How to Disable Public Access on Your AWS EKS Cluster

Learn how to secure your AWS EKS cluster by disabling public access to the Kubernetes API server endpoint using AWS Console or CLI.

Patrick Londa

Author

Jan 28, 2023

•

min read

Share this post

By default, when you create a new AWS EKS cluster, Amazon EKS creates an endpoint for your cluster’s Kubernetes API server that is publicly-accessible.

While you can secure your API server access with AWS IAM and Kubernetes RBAC permissions, you still might not want to have the endpoint public to the internet.

If you disable public access, you will keep the communication between nodes and the API server within your virtual private network.

In this guide, we’ll show how to check if an EKS cluster is publicly-accessible and then the steps you can take to make the API server endpoint private.

Blink Automation: Ensure EKS Cluster Endpoints Prohibit Public Access

Blink + AWS

Try This Automation

Checking if Public Access is Enabled for an AWS EKS Cluster

Before making updates, you can use the AWS console or AWS CLI to review your clusters to see if their endpoint has public access enabled.

Using the AWS Console:

Here is how to see if your EKS cluster has public access using AWS Console:

1. Open the AWS Management Console and navigate to the EKS Dashboard.

2. From the left panel, choose Clusters under the Amazon EKS.

3. Choose the name of the EKS cluster, the details of which you want to see and use to access the resource configuration settings.

4. Select the Networking tab on your chosen cluster settings page.

5. If the endpoint public access configuration shows a true value and the public access source allowlist value displays "0.0.0.0/0," then your Amazon EKS cluster endpoint is publicly-accessible.

Using the AWS CLI:

Here is how to see if your EKS cluster has public access using AWS CLI:

1. Run the CLI command list-clusters using query filters to show all clusters listed in your region.

aws eks list-clusters
    --region us-east-2
    --output table
    --query 'my-clusters'

The output will show a table of cluster identifiers like this:

-------------------------
|     ListClusters      |
+-----------------------+
|  cc-eks-app-mobile    |
|  cc-eks-stack-kube    |
+-----------------------+

2. Next, you can run the describe-cluster command using these EKS cluster names. You can also use custom query filters describing Kubernetes server endpoint access configuration and allowlist values for public access.

aws eks describe-cluster
    --region us-east-2
    --name cc-eks-app-mobile
    --query 'mycluster.resourcesVpcConfig.{endpointPrivateAccess: endpointPrivateAccess, endpointPublicAccess: endpointPublicAccess, publicAccessCidrs: publicAccessCidrs}'

Your CLI command should return the following result:

{ "endpointPrivateAccess": false,
"endpointPublicAccess": true,
"publicAccessCidrs": [
    "0.0.0.0/0"]}

Since the output string endpointPublicAccess shows a true value, it indicates that the endpoint public access is enabled.

How to Disable Public Access to an AWS EKS Cluster

You can disable public access to your cluster API server endpoint and enable private access using the console or command line interface.

When you do this, AWS EKS will create a Route 53 private hosted zone behind the scenes and associate it with your cluster’s VPC. This will only work if your VPC has the following settings:

enableDnsHostnames set to true
enabledDnsSupport set to true
DHCP options with AmazonProvidedDNS in its domain name servers list

Using the AWS Console:

Here are the steps to enable private access on an EKS cluster using the AWS Console:

1. Open the AWS Management Console and navigate to the EKS Dashboard.

2. Select the name of the cluster the information of which you want to view.

3. Select the Networking tab and press Update.

4. Disable public access to your API server endpoint. If you disable public access to your API server endpoint, your cluster’s API server will only be able to receive requests originating within the VPC.

Using the AWS CLI:

Here are the steps to enable private access on an EKS cluster using the AWS CLI:

1. Use the update-cluster-config command to enable private access to your cluster API server endpoint from a single IP address for the server.

aws eks update-cluster-config
    --region us-east-2
    --name my-clusters
    --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

You’ll see an output like this:

{
    "update": {
        "id": "ec613c93-2e7e-507c-d243f-1h6fa6e67d4f",
        "status": "InProgress",
        "type": "EndpointAccessUpdate",
        "params": [
            {
                "type": "EndpointPublicAccess",
                "value": "false"
            },
            {
                "type": "EndpointPrivateAccess",
                "value": "true"
            }
        ],
        "createdAt": 1565806986.506,
        "errors": []
    }
}

2. To confirm that your change is in action, you can use the describe-update command. Enter the cluster name and update ID returned by the previous command to check whether the endpoint access update has been successful or not:

aws eks describe-update \
    --region us-east-2\
    --name my-clusters \
    --update-id ec613c93-2e7e-507c-d243f-1h6fa6e67d4f

The output will show the status as Successful if private access is enabled.

Checking for Publicly Accessible EKS Clusters with Blink

If you want to see which of your AWS EKS clusters are publicly accessible, you can follow these manual steps and make updates one-by-one, but it’s time-intensive. You’ll also need to do this check regularly if you want to ensure continued compliance.

With Blink, you can run this automation to regularly check your EKS clusters and send a report via email if any clusters are publicly accessible.

Blink Automation: Ensure EKS Cluster Endpoints Prohibit Public Access in AWS — *Blink Automation:* *Ensure EKS Cluster Endpoints Prohibit Public Access in AWS*

When this automation runs, it executes the following actions:

Checks whether any EKS clusters are publicly accessible.
Sends a report with the results via email.

You can import this automation from the Blink library and customize it however you like. For example, you could add an action step to disable public access upon your approval.

In Blink, you can also create automations from scratch to meet your team’s unique needs using the hundreds of drag-and-drop actions available from a wide range of tools.

Get started with Blink today to see how easy automation can be.

Expert Tip

How-To Guides

Kubernetes Pod Security Best Practices

Ensure your Kubernetes clusters are secure. This post outlines best security practices your organization should follow to keep them safe.

How-To Guides

How to Find and Delete Old EBS Snapshots

Reduce AWS storage costs by cleaning up old EBS snapshots. Learn how to find and delete outdated EBS snapshots to optimize your cloud resources.

How-To Guides

Align Your AWS Account with FFIEC Cybersecurity Standards

Ensure your AWS environment complies with FFIEC cybersecurity standards. This guide shows you how to check and enable required controls.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native.  Get modern cloud and security operations today.

Get a Demo