AWS-031 Amazon Web Services (AWS)

EKS clusters log control-plane and restrict public API endpoint.

Domain: Amazon Web Services (AWS)
Area: Serverless / Containers
Automated / manual: Automated

Risk if it fails

Open clusters allow takeover of workloads.

An exposed Kubernetes API with weak controls lets attackers schedule their own malicious containers, steal secrets and pivot across every app in the cluster.

How Tess tests it

1 test — each concludes only on cited evidence.

EKS clusters log control-plane and restrict public API endpoint.

Automated
Procedure
Confirm that control-plane logging types are enabled and that endpointPublicAccess is scoped.

Read-only command

aws eks describe-cluster --name <cluster> --query 'cluster.{Log:logging,Endpoint:resourcesVpcConfig}'
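
One way to evaluate the JSON that the command above prints, as an added example that is not Tess's own check logic. The required log types, the treatment of 0.0.0.0/0 and ::/0 as "not scoped", and both sample outputs are assumptions constructed for illustration.

```python
import json

# Assumed policy (the page does not name the required log types).
REQUIRED_LOG_TYPES = frozenset({"api", "audit", "authenticator"})
# Assumed definition of "not scoped": any CIDR that admits the whole internet.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def evaluate(describe_output, required=REQUIRED_LOG_TYPES):
    """Return findings for the {Log, Endpoint} JSON printed by the query."""
    doc = json.loads(describe_output)
    findings = []

    # logging.clusterLogging is a list of {"types": [...], "enabled": bool} groups.
    enabled = set()
    for group in (doc.get("Log") or {}).get("clusterLogging") or []:
        if group.get("enabled"):
            enabled.update(group.get("types") or [])
    missing = sorted(set(required) - enabled)
    if missing:
        findings.append("control-plane log types not enabled: " + ", ".join(missing))

    vpc = doc.get("Endpoint") or {}
    if vpc.get("endpointPublicAccess"):
        cidrs = vpc.get("publicAccessCidrs") or []
        wide = sorted(OPEN_CIDRS.intersection(cidrs))
        # Fail closed: a public endpoint with no CIDR list is reported as open.
        if wide or not cidrs:
            findings.append("public API endpoint open to: "
                            + (", ".join(wide) or "unspecified CIDRs"))
    return findings

# Constructed sample outputs (not taken from a real cluster).
SAMPLE_OPEN = json.dumps({
    "Log": {"clusterLogging": [
        {"types": ["api", "audit"], "enabled": True},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False}]},
    "Endpoint": {"endpointPublicAccess": True, "endpointPrivateAccess": False,
                 "publicAccessCidrs": ["0.0.0.0/0"]}})
SAMPLE_SCOPED = json.dumps({
    "Log": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator"], "enabled": True}]},
    "Endpoint": {"endpointPublicAccess": True, "endpointPrivateAccess": True,
                 "publicAccessCidrs": ["203.0.113.0/24"]}})

if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("scoped", SAMPLE_SCOPED)):
        print(name, evaluate(sample) or "PASS")
```

An empty list means the cluster passes under the assumed policy; a private-only endpoint (endpointPublicAccess false) produces no endpoint finding.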
