CIS Benchmark Tests for Kubernetes


CIS Benchmarks are a widely adopted set of configuration baselines for securing IT systems and data. CIS publishes a benchmark for configuring Kubernetes (K8s) securely and a separate CIS Amazon EKS Benchmark for AWS's managed Kubernetes service. Within Vanta, you can automate the tests that apply to AWS EKS. These tests work like all of Vanta's other automated tests: they continuously check the configuration read through your integrated tool (AWS in this instance) against the CIS benchmark and alert you when an item needs attention.


Core CIS Amazon EKS Benchmarks Tests

  • EKS clusters have audit logs enabled
  • Cluster control plane endpoint public access is restricted
  • Cluster control plane endpoint private access is enabled
  • Cluster has a security group

Additional tests are available on Vanta's Collaborate & Scale packages.


Complete Test set for CIS Benchmark for AWS EKS

For more information about plan types and capabilities, see Vanta's pricing page.

  • EKS clusters have audit logs enabled
  • Cluster control plane endpoint public access is restricted
  • Cluster control plane endpoint private access is enabled
  • Cluster has a security group
  • RBAC role rule definitions are restricted to specific verbs and resources (no wildcard grants)
  • Kubernetes nodes have anonymous requests to the kubelet server disabled
  • Kubernetes nodes have an explicit kubelet authorization mode (not AlwaysAllow)
  • Kubernetes nodes have a kubelet client CA file configured
  • Kubernetes nodes follow a kubelet certificate rotation policy
  • Kubernetes nodes have timeouts on kubelet streaming connections enabled
  • Kubernetes nodes allow the kubelet to manage iptables
  • Nodes have appropriate event capture (event record QPS) settings for logging
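The tests above are configuration checks, so they can be reproduced by hand when you need to confirm a Vanta finding or check a cluster that is not yet integrated. The following script is an added example and is not Vanta's code or part of the CIS benchmark itself. It evaluates two constructed JSON documents: one shaped like the output of `aws eks describe-cluster --name <cluster>` (the `cluster.logging` and `cluster.resourcesVpcConfig` fields) and one shaped like the kubelet's `KubeletConfiguration` file found on an EKS node. The pass/fail rules, the sample values, and the treatment of unset keys as failures are assumptions made for the example; the field names are the real EKS API and kubelet configuration names.

```python
"""Reproduce the CIS EKS control-plane and kubelet checks listed above.

Added example, not Vanta's code. Thresholds and the decision to treat a
missing key as a failure are assumptions; field names match the EKS
describe-cluster response and the kubelet KubeletConfiguration schema.
"""
import json

# Constructed sample, shaped like `aws eks describe-cluster --name demo`
# output, trimmed to the fields the checks read. It deliberately fails the
# audit-log, public-access and private-access checks.
SAMPLE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "demo",
    "resourcesVpcConfig": {
      "securityGroupIds": [],
      "clusterSecurityGroupId": "sg-0123456789abcdef0",
      "endpointPublicAccess": true,
      "endpointPrivateAccess": false,
      "publicAccessCidrs": ["0.0.0.0/0"]
    },
    "logging": {
      "clusterLogging": [
        {"types": ["api", "authenticator"], "enabled": true},
        {"types": ["audit", "controllerManager", "scheduler"], "enabled": false}
      ]
    }
  }
}
""")

# Constructed sample KubeletConfiguration (JSON form, as on an EKS node at
# /etc/kubernetes/kubelet/kubelet-config.json). It deliberately fails the
# anonymous-auth, authorization-mode and streaming-timeout checks.
SAMPLE_KUBELET = json.loads("""
{
  "kind": "KubeletConfiguration",
  "authentication": {
    "anonymous": {"enabled": true},
    "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}
  },
  "authorization": {"mode": "AlwaysAllow"},
  "rotateCertificates": true,
  "streamingConnectionIdleTimeout": "0",
  "makeIPTablesUtilChains": true,
  "eventRecordQPS": 0
}
""")

# The same node config with the three failing settings corrected.
HARDENED_KUBELET = {
    **SAMPLE_KUBELET,
    "authentication": {"anonymous": {"enabled": False},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
    "authorization": {"mode": "Webhook"},
    "streamingConnectionIdleTimeout": "4h",
}


def check_cluster(desc):
    """Return {check_name: passed} for the four control-plane tests."""
    cluster = desc["cluster"]
    vpc = cluster["resourcesVpcConfig"]
    # Audit logs: some enabled clusterLogging entry must include "audit".
    audit = any(entry["enabled"] and "audit" in entry["types"]
                for entry in cluster["logging"]["clusterLogging"])
    # Public endpoint is "restricted" if it is off, or if it is on but the
    # allowed CIDRs do not include the whole Internet (assumed rule).
    public_restricted = (not vpc["endpointPublicAccess"]
                         or "0.0.0.0/0" not in vpc.get("publicAccessCidrs", []))
    has_sg = bool(vpc.get("securityGroupIds") or vpc.get("clusterSecurityGroupId"))
    return {
        "audit_logs_enabled": audit,
        "public_access_restricted": public_restricted,
        "private_access_enabled": bool(vpc["endpointPrivateAccess"]),
        "has_security_group": has_sg,
    }


def check_kubelet(cfg):
    """Return {check_name: passed} for the kubelet tests. Unset keys fail."""
    auth = cfg.get("authentication", {})
    mode = cfg.get("authorization", {}).get("mode")
    timeout = str(cfg.get("streamingConnectionIdleTimeout", "0"))
    return {
        "anonymous_auth_disabled": auth.get("anonymous", {}).get("enabled") is False,
        "explicit_authz_mode": mode is not None and mode != "AlwaysAllow",
        "client_ca_configured": bool(auth.get("x509", {}).get("clientCAFile")),
        "cert_rotation_enabled": cfg.get("rotateCertificates") is True,
        "streaming_timeout_set": timeout not in ("0", "0s"),
        "kubelet_manages_iptables": cfg.get("makeIPTablesUtilChains") is True,
        # CIS accepts 0 (unlimited) or an explicitly chosen rate; require the
        # key to be set at all (assumed reading of "appropriate").
        "event_capture_configured": "eventRecordQPS" in cfg,
    }


def failing(results):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    print("cluster failures:", failing(check_cluster(SAMPLE_CLUSTER)))
    print("kubelet failures:", failing(check_kubelet(SAMPLE_KUBELET)))
    print("hardened kubelet failures:", failing(check_kubelet(HARDENED_KUBELET)))
```

To run this against a real cluster, replace `SAMPLE_CLUSTER` with the parsed output of `aws eks describe-cluster` and `SAMPLE_KUBELET` with the node's kubelet config file; the RBAC wildcard test in the list above needs `kubectl get roles,clusterroles -A -o json` and is not covered here.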