added eks-1.0 cfg and modified job-eks.yaml for node checks (#639)

* added eks-1.0 cfg and modified job-eks.yaml for node checks * fixed yamllint errors and README updates
aquasecurity · Jul 10, 2020 · 20ec5d1 · 20ec5d1
1 parent 3e6a41a
commit 20ec5d1
Show file tree

Hide file tree

Showing 8 changed files with 754 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ kube-bench supports the tests for Kubernetes as defined in the [CIS Kubernetes B
 | [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 |
 | [1.5.0](https://workbench.cisecurity.org/benchmarks/1370) | cis-1.5 | 1.15- |
 | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
+| [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
 | Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | 
 
 By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine, but please note that kube-bench does not automatically detect OpenShift and GKE - see the section below on [Running kube-bench](https://github.com/aquasecurity/kube-bench#running-kube-bench). 
@@ -120,6 +121,7 @@ The following table shows the valid targets based on the CIS Benchmark version.
 | cis-1.4| master, node |
 | cis-1.5| master, controlplane, node, etcd, policies |
 | gke-1.0| master, controlplane, node, etcd, policies, managedservices |
+| eks-1.0| node, policies, managedservices |
 
 If no targets are specified, `kube-bench` will determine the appropriate targets based on the CIS Benchmark version.
 

diff --git a/cfg/eks-1.0/config.yaml b/cfg/eks-1.0/config.yaml
@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
diff --git a/cfg/eks-1.0/controlplane.yaml b/cfg/eks-1.0/controlplane.yaml
@@ -0,0 +1,14 @@
+---
+controls:
+version: "eks-1.0"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+  - id: 2.1
+    text: "Logging"
+    checks:
+      - id: 2.1.1
+        text: "Enable audit logs"
+        remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
+        scored: false
diff --git a/cfg/eks-1.0/managedservices.yaml b/cfg/eks-1.0/managedservices.yaml
@@ -0,0 +1,104 @@
+---
+controls:
+version: "eks-1.0"
+id: 5
+text: "Managed Services"
+type: "managedservices"
+groups:
+  - id: 5.1
+    text: "Image Registry and Image Scanning"
+    checks:
+      - id: 5.1.1
+        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.1.2
+        text: "Minimize user access to Amazon ECR (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.1.3
+        text: "Minimize cluster access to read-only for Amazon ECR (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.1.4
+        text: "Minimize Container Registries to only those approved (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+  - id: 5.2
+    text: "Identity and Access Management (IAM)"
+    checks:
+      - id: 5.2.1
+        text: "Prefer using dedicated Amazon EKS Service Accounts (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+  - id: 5.3
+    text: "AWS Key Management Service (AWS KMS)"
+    checks:
+      - id: 5.3.1
+        text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+  - id: 5.4
+    text: "Cluster Networking"
+    checks:
+      - id: 5.4.1
+        text: "Restrict Access to the Control Plane Endpoint (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.2
+        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.3
+        text: "Ensure clusters are created with Private Nodes (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.4
+        text: "Ensure Network Policy is Enabled and set as appropriate (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.5
+        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+
+  - id: 5.5
+    text: "Authentication and Authorization"
+    checks:
+      - id: 5.5.1
+        text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+
+  - id: 5.6
+    text: "Other Cluster Configurations"
+    checks:
+      - id: 5.6.1
+        text: "Consider Fargate for running untrusted workloads (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
diff --git a/cfg/eks-1.0/master.yaml b/cfg/eks-1.0/master.yaml
@@ -0,0 +1,6 @@
+---
+controls:
+version: "eks-1.0"
+id: 1
+text: "Control Plane Components"
+type: "master"