node Configuration Files Ensure that the certificate authorities file permissions are set to 644 or more restrictive Manual
4.1.8 Worker Node Configuration Files Ensure that the client certificate authorities file ownership is set to root:root Manual
4.1.9 Worker Node Configuration Files Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive Automated
4.2.1 Kubelet Ensure that the --anonymous-auth argument is set to false Automated
4.2.10 Kubelet Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate Manual
4.2.11 Kubelet Ensure that the --rotate-certificates argument is not set to false Automated
4.2.12 Kubelet Verify that the RotateKubeletServerCertificate argument is set to true Manual
4.2.13 Kubelet Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers Manual
4.2.2 Kubelet Ensure that the --authorization-mode argument is not set to AlwaysAllow Automated
4.2.3 Kubelet Ensure that the --client-ca-file argument is set as appropriate Automated
4.2.4 Kubelet Verify that the --read-only-port argument is set to 0 Manual
4.2.5 Kubelet Ensure that the --streaming-connection-idle-timeout argument is not set to 0 Manual
4.2.6 Kubelet Ensure that the --protect-kernel-defaults argument is set to true Automated
4.2.7 Kubelet Ensure that the --make-iptables-util-chains argument is set to true Automated
4.2.8 Kubelet Ensure that the --hostname-override argument is not set Manual
4.2.9 Kubelet Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture Manual
5.1.1 RBAC and Service Accounts Ensure that the cluster-admin role is only used where required Manual
5.1.2 RBAC and Service Accounts Minimize access to secrets Manual
5.1.3 RBAC and Service Accounts Minimize wildcard use in Roles and ClusterRoles Manual
5.1.4 RBAC and Service Accounts Minimize access to create pods Manual
5.1.5 RBAC and Service Accounts Ensure that default service accounts are not actively used. Manual
5.1.6 RBAC and Service Accounts Ensure that Service Account Tokens are only mounted where necessary Manual
5.1.7 RBAC and Service Accounts Avoid use of system:masters group Manual
5.1.8 RBAC and Service Accounts Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster Manual
5.2.1 Pod Security Standards Ensure that the cluster has at least one active policy control mechanism in place Manual
5.2.10 Pod Security Standards Minimize the admission of containers with capabilities assigned Manual
5.2.11 Pod Security Standards Minimize the admission of Windows HostProcess Containers Manual
5.2.12 Pod Security Standards Minimize the admission of HostPath volumes Manual
5.2.13 Pod Security Standards Minimize the admission of containers which use HostPorts Manual
5.2.2 Pod Security Standards Minimize the admission of privileged containers Manual
5.2.3 Pod Security Standards Minimize the admission of containers wishing to share the host process ID namespace Automated
5.2.4 Pod Security Standards Minimize the admission of containers wishing to share the host IPC namespace Automated
5.2.5 Pod Security Standards Minimize the admission of containers wishing to share the host network namespace Automated
5.2.6 Pod Security Standards Minimize the admission of containers with allowPrivilegeEscalation Automated
5.2.7 Pod Security Standards Minimize the admission of root containers Automated
5.2.8 Pod Security Standards Minimize the admission of containers with the NET_RAW capability Automated
5.2.9 Pod Security Standards Minimize the admission of containers with added capabilities Automated
5.3.1 Network Policies and CNI Ensure that the CNI in use supports Network Policies Manual
5.3.2 Network Policies and CNI Ensure that all Namespaces have Network Policies defined Manual
5.4.1 Secrets Management Prefer using secrets as files over secrets as environment variables Manual
5.4.2 Secrets Management Consider external secret storage Manual
5.5.1 Extensible Admission Control Configure Image Provenance using ImagePolicyWebhook admission controller Manual
5.7.1 General Policies Create administrative boundaries between resources using namespaces Manual
5.7.2 General Policies Ensure that the seccomp profile is set to docker/default in your pod definitions Manual
5.7.3 General Policies Apply Security Context to Your Pods and Containers Manual
5.7.4 General Policies The default namespace should not be used Manual

EKS CIS Benchmark

31/52 implemented rules (60%)

Automated rules: 14/16 (88%)

Manual rules: 17/36 (47%)

