Skip to content
Log In

CIS Amazon Elastic Kubernetes Service Benchmark - Platform

Rules and Groups employed by this XCCDF Profile

  • Kubernetes Settings

    Each section of this configuration guide includes information about the configuration of a Kubernetes cluster and a set of recommendations for hardening the configuration. For each hardening recomm...
    Group
    Show

  • Kubernetes - Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. The same idea applies to...
    Group
    Show

  • Use Dedicated Service Accounts

    Kubernetes workloads should not use cluster node service accounts to authenticate to Amazon EKS APIs. Each Kubernetes workload that needs to authenticate to other AWS services using AWS IAM should ...
    Rule Unknown Severity
    Show

  • Authentication

    In cloud workloads, there are many ways to create and configure to multiple authentication services. Some of these authentication methods by not be secure or common methodologies, or they may not b...
    Group
    Show

  • Manage Users with AWS IAM

    Amazon EKS uses IAM to provide authentication to your Kubernetes cluster through the AWS IAM Authenticator for Kubernetes. You can configure the stock kubectl client to work with Amazon EKS by inst...
    Rule Unknown Severity
    Show

  • Kubernetes - General Security Practices

    Contains evaluations for general security practices for operating a Kubernetes environment.
    Group
    Show

  • Consider Fargate for Untrusted Workloads

    It is Best Practice to restrict or fence untrusted workloads when running in a multi-tenant environment.
    Rule Unknown Severity
    Show

  • Kubernetes Kubelet Settings

    The Kubernetes Kubelet is an agent that runs on each node in the cluster. It makes sure that containers are running in a pod. The kubelet takes a set of PodSpecs that are provided through various ...
    Group
    Show

  • kubelet - Configure the Client CA Certificate

    By default, the kubelet is not configured with a CA certificate which can subject the kubelet to man-in-the-middle attacks. To configure a client CA certificate, edit the kubelet configuration fil...
    Rule Medium Severity
    Show

  • kubelet - Ensure that the --read-only-port is secured

    Disable the read-only port.
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules