mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-16 04:49:19 +00:00
6589eb16e1
* Update eks-1.0 to support CIS EKS Benchmark v1.0.1 * add "No remediation" * rename eks-1.0 to eks-1.0.1 Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
105 lines
2.9 KiB
YAML
105 lines
2.9 KiB
YAML
---
|
|
controls:
|
|
version: "eks-1.0.1"
|
|
id: 5
|
|
text: "Managed Services"
|
|
type: "managedservices"
|
|
groups:
|
|
- id: 5.1
|
|
text: "Image Registry and Image Scanning"
|
|
checks:
|
|
- id: 5.1.1
|
|
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.1.2
|
|
text: "Minimize user access to Amazon ECR (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.1.3
|
|
text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.1.4
|
|
text: "Minimize Container Registries to only those approved (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.2
|
|
text: "Identity and Access Management (IAM)"
|
|
checks:
|
|
- id: 5.2.1
|
|
text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.3
|
|
text: "AWS Key Management Service (KMS)"
|
|
checks:
|
|
- id: 5.3.1
|
|
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4
|
|
text: "Cluster Networking"
|
|
checks:
|
|
- id: 5.4.1
|
|
text: "Restrict Access to the Control Plane Endpoint (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.2
|
|
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.3
|
|
text: "Ensure clusters are created with Private Nodes (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.4
|
|
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.5
|
|
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
|
|
- id: 5.5
|
|
text: "Authentication and Authorization"
|
|
checks:
|
|
- id: 5.5.1
|
|
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
|
|
- id: 5.6
|
|
text: "Other Cluster Configurations"
|
|
checks:
|
|
- id: 5.6.1
|
|
text: "Consider Fargate for running untrusted workloads (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|