Rule Number Section Description Status Type
2.1.1 Logging Enable audit Logs Manual
3.1.1 Worker Node Configuration Files Ensure that the kubeconfig file permissions are set to 644 or more restrictive Manual
3.1.2 Worker Node Configuration Files Ensure that the kubelet kubeconfig file ownership is set to root:root Manual
3.1.3 Worker Node Configuration Files Ensure that the kubelet configuration file has permissions set to 644 or more restrictive Manual
3.1.4 Worker Node Configuration Files Ensure that the kubelet configuration file ownership is set to root:root Manual
3.2.1 Kubelet Ensure that the --anonymous-auth argument is set to false Automated
3.2.10 Kubelet Ensure that the --rotate-certificates argument is not set to false Manual
3.2.11 Kubelet Ensure that the RotateKubeletServerCertificate argument is set to true Manual
3.2.2 Kubelet Ensure that the --authorization-mode argument is not set to AlwaysAllow Automated
3.2.3 Kubelet Ensure that the --client-ca-file argument is set as appropriate Manual
3.2.4 Kubelet Ensure that the --read-only-port is secured Manual
3.2.5 Kubelet Ensure that the --streaming-connection-idle-timeout argument is not set to 0 Manual
3.2.6 Kubelet Ensure that the --protect-kernel-defaults argument is set to true Automated
3.2.7 Kubelet Ensure that the --make-iptables-util-chains argument is set to true Automated
3.2.8 Kubelet Ensure that the --hostname-override argument is not set Manual
3.2.9 Kubelet Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture Automated
4.1.1 RBAC and Service Accounts Ensure that the cluster-admin role is only used where required Manual
4.1.2 RBAC and Service Accounts Minimize access to secrets Manual
4.1.3 RBAC and Service Accounts Minimize wildcard use in Roles and ClusterRoles Manual
4.1.4 RBAC and Service Accounts Minimize access to create pods Manual
4.1.5 RBAC and Service Accounts Ensure that default service accounts are not actively used. Manual
4.1.6 RBAC and Service Accounts Ensure that Service Account Tokens are only mounted where necessary Manual
4.2.1 Pod Security Policies Minimize the admission of privileged containers Automated
4.2.2 Pod Security Policies Minimize the admission of containers wishing to share the host process ID namespace Automated
4.2.3 Pod Security Policies Minimize the admission of containers wishing to share the host IPC namespace Automated
4.2.4 Pod Security Policies Minimize the admission of containers wishing to share the host network namespace Automated
4.2.5 Pod Security Policies Minimize the admission of containers with allowPrivilegeEscalation Automated
4.2.6 Pod Security Policies Minimize the admission of root containers Automated
4.2.7 Pod Security Policies Minimize the admission of containers with the NET_RAW capability Automated
4.2.8 Pod Security Policies Minimize the admission of containers with added capabilities Automated
4.2.9 Pod Security Policies Minimize the admission of containers with capabilities assigned Manual
4.3.1 CNI Plugin Ensure latest CNI version is used Manual
4.3.2 CNI Plugin Ensure that all Namespaces have Network Policies defined Automated
4.4.1 Secrets Management Prefer using secrets as files over secrets as environment variables Manual
4.4.2 Secrets Management Consider external secret storage Manual
4.5.1 Extensible Admission Control Configure Image Provenance using ImagePolicyWebhook admission controller Manual
4.6.1 General Policies Create administrative boundaries between resources using namespaces Manual
4.6.2 General Policies Apply Security Context to Your Pods and Containers Manual
4.6.3 General Policies The default namespace should not be used Automated
5.1.1 Image Registry and Image Scanning Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider Manual
5.1.2 Image Registry and Image Scanning Minimize user access to Amazon ECR Manual
5.1.3 Image Registry and Image Scanning Minimize cluster access to read-only for Amazon ECR Manual
5.1.4 Image Registry and Image Scanning Minimize Container Registries to only those approved Manual
5.2.1 Identity and Access Management (IAM) Prefer using dedicated EKS Service Accounts Manual
5.3.1 AWS Key Management Service (KMS) Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS Automated
5.4.1 Cluster Networking Restrict Access to the Control Plane Endpoint Manual
5.4.2 Cluster Networking Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled Manual
5.4.3 Cluster Networking Ensure clusters are created with Private Nodes Manual
5.4.4 Cluster Networking Ensure Network Policy is Enabled and set as appropriate Manual
5.4.5 Cluster Networking Encrypt traffic to HTTPS load balancers with TLS certificates Manual
5.5.1 Authentication and Authorization Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes Manual
5.6.1 Other Cluster Configurations Consider Fargate for running untrusted workloads Manual

AWS CIS Benchmark

16/63 implemented rules (25%)

Automated rules: 16/55 (29%)

Manual rules: 0/8 (0%)

