EKS Clusters Should Have High Availability
More Info:
EKS clusters should have a minimum of 3 nodes spread across 3 Availability Zones. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.
Risk Level
Low
Address
Reliability, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of EKS Clusters not having high availability in AWS, you can follow the below steps using the AWS console:
- Go to the Amazon EKS console.
- Select the EKS cluster that you want to remediate.
- Click on the “Configuration” tab.
- Under the “Networking” section, click on “Edit”.
- Ensure that the “Private networking only” option is unchecked.
- Under the “High availability” section, click on “Edit”.
- Select the “Multiple Availability Zones” option.
- Choose the number of availability zones you want to use.
- Click on “Save”.
- Wait for the changes to propagate.
By following these steps, you can remediate the misconfiguration of EKS Clusters not having high availability in AWS.
To remediate the misconfiguration of EKS clusters not having high availability in AWS using AWS CLI, follow these steps:
- Open the AWS CLI and ensure that you have the necessary permissions to make changes to the EKS cluster.
- Check if the EKS cluster is currently configured for high availability by running the following command:
```bash
aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPublicAccess"
```
This command will return a boolean value, where `true` indicates that the EKS cluster is configured for high availability, and `false` indicates that it is not.
- If the EKS cluster is not configured for high availability, you can enable it by modifying the cluster’s endpoint access configuration using the following command:
```bash
aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=true
```
This command will modify the EKS cluster’s endpoint access configuration to enable high availability.
- Verify that the EKS cluster is now configured for high availability by running the `describe-cluster` command again and checking the `endpointPublicAccess` value.
```bash
aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.endpointPublicAccess"
```
This command should now return `true`, indicating that the EKS cluster is configured for high availability.
- Repeat these steps for any other EKS clusters that are not configured for high availability.
By following these steps, you can remediate the misconfiguration of EKS clusters not having high availability in AWS using AWS CLI.
To remediate the misconfiguration of EKS Clusters not having high availability in AWS using Python, follow the steps below:
- Import the necessary AWS SDK modules in Python:
```python
import boto3
from botocore.exceptions import ClientError
```
- Create a boto3 EKS client object, plus an EC2 client for looking up subnet Availability Zones:
```python
eks_client = boto3.client('eks')
ec2_client = boto3.client('ec2')  # resolves each cluster subnet to its Availability Zone
```
- Get the EKS cluster name for which you want to enable high availability:
```python
cluster_name = 'your-cluster-name'
```
- Check if the EKS cluster is already highly available:
```python
try:
    response = eks_client.describe_cluster(name=cluster_name)
    subnet_ids = response['cluster']['resourcesVpcConfig']['subnetIds']
    # The subnet list is never empty, so compare the Availability Zones it covers
    subnets = ec2_client.describe_subnets(SubnetIds=subnet_ids)['Subnets']
    zones = {subnet['AvailabilityZone'] for subnet in subnets}
    if len(zones) >= 3:
        print('EKS cluster is already highly available.')
    else:
        print('EKS cluster is not highly available.')
except ClientError as e:
    print('Error:', e)
```
- If the EKS cluster is not highly available, update the cluster configuration to enable high availability:
```python
try:
    # Placeholder IDs: use subnets that sit in three different Availability Zones
    eks_client.update_cluster_config(
        name=cluster_name,
        resourcesVpcConfig={
            'subnetIds': ['subnet-xxxxxxxx', 'subnet-yyyyyyyy', 'subnet-zzzzzzzz']
        }
    )
    print('EKS cluster configuration updated to enable high availability.')
except ClientError as e:
    print('Error:', e)
```
Note: Replace `subnet-xxxxxxxx`, `subnet-yyyyyyyy`, `subnet-zzzzzzzz` with the IDs of the subnets in which you want to launch your EKS worker nodes. These subnets should be in different availability zones to enable high availability.
- Verify that the EKS cluster is now highly available:
```python
try:
    # update_cluster_config is asynchronous; run this check after the update has completed
    response = eks_client.describe_cluster(name=cluster_name)
    subnet_ids = response['cluster']['resourcesVpcConfig']['subnetIds']
    subnets = ec2_client.describe_subnets(SubnetIds=subnet_ids)['Subnets']
    zones = {subnet['AvailabilityZone'] for subnet in subnets}
    if len(zones) >= 3:
        print('EKS cluster is now highly available.')
    else:
        print('EKS cluster is still not highly available.')
except ClientError as e:
    print('Error:', e)
```
With these steps, you can remediate the misconfiguration of EKS clusters not having high availability in AWS using Python.
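The rule at the top of this page is about worker nodes (at least 3, spread across 3 Availability Zones), which neither `endpointPublicAccess` (whether the API server endpoint is public) nor the cluster's `subnetIds` reports directly. The following added example, not part of the original page, counts schedulable nodes per zone from `kubectl get nodes -o json` output; the function names and the sample node list are constructed for illustration, and the zone labels are the standard Kubernetes topology labels.

```python
from collections import Counter

# Well-known zone label, then the deprecated one still present on older nodes.
ZONE_LABELS = ("topology.kubernetes.io/zone", "failure-domain.beta.kubernetes.io/zone")

def is_schedulable(node):
    """True when the node reports Ready=True and is not cordoned."""
    conditions = node.get("status", {}).get("conditions", [])
    ready = any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions)
    return ready and not node.get("spec", {}).get("unschedulable", False)

def assess_high_availability(node_list, min_nodes=3, min_zones=3):
    """Check a NodeList (kubectl get nodes -o json) against the 3-node / 3-AZ rule."""
    per_zone, findings = Counter(), []
    for node in node_list.get("items", []):
        if not is_schedulable(node):
            continue  # NotReady or cordoned nodes add no usable capacity
        labels = node.get("metadata", {}).get("labels", {})
        zone = next((labels[key] for key in ZONE_LABELS if key in labels), None)
        if zone is None:
            findings.append(f"{node['metadata']['name']}: no zone label, not counted")
        else:
            per_zone[zone] += 1
    total = sum(per_zone.values())
    if total < min_nodes:
        findings.append(f"{total} schedulable node(s), need {min_nodes}")
    if len(per_zone) < min_zones:
        findings.append(f"nodes span {len(per_zone)} zone(s), need {min_zones}")
    compliant = total >= min_nodes and len(per_zone) >= min_zones
    return {"compliant": compliant, "nodes_per_zone": dict(per_zone), "findings": findings}

def make_node(name, zone, ready=True, cordoned=False):
    """Build a constructed NodeList item holding only the fields read above."""
    return {
        "metadata": {"name": name, "labels": {ZONE_LABELS[0]: zone}},
        "spec": {"unschedulable": cordoned},
        "status": {"conditions": [{"type": "Ready", "status": "True" if ready else "False"}]},
    }

# Constructed sample: four nodes, but the only node in us-east-1c is NotReady.
SAMPLE_NODE_LIST = {"items": [
    make_node("node-a", "us-east-1a"), make_node("node-b", "us-east-1a"),
    make_node("node-c", "us-east-1b"), make_node("node-d", "us-east-1c", ready=False),
]}

if __name__ == "__main__":
    print(assess_high_availability(SAMPLE_NODE_LIST))
```

For a live cluster, load the JSON produced by `kubectl get nodes -o json` and pass the parsed object to `assess_high_availability`.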