Cyscale
Back to controls

Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

Disable access to the Kubernetes API from outside the node network if it is not required.

Category

Controls

High

Applies to

AWS

Coverage

1 queries

Asset types

1 covered

Overview

Disable access to the Kubernetes API from outside the node network if it is not required.

Rationale

In a private cluster, the master node has two endpoints, a private and public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network.

Although Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes publically with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling public endpoint will help prevent such threats, and require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API.

Impact

Configure the EKS cluster endpoint to be private.

  1. Leave the cluster endpoint public and specify which CIDR blocks can communicate with the cluster endpoint. The blocks are effectively a whitelisted set of public IP addresses that are allowed to access the cluster endpoint.
  2. Configure public access with a set of whitelisted CIDR blocks and set private endpoint access to enabled. This will allow public access from a specific range of public IPs while forcing all network traffic between the kubelets (workers) and the Kubernetes API through the cross-account ENIs that get provisioned into the cluster VPC when the control plane is provisioned.

Audit

Check for private endpoint access to the Kubernetes API server Check for the following to be 'enabled: false'

export CLUSTER_NAME=<your cluster name>
aws eks describe-cluster --name ${CLUSTER_NAME} --query 
"cluster.resourcesVpcConfig.endpointPublicAccess"

Check for the following to be 'enabled: true'

export CLUSTER_NAME=<your cluster name>
aws eks describe-cluster --name ${CLUSTER_NAME} --query 
"cluster.resourcesVpcConfig.endpointPrivateAccess"

Default value

By default, the Public Endpoint is disabled

Remediation guidance

By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC. With this in mind, you can update your cluster accordingly using the AWS CLI to ensure that private endpoint access is enabled and public endpoint access is disabled.

AWS CLI

aws eks update-cluster-config \
  --region {{asset.region}} \
  --name {{asset.name}} \
  --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false

Validation

After the update completes, verify the cluster is configured correctly:

aws eks describe-cluster \
  --region {{asset.region}} \
  --name {{asset.name}} \
  --query 'cluster.resourcesVpcConfig.{Private:endpointPrivateAccess,Public:endpointPublicAccess}'

Note: For more detailed information, see the EKS Cluster Endpoint documentation link in the references section.

References

  1. https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
  2. https://docs.aws.amazon.com/cli/latest/reference/eks/update-cluster-config.html

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

EKS Clusters with private endpoints enabled and public endpoints disabled

Connectors

AWS

Covered asset types

EKSCluster

Expected check: eq []

{
  eksClusters(where:{
    OR:[{vpcConfigEndpointPublicAccess: true}, {vpcConfigEndpointPrivateAccess: false}]
  }) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon