awslabs / amazon-eks-ami

Packer configuration for building a custom EKS AMI
https://awslabs.github.io/amazon-eks-ami/
MIT No Attribution

Can we implement EKS-AMI hardening? #245

Open khetanvallurupalli opened 5 years ago

khetanvallurupalli commented 5 years ago

As per our Infosec team, every server should be using a hardened AMI according to their policies. While we do the same for the EKS AMI, worker nodes are terminated before starting. Any suggestions?

rickard-von-essen commented 5 years ago

Did you check why?

khetanvallurupalli commented 5 years ago

As their AMI has passed the CIS benchmark test, with some agents like Splunk and TrendMicro baked into it. As we scanned the base EKS AMI for CIS benchmarks, it got 58%. So we need to go with EKS-AMI hardening, where it fails to launch a worker node.

micahhausler commented 5 years ago

@khetanvallurupalli We have an issue (#99) for CIS benchmarks, would that cover your use case or are there additional changes?

pthrasher commented 5 years ago

It may not be accurate... but I believe there are sort of 2 levels here: Linux AMI hardening, and then kube hardening, both with separate benchmarks from CIS.

burnertoday commented 5 years ago

@pthrasher I believe you are correct:

Kubernetes hardening: CIS_Kubernetes_Benchmark_v1.4.1.pdf
AMI hardening: CIS_Amazon_Linux_Benchmark_v2.1.0.pdf

There is no specific and official CIS hardened AMI for EKS that I can find. If anyone else can, please point us to it.

hawkesn commented 5 years ago

Hi everyone, looking for some direction here. Is this on AWS's roadmap? I'm currently looking at trying to harden the AMI myself (specifically the Linux AMI hardening), but if the work is already being done then that's great. Otherwise, I'm willing to open a PR, but I would like some direction on the preferred approach.

yatintaluja commented 4 years ago

Looking for an AWS hardened image; what are the options available currently?

hawkesn commented 4 years ago

> Looking for an AWS hardened image; what are the options available currently?

Nothing official from AWS that I can find, but there are Python/Ansible scripts that you can search up on GitHub that are unofficial.

KYannick commented 4 years ago

Does anyone have an idea what the status of this issue is? Are there plans to provide hardened images for EKS?

peteroruba commented 4 years ago

I am surprised this receives so little attention.

Gangaram-Dewasi commented 3 years ago

Team, is there any update on this? Is AWS planning to provide CIS AL2 hardened EKS AMIs which can be used as part of the cluster node group?

shazinahmed commented 3 years ago

In case it helps, this official repo has Packer scripts to create custom hardened AMIs.

pierluigilenoci commented 3 years ago

@mmerkes @abeer91 @heybronson is there any way to get AWS feedback on this?

mmerkes commented 3 years ago

@pierluigilenoci I'll discuss this with my team and post an update here soon.

pierluigilenoci commented 3 years ago

@mmerkes today I read this: https://aws.amazon.com/blogs/containers/introducing-cis-amazon-eks-benchmark/ So is it solved?

FYI @burnertoday

KYannick commented 3 years ago

@pierluigilenoci that blog post is about the CIS benchmark for EKS, not about the CIS benchmark for Amazon Linux.

mschenk42 commented 2 years ago

Amazon, can you please provide an "official" response on support for EKS worker CIS OS Benchmark hardening. This is a pain point for many AWS customers. I find it particularly painful since AWS Inspector fails Amazon Linux II for the CIS OS Benchmark. Every day, organizations are demanding secure by default, and not something we should have to jump through hoops to make work. All we want is for EKS to be secure by default, or at least to have an option to turn on a more secure implementation.

MattTunny commented 2 years ago

Is there any update on this? Getting a lot of customer requests for CIS Level 1 for EKS; there seems to be nothing on this.

zachfeld commented 2 years ago

Any update on this one? I agree with the fact that we're all looking for a "secure by default" solution to this hardening issue.

blaargh commented 1 year ago

/push Any news on the issue? At least an official response would be helpful.

hans-zand commented 1 year ago

I tried my luck with Image Builder and the CIS benchmark. It wasn't a successful try!

maiconrocha commented 6 months ago

Please note the Bottlerocket AMI is now CIS hardened out of the box 🎉

Amazon Web Services’s Bottlerocket has been certified by the Center for Internet Security® (CIS®) to ship secure as hardened to CIS Bottlerocket Benchmark v1.0.0. Organizations that leverage Bottlerocket can now be assured that it will successfully run on a CIS hardened environment. https://aws.amazon.com/bottlerocket/

Please note AWS Inspector Center for Internet Security (CIS) Benchmarks reports do not support Bottlerocket yet, as per https://docs.aws.amazon.com/inspector/v1/userguide/inspector_cis.html. So, in order to run CIS reports on Bottlerocket, you need to follow https://github.com/bottlerocket-os/bottlerocket/blob/develop/sources/api/apiclient/README.md#bottlerocket-cis-benchmark-report

maiconrocha commented 2 months ago

Steps for building Amazon Linux 2 CIS Benchmark AMIs for Amazon EKS (Level 1 and 2) are available here: https://catalog.workshops.aws/eks-security-immersionday/en-US/10-regulatory-compliance/cis-al2-eks

Specifically, the FAILED/SKIPPED checks have been addressed here: https://catalog.workshops.aws/eks-security-immersionday/en-US/10-regulatory-compliance/cis-al2-eks/validate-al2-cis-ami

There is a section at the bottom, "#cis-scan-results-and-exceptions-for-failed-controls", with an explanation for checks that, if addressed, could have a Potential Operational Impact (i.e. the recommendation wasn't applied because it would have a negative effect on the service).