[EKS] [request]: Automated EKS CIS benchmarking of nodes

[brettcave]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Assessing compliance of EKS CIS standards into standard AWS security services Having a overall view of infrastructure configuration from a security perspective in a single place is valuable. kube-bench scores compliance of EKS configuration against the EKS CIS standard. However, running the eks benchmark against EKS deployments is manual and not available through an AWS managed component. It would be great if CIS EKS could be executed and findings / results reflected back into security monitoring services - Security Hub provides a great place to aggregate findings from various systems in a single service.

Which service(s) is this request for? EKS (and Fargate?)

[tabern]

Update - we're considering solving this in 2021 using AWS Config. More details to come.

[jihed]

Also, SecurityHub supports kube-bench: https://aws.amazon.com/about-aws/whats-new/2020/12/aws-security-hub-adds-open-source-tool-integration-with-kube-bench-and-cloud-custodian/?nc1=h_ls

[gmarchand]

Hello @tabern any update since 2021 ?

[joebowbeer]

The current CIS EKS benchmark recommends running bottlerocket, and bottlerocket supports something along these lines:

https://github.com/bottlerocket-os/bottlerocket/issues/2731

[maiconrocha]

Please refer to the solution I developed to address these long-standing customer requests:

https://github.com/awslabs/security-hardened-amis-for-eks

This project provides a fully automated solution to create security-hardened Amazon EKS AMIs that comply with either CIS Level 1 or Level 2 standards.