
Can we implement EKS-AMI hardening?

Open khetanvallurupalli opened this issue 5 years ago • 23 comments

As per our Infosec team, every server should be using a hardened AMI according to their policies. While we do the same for the EKS AMI, worker nodes are terminated before starting. Any suggestions?

khetanvallurupalli avatar Apr 10 '19 19:04 khetanvallurupalli

Did you check why?

rickard-von-essen avatar Apr 10 '19 20:04 rickard-von-essen

As their AMI has passed the CIS benchmark test, with some agents like Splunk and TrendMicro baked into it. As we scanned the base EKS AMI for CIS benchmarks, it got 58%. So we need to go with EKS-AMI hardening, where it fails to launch a worker node.

khetanvallurupalli avatar Apr 11 '19 14:04 khetanvallurupalli

@khetanvallurupalli We have an issue (#99) for CIS benchmarks, would that cover your use case or are there additional changes?

micahhausler avatar Apr 11 '19 16:04 micahhausler

It may not be accurate... but I believe there are sort of 2 levels here: Linux AMI hardening, and then kube hardening, both with separate benchmarks from CIS.

pthrasher avatar Sep 07 '19 16:09 pthrasher

@pthrasher I believe you are correct:

Kubernetes hardening: CIS_Kubernetes_Benchmark_v1.4.1.pdf
AMI hardening: CIS_Amazon_Linux_Benchmark_v2.1.0.pdf

There is no specific and official CIS hardened AMI for EKS that I can find. If anyone else can, please point us to it.

burnertoday avatar Sep 19 '19 15:09 burnertoday

Hi everyone, looking for some direction here. Is this on AWS' roadmap? I'm currently looking at trying to harden the AMI myself (specifically the Linux AMI hardening), but if the work is already being done then that's great. Otherwise, I'm willing to open a PR, but I would like some direction on the preferred approach.

hawkesn avatar Oct 04 '19 17:10 hawkesn

Looking for an AWS hardened image, what are the options available currently?

yatintaluja avatar Oct 10 '19 16:10 yatintaluja

> Looking for an AWS hardened image, what are the options available currently?

Nothing official from AWS that I can find, but there are Python/Ansible scripts that you can search up on GitHub that are unofficial.

hawkesn avatar Oct 11 '19 15:10 hawkesn

Does anyone have an idea what the status of this issue is? Are there plans to provide hardened images for EKS?

KYannick avatar Apr 24 '20 09:04 KYannick

I am surprised this receives so little attention.

peteroruba avatar Oct 01 '20 07:10 peteroruba

Team, is there any update on this? Is AWS planning to provide CIS AL2 hardened EKS AMIs which can be used as part of the cluster node group?

Gangaram-Dewasi avatar Nov 25 '20 13:11 Gangaram-Dewasi

In case it helps, this official repo has Packer scripts to create custom hardened AMIs.

shazinahmed avatar Jan 26 '21 01:01 shazinahmed

@mmerkes @abeer91 @heybronson is there any way to get AWS feedback on this?

pierluigilenoci avatar Jan 26 '21 09:01 pierluigilenoci

@pierluigilenoci I'll discuss this with my team and post an update here soon.

mmerkes avatar Jan 26 '21 17:01 mmerkes

@mmerkes today I read this: https://aws.amazon.com/blogs/containers/introducing-cis-amazon-eks-benchmark/ So is it solved?

FYI @burnertoday

pierluigilenoci avatar Jan 27 '21 16:01 pierluigilenoci

@pierluigilenoci that blog post is about the CIS benchmark for EKS, not about the CIS benchmark for Amazon Linux.

KYannick avatar Jan 28 '21 09:01 KYannick

Amazon, can you please provide an "official" response on support for EKS worker CIS OS Benchmark hardening. This is a pain point for many AWS customers. I find it particularly painful since AWS Inspector fails Amazon Linux II for the CIS OS Benchmark. Every day, organizations are demanding secure by default, and this is not something we should have to jump through hoops to make work. All we want is for EKS to be secure by default, or at least to have an option to turn on a more secure implementation.

mschenk42 avatar Nov 28 '21 23:11 mschenk42

Is there any update on this? Getting a lot of customer requests for CIS Level 1 for EKS, and there seems to be nothing on this.

MattTunny avatar Jan 13 '22 22:01 MattTunny

Any update on this one? I agree with the fact that we're all looking for a "secure by default" solution to this hardening issue.

zachfeld avatar Jul 20 '22 13:07 zachfeld

/push Any news on the issue? At least an official response would be helpful.

blaargh avatar May 12 '23 07:05 blaargh

I tried my luck with Image Builder and the CIS benchmark. It wasn't a successful try!

hoomaan-kh avatar Sep 06 '23 10:09 hoomaan-kh

Please note the Bottlerocket AMI is now CIS hardened out of the box 🎉

Amazon Web Services’s Bottlerocket has been certified by the Center for Internet Security® (CIS®) to ship secure as hardened to CIS Bottlerocket Benchmark v1.0.0. Organizations that leverage Bottlerocket can now be assured that it will successfully run on a CIS hardened environment. https://aws.amazon.com/bottlerocket/

Please note AWS Inspector Center for Internet Security (CIS) Benchmarks reports do not support Bottlerocket yet, as per https://docs.aws.amazon.com/inspector/v1/userguide/inspector_cis.html. So in order to run CIS reports on Bottlerocket you need to follow https://github.com/bottlerocket-os/bottlerocket/blob/develop/sources/api/apiclient/README.md#bottlerocket-cis-benchmark-report

maiconrocha avatar Mar 14 '24 00:03 maiconrocha