Rule Number Section Description Status Type
1.1 Identity and Access Management Maintain current contact details Manual
1.10 Identity and Access Management Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Automated
1.11 Identity and Access Management Do not setup access keys during initial user setup for all IAM users that have a console password Automated
1.12 Identity and Access Management Ensure credentials unused for 45 days or greater are disabled Automated
1.13 Identity and Access Management Ensure there is only one active access key available for any single IAM user Automated
1.14 Identity and Access Management Ensure access keys are rotated every 90 days or less Automated
1.15 Identity and Access Management Ensure IAM Users Receive Permissions Only Through Groups Automated
1.16 Identity and Access Management Ensure IAM policies that allow full ":" administrative privileges are not attached Automated
1.17 Identity and Access Management Ensure a support role has been created to manage incidents with AWS Support Automated
1.18 Identity and Access Management Ensure IAM instance roles are used for AWS resource access from instances Manual
1.19 Identity and Access Management Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed Automated
1.2 Identity and Access Management Ensure security contact information is registered Manual
1.20 Identity and Access Management Ensure that IAM Access analyzer is enabled for all regions Automated
1.21 Identity and Access Management Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments Manual
1.3 Identity and Access Management Ensure security questions are registered in the AWS account Manual
1.4 Identity and Access Management Ensure no 'root' user account access key exists Automated
1.5 Identity and Access Management Ensure MFA is enabled for the 'root' user account Automated
1.6 Identity and Access Management Ensure hardware MFA is enabled for the 'root' user account Automated
1.7 Identity and Access Management Eliminate use of the 'root' user for administrative and daily tasks Automated
1.8 Identity and Access Management Ensure IAM password policy requires minimum length of 14 or greater Automated
1.9 Identity and Access Management Ensure IAM password policy prevents password reuse Automated
2.1.1 Simple Storage Service (S3) Ensure all S3 buckets employ encryption-at-rest Automated
2.1.2 Simple Storage Service (S3) Ensure S3 Bucket Policy is set to deny HTTP requests Automated
2.1.3 Simple Storage Service (S3) Ensure MFA Delete is enabled on S3 buckets Automated
2.1.4 Simple Storage Service (S3) Ensure all data in Amazon S3 has been discovered, classified and secured when required. Manual
2.1.5 Simple Storage Service (S3) Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' Automated
2.2.1 Elastic Compute Cloud (EC2) Ensure EBS Volume Encryption is Enabled in all Regions Automated
2.3.1 Relational Database Service (RDS) Ensure that encryption is enabled for RDS Instances Automated
2.3.2 Relational Database Service (RDS) Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances Automated
2.3.3 Relational Database Service (RDS) Ensure that public access is not given to RDS Instance Automated
2.4.1 Elastic File System (EFS) Ensure that encryption is enabled for EFS file systems Manual
3.1 Logging Ensure CloudTrail is enabled in all regions Automated
3.10 Logging Ensure that Object-level logging for write events is enabled for S3 bucket Automated
3.11 Logging Ensure that Object-level logging for read events is enabled for S3 bucket Automated
3.2 Logging Ensure CloudTrail log file validation is enabled Automated
3.3 Logging Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible Automated
3.4 Logging Ensure CloudTrail trails are integrated with CloudWatch Logs Automated
3.5 Logging Ensure AWS Config is enabled in all regions Automated
3.6 Logging Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket Automated
3.7 Logging Ensure CloudTrail logs are encrypted at rest using KMS CMKs Automated
3.8 Logging Ensure rotation for customer created symmetric CMKs is enabled Automated
3.9 Logging Ensure VPC flow logging is enabled in all VPCs Automated
4.1 Monitoring Ensure a log metric filter and alarm exist for unauthorized API calls Automated
4.10 Monitoring Ensure a log metric filter and alarm exist for security group changes Automated
4.11 Monitoring Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) Automated
4.12 Monitoring Ensure a log metric filter and alarm exist for changes to network gateways Automated
4.13 Monitoring Ensure a log metric filter and alarm exist for route table changes Automated
4.14 Monitoring Ensure a log metric filter and alarm exist for VPC changes Automated
4.15 Monitoring Ensure a log metric filter and alarm exists for AWS Organizations changes Automated
4.16 Monitoring Ensure AWS Security Hub is enabled Automated
4.2 Monitoring Ensure a log metric filter and alarm exist for Management Console sign-in without MFA Automated
4.3 Monitoring Ensure a log metric filter and alarm exist for usage of 'root' account Automated
4.4 Monitoring Ensure a log metric filter and alarm exist for IAM policy changes Automated
4.5 Monitoring Ensure a log metric filter and alarm exist for CloudTrail configuration changes Automated
4.6 Monitoring Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Automated
4.7 Monitoring Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs Automated
4.8 Monitoring Ensure a log metric filter and alarm exist for S3 bucket policy changes Automated
4.9 Monitoring Ensure a log metric filter and alarm exist for AWS Config configuration changes Automated
5.1 Networking Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports Automated
5.2 Networking Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports Automated
5.3 Networking Ensure no security groups allow ingress from ::/0 to remote server administration ports Automated
5.4 Networking Ensure the default security group of every VPC restricts all traffic Automated
5.5 Networking Ensure routing tables for VPC peering are "least access" Manual