CIS Benchmarks are globally recognized best practices for securing IT systems and data. CIS publishes benchmarks for configuring Kubernetes (K8s) securely, including service-specific benchmarks for Amazon EKS, Google GKE and Azure AKS. Within Vanta, you can automate the tests specific to each of these managed Kubernetes services. These tests work like all of Vanta's other automated tests: they continuously check your integrated cloud provider (AWS, GCP or Azure) against the relevant CIS benchmark and alert you when items need attention.
Core CIS Amazon EKS Benchmark Tests
- EKS clusters have audit logs enabled
- Cluster control plane endpoint public access is restricted
- Cluster control plane endpoint private access is enabled
- Cluster has a security group
Additional tests are available in Vanta's Collaborate & Scale packages
Complete Test set for CIS Benchmark for AWS EKS
- EKS clusters have audit logs enabled
- Cluster control plane endpoint public access is restricted
- Cluster control plane endpoint private access is enabled
- Cluster has a security group
- RBAC role rules are restricted to specific verbs and resources
- Kubernetes nodes have anonymous requests to the kubelet server disabled
- Kubernetes nodes have an explicit kubelet authorization mode (not AlwaysAllow)
- Kubernetes nodes have a client CA file configured
- Kubernetes nodes follow a certificate rotation policy
- Kubernetes nodes have timeouts on streaming connections enabled
- Kubernetes nodes allow the kubelet to manage iptables
- Nodes have appropriate event capture settings (kubelet eventRecordQPS)
Complete Test set for CIS Benchmark for GCP GKE
- Ensure Image Vulnerability Scanning is enabled
- Ensure GKE clusters are not running using the Compute Engine default service account
- Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS
- Ensure legacy Compute Engine instance metadata APIs are Disabled
- Ensure the GKE Metadata Server is Enabled
- Ensure Container-Optimized OS (cos_containerd) is used for GKE node images
- Ensure Node Auto-Repair is enabled for GKE nodes
- Ensure Node Auto-Upgrade is enabled for GKE nodes
- Ensure Shielded GKE Nodes are Enabled
- Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
- Ensure Secure Boot for Shielded GKE Nodes is Enabled
- Enable VPC Flow Logs and Intranode Visibility
- Ensure use of VPC-native clusters
- Ensure Control Plane Authorized Networks is Enabled
- Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
- Ensure clusters are created with Private Nodes
- Ensure Network Policy is Enabled and set as appropriate
- Ensure Logging and Cloud Monitoring are Enabled
- Ensure authentication using Client Certificates is Disabled
- Ensure Legacy Authorization (ABAC) is Disabled
- Ensure Kubernetes Web UI is Disabled
- Ensure that Alpha clusters are not used for production workloads
- Ensure use of Binary Authorization
Complete Test set for CIS Benchmark for Azure AKS
- Ensure that the --anonymous-auth argument is set to false
- Ensure that the --authorization-mode argument is not set to AlwaysAllow
- Ensure that the --client-ca-file argument is set as appropriate
- Ensure that the --streaming-connection-idle-timeout argument is not set to 0
- Ensure that the --make-iptables-util-chains argument is set to true
- Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture
- Ensure that the --rotate-certificates argument is not set to false
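The AKS list above and the node-level EKS tests earlier on this page check the same kubelet settings, so one added example covers both. It is not Vanta's, AWS's or Azure's code. It reads a KubeletConfiguration object, for instance the `kubeletconfig` member of `kubectl get --raw /api/v1/nodes/<node>/proxy/configz` or the contents of /var/lib/kubelet/config.yaml loaded with a YAML parser, and reports which of the seven checks fail, falling back to the kubelet's own defaults for absent keys (anonymous auth on, authorization mode AlwaysAllow, 4h streaming idle timeout, iptables chains managed). The two sample configurations are constructed, and `MIN_EVENT_RECORD_QPS` is an assumed review threshold, not a value from the benchmark.

```python
"""Evaluate the kubelet-level CIS checks (EKS node tests and the AKS list) against a
KubeletConfiguration object.

Added example, not Vanta's, AWS's or Azure's code. Input: the dict from
`kubectl get --raw /api/v1/nodes/<node>/proxy/configz` (wrapped in "kubeletconfig")
or the bare KubeletConfiguration. The sample configs below are constructed.
"""
import json
import re

# Assumed review threshold: a non-zero eventRecordQPS below this is treated as too low to
# guarantee event capture (0 means unlimited). Tune to your environment.
MIN_EVENT_RECORD_QPS = 5

_DURATION_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")


def parse_duration_seconds(value) -> float:
    """Convert a Go-style duration ("4h0m0s", "30m", "0s") or a bare number to seconds."""
    if isinstance(value, (int, float)):
        return float(value)
    text = str(value).strip()
    if re.fullmatch(r"\d+(?:\.\d+)?", text):
        return float(text)
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(float(n) * _DURATION_UNITS[u] for n, u in parts)


def evaluate_kubelet(config: dict) -> dict:
    """Map each check to True (pass) / False (fail); absent keys use the kubelet defaults."""
    cfg = config.get("kubeletconfig", config)  # accept the /configz wrapper or the bare object
    auth = cfg.get("authentication", {})
    anonymous_enabled = auth.get("anonymous", {}).get("enabled", True)  # kubelet default: true
    client_ca = auth.get("x509", {}).get("clientCAFile")
    authz_mode = cfg.get("authorization", {}).get("mode", "AlwaysAllow")  # kubelet default
    idle_timeout = parse_duration_seconds(cfg.get("streamingConnectionIdleTimeout", "4h"))
    event_qps = cfg.get("eventRecordQPS")
    return {
        "anonymous-auth false": anonymous_enabled is False,
        "authorization-mode not AlwaysAllow": authz_mode != "AlwaysAllow",
        "client-ca-file set": bool(client_ca),
        "streaming-connection-idle-timeout not 0": idle_timeout > 0,
        "make-iptables-util-chains true": cfg.get("makeIPTablesUtilChains", True) is True,
        # The benchmark wants 0 or an adequate level; an unset value is flagged for review.
        "eventRecordQPS 0 or adequate": event_qps is not None
        and (event_qps == 0 or event_qps >= MIN_EVENT_RECORD_QPS),
        # Mirrors the benchmark wording "not set to false"; confirm an absent key manually.
        "rotate-certificates not false": cfg.get("rotateCertificates") is not False,
    }


def failing_checks(config: dict) -> list:
    """Return the sorted names of the checks a node's kubelet fails."""
    return sorted(name for name, ok in evaluate_kubelet(config).items() if not ok)


# Constructed sample in /configz shape: every setting at its weakest.
WEAK_KUBELET_CONFIG = json.loads("""{
  "kubeletconfig": {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": true}, "x509": {}},
    "authorization": {"mode": "AlwaysAllow"},
    "streamingConnectionIdleTimeout": "0s",
    "makeIPTablesUtilChains": false,
    "eventRecordQPS": 1,
    "rotateCertificates": false
  }
}""")

# Constructed sample as a bare KubeletConfiguration: the settings the benchmark asks for.
HARDENED_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "streamingConnectionIdleTimeout": "4h0m0s",
    "makeIPTablesUtilChains": True,
    "eventRecordQPS": 0,
    "rotateCertificates": True,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(label, failing_checks(cfg) or "all kubelet checks pass")
```

On managed node pools the same values may arrive as kubelet command-line flags rather than config-file keys; the /configz endpoint reflects the merged result, which is why it is the more reliable input for this kind of check.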