Analyze vulnerabilities in Amazon EKS
Security is a critical consideration for configuring and maintaining Kubernetes clusters and applications. The following lists resources for you to analyze the security configuration of your EKS clusters, resources for you to check for vulnerabilities, and integrations with AWS services that can do that analysis for you.
The Center for Internet Security (CIS) benchmark for Amazon EKS
The Center for Internet Security (CIS) Kubernetes Benchmark
-
Is applicable to Amazon EC2 nodes (both managed and self-managed) where you are responsible for security configurations of Kubernetes components.
-
Provides a standard, community-approved way to ensure that you have configured your Kubernetes cluster and nodes securely when using Amazon EKS.
-
Consists of four sections; control plane logging configuration, node security configurations, policies, and managed services.
-
Supports all of the Kubernetes versions currently available in Amazon EKS and can be run using kube-bench
, a standard open source tool for checking configuration using the CIS benchmark on Kubernetes clusters.
To learn more, see Introducing The CIS Amazon EKS Benchmark
Amazon EKS platform versions
Amazon EKS platform versions represent the capabilities of the cluster control plane, including which Kubernetes API server flags are enabled and the current Kubernetes patch version. New clusters are deployed with the latest platform version. For details, see View Amazon EKS platform versions for each Kubernetes version.
You can update an Amazon EKS cluster to newer Kubernetes versions. As new Kubernetes versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. For more information about Kubernetes versions in EKS, see Understand the Kubernetes version lifecycle on EKS.
Operating system vulnerability list
AL2023 vulnerability list
Track security or privacy events for Amazon Linux 2023 at the Amazon Linux Security Center
Amazon Linux 2 vulnerability list
Track security or privacy events for Amazon Linux 2 at the Amazon Linux Security Center
Node detection with Amazon Inspector
You can use Amazon Inspector to check for unintended network accessibility of your nodes and for vulnerabilities on those Amazon EC2 instances.
Cluster and node detection with Amazon GuardDuty
Amazon GuardDuty threat detection service that helps protect your accounts, containers, workloads, and the data within your AWS environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: EKS Protection and Runtime Monitoring.
For more information, see Detect threats with Amazon GuardDuty.