Overview
Statement
All CIS Benchmarks focus on technical configuration settings used to maintain and/or increase the security of the addressed technology, and they should be used in conjunction with other essential cyber hygiene tasks like:
• Monitoring the base operating system for vulnerabilities and quickly updating with the latest security patches
• Monitoring applications and libraries for vulnerabilities and quickly updating with the latest security patches
In the end, the CIS Benchmarks are designed as a key component of a comprehensive cybersecurity program.
This document provides prescriptive guidance for running Amazon Elastic Kubernetes Service (EKS) following recommended security controls. This benchmark only includes controls which can be modified by an end user of Amazon EKS.
Recommendations
1 Control Plane Components
Security is a shared responsibility between AWS and the Amazon EKS customer. Security of the cloud: AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. For Amazon EKS, AWS is responsible for the Kubernetes control plane, which includes the control plane nodes and the etcd database.
3 Worker Nodes
4 Policies
5 Managed Services
Procedures and mapped controls
3.3 Container Optimized OS
4.1 RBAC and Service Accounts
Mapped controls
Ensure that the cluster-admin role is only used where required
Minimize access to secrets
Minimize wildcard use in Roles and ClusterRoles
Minimize access to create pods
Ensure that default service accounts are not actively used
Ensure that Service Account Tokens are only mounted where necessary
4.2 Pod Security Standards
Mapped controls
Minimize the admission of privileged containers
Minimize the admission of containers wishing to share the host process ID namespace
Minimize the admission of containers wishing to share the host network namespace
Minimize the admission of containers with allowPrivilegeEscalation
4.3 CNI Plugin
4.4 Secrets Management
4.5 General Policies
5.1 Image Registry and Image Scanning
5.3 AWS EKS Key Management Service
Query logic
These are the stored checks tied to this framework.
Kubernetes nodes without container-optimized OS
Expected check: eq []
{
kubernetesNodes(where: { osImage_NOT_STARTS_WITH: "Bottlerocket" }) {
...AssetFragment
}
}
Kubernetes RoleBindings that use cluster-admin role
Expected check: eq []
{
clusterRoles(where: {internalName: "cluster-admin"}) {
roleBindings(where: {subjects_SOME: {name_NOT: ""}}) {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings that use cluster-admin role
Expected check: eq []
{
clusterRoles(where: {internalName: "cluster-admin"}) {
clusterRoleBindings(where: {subjects_SOME: {name_NOT: "system:masters"}}) {
...AssetFragment
}
}
}
Kubernetes RoleBindings to Roles that have access to secrets
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles that have access to secrets
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles that have access to secrets
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
Kubernetes Roles with wildcard rules
Expected check: eq []
{
roles (where: {rules_SOME: {AND: [{verbs_INCLUDES: "*"}, {resources_INCLUDES: "*"}, {OR: [{apiGroup_INCLUDES: ""}, {apiGroup_INCLUDES: "*"}]}]}}){
...AssetFragment
}
}
Kubernetes ClusterRoles with wildcard rules
Expected check: eq []
{
clusterRoles (where: {rules_SOME: {AND: [{verbs_INCLUDES: "*"}, {resources_INCLUDES: "*"}, {OR: [{apiGroup_INCLUDES: ""}, {apiGroup_INCLUDES: "*"}]}]}}){
...AssetFragment
}
}
Kubernetes RoleBindings to Roles that can create pods
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "create" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "pods" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles that can create pods
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "create" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "pods" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles that can create pods
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "create" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "pods" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
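The secrets, wildcard and create-pods checks above all reduce to one predicate over RBAC PolicyRules: does some rule grant a matching verb on a matching resource in the core API group (apiGroups "" or "*"), and is the role actually bound. The Python below is an added example, not the product's stored check logic; it applies that predicate the way the API server's RBAC authorizer matches rules, and SAMPLE_ROLES and SAMPLE_BINDINGS are constructed manifests rather than objects from a real cluster.

```python
"""Evaluate Kubernetes RBAC PolicyRules for the conditions the 'access to
secrets', 'wildcard rules' and 'can create pods' checks look for, and report
only roles that are actually bound.

Added example (not the product's stored check logic). SAMPLE_ROLES and
SAMPLE_BINDINGS are constructed manifests, not taken from a cluster."""

from typing import Iterable


def _matches(values: Iterable[str], wanted: str) -> bool:
    # A '*' entry in a PolicyRule list matches anything, as the RBAC authorizer treats it.
    return any(v in ("*", wanted) for v in values)


def rule_grants(rule: dict, verb: str, resource: str, api_group: str = "") -> bool:
    """True when one PolicyRule grants `verb` on `resource` in `api_group`.
    The empty string is the core group, where secrets and pods live."""
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("apiGroups", []), api_group))


def findings_for_role(role: dict) -> set:
    """Names of the checks a Role or ClusterRole trips."""
    rules = role.get("rules", [])
    found = set()
    if any(rule_grants(r, v, "secrets") for r in rules for v in ("get", "list", "watch")):
        found.add("secrets-read")
    if any(rule_grants(r, "create", "pods") for r in rules):
        found.add("pods-create")
    if any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
           and any(g in ("", "*") for g in r.get("apiGroups", []))
           for r in rules):
        found.add("wildcard")
    return found


def bound_findings(roles: list, bindings: list) -> list:
    """(binding, role, check) for each binding whose roleRef points at a role
    that trips a check. Unbound roles are skipped, as in the queries above,
    and so are bindings without subjects, which grant nothing to anyone."""
    by_ref = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    out = []
    for b in bindings:
        ref = b["roleRef"]
        role = by_ref.get((ref["kind"], ref["name"]))
        if role is None or not b.get("subjects"):
            continue
        for check in sorted(findings_for_role(role)):
            out.append((b["metadata"]["name"], ref["name"], check))
    return out


# Constructed sample objects: a namespaced secrets reader, a harmless deployer,
# an all-wildcard ClusterRole and a pod-creating Role nobody is bound to.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]},
               {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "unbound-pod-creator", "namespace": "ci"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "app-reader-binding", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "app-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "payments"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "deployer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"},
     "subjects": [{"kind": "Group", "name": "ci-runners"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everything-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "everything"},
     "subjects": [{"kind": "User", "name": "ops-admin"}]},
]

if __name__ == "__main__":
    for binding, role, check in bound_findings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{binding}: role {role} fails {check}")
```

Two things the stored checks do not cover and a review should: subresources such as `pods/exec` and `pods/attach` are distinct resource strings, so a rule granting `create` on them is not caught by the create-pods predicate, and the `escalate`, `bind` and `impersonate` verbs let a subject reach cluster-admin without ever being bound to it.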
Kubernetes default Service Accounts that automatically mount
Expected check: eq []
{
serviceAccounts(
where: { internalName: "default", automountServiceAccountToken: true }
) {
...AssetFragment
}
}
Kubernetes RoleBindings bound to default Service Accounts
Expected check: eq []
{
serviceAccounts(
where: {
internalName: "default"
roleBindingSubjects_SOME: { roleBinding: { idFromProvider_NOT: "" } }
}
) {
roleBindingSubjects {
roleBinding {
...AssetFragment
}
}
}
}
Kubernetes ClusterRoleBindings bound to default Service Accounts
Expected check: eq []
{
serviceAccounts(
where: {
internalName: "default"
clusterRoleBindingSubjects_SOME: {
clusterRoleBindings: { idFromProvider_NOT: "" }
}
}
) {
clusterRoleBindingSubjects {
clusterRoleBindings {
...AssetFragment
}
}
}
}
Kubernetes CronJobs whose pod template automounts the service account token
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs whose pod template automounts the service account token
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets whose pod template automounts the service account token
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes Deployments whose pod template automounts the service account token
Expected check: eq []
{
deployments(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets whose pod template automounts the service account token
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets whose pod template automounts the service account token
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Minimize the admission of privileged containers (Pod)
Expected check: eq []
{
pods(where: { containers_SOME: { securityContext: { privileged: true } } NOT: { namespace: "kube-system" } }) {
...AssetFragment
}
}
Check there are restrictions on the creation of hostPID pods
Expected check: eq []
{
pods(where: { hostPID: true NOT: { namespace: "kube-system" } }) {
...AssetFragment
}
}
Check there are restrictions on the creation of hostNetwork pods
Expected check: eq []
{
pods(where: { hostNetwork: true NOT: { namespace: "kube-system" } }) {
...AssetFragment
}
}
Minimize the admission of containers with allowPrivilegeEscalation (Pod)
Expected check: eq []
{
pods(where:{containers_SOME:{securityContext:{allowPrivilegeEscalation: true }}}){
...AssetFragment
}
}
Kubernetes namespaces without network policies
Expected check: eq []
{
namespaces(where: {networkPolicies: null}) {
...AssetFragment
}
}
Check if CronJobs templates have secrets in environment variables
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Jobs templates have secrets in environment variables
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if DaemonSets templates have secrets in environment variables
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Deployments templates have secrets in environment variables
Expected check: eq []
{
deployments(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if ReplicaSets templates have secrets in environment variables
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if StatefulSets templates have secrets in environment variables
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Kubernetes Deployments with templates that use Kubernetes Secrets
Expected check: eq []
{
deployments(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs with templates that use Kubernetes Secrets
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes CronJobs with templates that use Kubernetes Secrets
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets with templates that use Kubernetes Secrets
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets with templates that use Kubernetes Secrets
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets with templates that use Kubernetes Secrets
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
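The service-account automount checks, the four Pod Security Standards checks and the secrets-exposure checks above all read the same part of a workload: its pod template. The Python below is an added example, not the product's implementation, that audits one pod template for all of them at once. It goes slightly beyond the stored queries on purpose: it resolves the effective automount value (the pod-level field overrides the ServiceAccount, and the API default is true), inspects initContainers as well as containers, and flags allowPrivilegeEscalation when it is unset, because the runtime default is true and it is forced true for privileged containers. SAMPLE_SERVICE_ACCOUNTS and SAMPLE_WORKLOADS are constructed manifests.

```python
"""Audit a workload's pod template for what the service-account automount,
Pod Security Standards and secrets-exposure checks look for.

Added example, not the product's implementation. The ServiceAccounts and
workloads below are constructed manifests, not objects from a real cluster."""


def effective_automount(namespace: str, pod_spec: dict, service_accounts: dict) -> bool:
    """The pod's own automountServiceAccountToken wins when set; otherwise the
    ServiceAccount's flag applies; with neither set the API default is true."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    sa_name = pod_spec.get("serviceAccountName", "default")
    sa = service_accounts.get((namespace, sa_name), {})
    return bool(sa.get("automountServiceAccountToken", True))


def audit_workload(workload: dict, service_accounts: dict) -> list:
    """Finding strings for a Deployment/DaemonSet/StatefulSet/Job-style object
    (spec.template.spec); for a CronJob pass spec.jobTemplate instead."""
    ns = workload["metadata"]["namespace"]
    spec = workload["spec"]["template"]["spec"]
    findings = []
    if effective_automount(ns, spec, service_accounts):
        findings.append("sa-token-automounted")
    if spec.get("hostPID"):
        findings.append("hostPID")
    if spec.get("hostNetwork"):
        findings.append("hostNetwork")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"privileged:{c['name']}")
        # Unset means true at runtime, and it is always true for privileged containers.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"allowPrivilegeEscalation:{c['name']}")
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(f"secret-in-env:{c['name']}/{env['name']}")
    for v in spec.get("volumes", []):
        if "secret" in v:
            findings.append(f"secret-volume:{v['name']}")
    return findings


def audit_all(workloads: list, service_accounts: dict) -> dict:
    """Map 'namespace/name' to its findings; an empty list means the template passes."""
    return {f"{w['metadata']['namespace']}/{w['metadata']['name']}": audit_workload(w, service_accounts)
            for w in workloads}


# Constructed samples, keyed by (namespace, name): an opted-out default SA and
# a monitoring SA that leaves automount at the API default.
SAMPLE_SERVICE_ACCOUNTS = {
    ("payments", "default"): {"automountServiceAccountToken": False},
    ("monitoring", "node-exporter"): {},
}

SAMPLE_WORKLOADS = [
    {"kind": "Deployment", "metadata": {"name": "checkout", "namespace": "payments"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "api", "image": "registry.example/checkout:1.4",
                         "securityContext": {"allowPrivilegeEscalation": False},
                         "env": [{"name": "DB_PASSWORD",
                                  "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}],
         "volumes": [{"name": "tls", "secret": {"secretName": "checkout-tls"}}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "node-exporter", "hostPID": True, "hostNetwork": True,
         "containers": [{"name": "exporter", "image": "registry.example/node-exporter:1.8",
                         "securityContext": {"privileged": True}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "frontend", "namespace": "web"},
     "spec": {"template": {"spec": {
         "automountServiceAccountToken": False,
         "containers": [{"name": "nginx", "image": "registry.example/frontend:2.0",
                         "securityContext": {"allowPrivilegeEscalation": False}}]}}}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_WORKLOADS, SAMPLE_SERVICE_ACCOUNTS).items():
        print(name, findings or "ok")
```

Note the difference between the two "secrets" findings: a `secretKeyRef` environment variable is visible to anything that can read the process environment (`/proc/<pid>/environ`, crash dumps, verbose logging), while a secret volume is a tmpfs mount the application reads on demand, which is why the stored checks report the environment-variable case on its own as well as together with volumes.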
Kubernetes Deployments with ContainersTemplates that have permissive security context
Expected check: eq []
{
deployments(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
# a UID or GID below 1000 (root included) is the permissive case
{ runAsUser_LT: 1000 }
{ runAsGroup_LT: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets with ContainersTemplates that have permissive security context
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_LT: 1000 }
{ runAsGroup_LT: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets with ContainersTemplates that have permissive security context
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_LT: 1000 }
{ runAsGroup_LT: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets with ContainersTemplates that have permissive security context
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_LT: 1000 }
{ runAsGroup_LT: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs with ContainersTemplates that have permissive security context
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_LT: 1000 }
{ runAsGroup_LT: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes CronJobs with ContainersTemplates that have permissive security context
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_LT: 1000 }
{ runAsGroup_LT: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets PodTemplates with permissive security context
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets PodTemplates with permissive security context
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes Deployments PodTemplates with permissive security context
Expected check: eq []
{
deployments(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets PodTemplates with permissive security context
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs PodTemplates with permissive security context
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes CronJobs PodTemplates with permissive security context
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
ECR Repositories without scan on push enabled
Expected check: eq []
{
ECRRepositoriesWithoutAutomaticScanning {
...AssetFragment
}
}
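The container-level and pod-level "permissive security context" checks above list the fields a hardened workload has to set. The Python below is an added example, not the product's stored query, that evaluates those fields over a pod template and shows a weak container beside a hardened one that produces no findings. It departs from the queries in three deliberate places: a UID or GID below 1000 (root included) is the permissive case; an unset value is treated as permissive, because the image's USER and the runtime defaults then decide; and the pod-level sysctls condition is left out, since a pod with no sysctls is not less safe. WEAK_POD and HARDENED_POD are constructed pod templates.

```python
"""Evaluate container and pod securityContext fields for the conditions the
permissive security context checks look for, and show a weak template beside
a hardened one.

Added example, not the product's stored query. WEAK_POD and HARDENED_POD are
constructed pod templates (the PodSpec under spec.template of a workload)."""

PRIVILEGED_CAPS = {"SYS_ADMIN"}   # the capability the checks single out


def container_findings(container: dict) -> list:
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    dropped = {c.upper() for c in caps.get("drop", [])}
    findings = []
    if "seccompProfile" not in sc:
        findings.append("seccompProfile unset")
    if "seLinuxOptions" not in sc:
        findings.append("seLinuxOptions unset")
    if sc.get("allowPrivilegeEscalation", True):       # unset defaults to true at runtime
        findings.append("allowPrivilegeEscalation not false")
    if not sc.get("runAsNonRoot", False):
        findings.append("runAsNonRoot not true")
    if sc.get("runAsUser", 0) < 1000:                  # unset: the image USER decides, so treat as 0
        findings.append("runAsUser below 1000 or unset")
    if sc.get("runAsGroup", 0) < 1000:
        findings.append("runAsGroup below 1000 or unset")
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append("readOnlyRootFilesystem not true")
    added = PRIVILEGED_CAPS & {c.upper() for c in caps.get("add", [])}
    if added:
        findings.append("adds " + ", ".join(sorted(added)))
    if sc.get("privileged", False):
        findings.append("privileged")
    if not ({"ALL", "NET_RAW"} & dropped):
        findings.append("does not drop NET_RAW or ALL")
    return findings


def pod_findings(pod_spec: dict) -> list:
    psc = pod_spec.get("securityContext", {})
    findings = []
    if "seccompProfile" not in psc:
        findings.append("pod seccompProfile unset")
    if not psc.get("supplementalGroups"):
        findings.append("supplementalGroups empty")
    if psc.get("fsGroup", 0) <= 0:
        findings.append("fsGroup unset or root")
    if psc.get("fsGroupChangePolicy") not in ("OnRootMismatch", "Always"):
        findings.append("fsGroupChangePolicy unset")
    return findings


def audit_pod_template(pod_spec: dict) -> dict:
    """'pod' and each container name mapped to its findings; all-empty means the
    template would pass the checks."""
    result = {"pod": pod_findings(pod_spec)}
    for c in pod_spec.get("containers", []):
        result[c["name"]] = container_findings(c)
    return result


# Constructed: a typical "works on my laptop" template, root plus CAP_SYS_ADMIN.
WEAK_POD = {
    "containers": [{"name": "app", "image": "registry.example/app:1.0",
                    "securityContext": {"runAsUser": 0,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}],
}

# Constructed: the same workload with every field the checks look at set.
HARDENED_POD = {
    "securityContext": {
        "seccompProfile": {"type": "RuntimeDefault"},
        "fsGroup": 10001, "fsGroupChangePolicy": "OnRootMismatch",
        "supplementalGroups": [10001],
    },
    "containers": [{"name": "app", "image": "registry.example/app:1.0",
                    "securityContext": {
                        "seccompProfile": {"type": "RuntimeDefault"},
                        "seLinuxOptions": {"level": "s0:c123,c456"},
                        "allowPrivilegeEscalation": False,
                        "privileged": False,
                        "runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
                        "readOnlyRootFilesystem": True,
                        "capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod_template(spec))
```

Two practical points when rolling the hardened template out: `readOnlyRootFilesystem: true` needs an `emptyDir` volume mounted wherever the application writes (`/tmp`, cache directories), and `runAsNonRoot: true` makes the kubelet refuse to start an image whose USER resolves to 0 when `runAsUser` is not set, so set both together rather than relying on the image.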
EKSNodeGroup roles with write access to ECR
Expected check: eq []
{
EKSNodeGroupRolesWithWriteAccessToECR {
...AssetFragment
}
}
EKS Clusters without secrets encryption
Expected check: eq []
{
eksClusters(where:{
OR:[{encryptionConfig: null}, {encryptionConfig: {providerKeyARN: ""}}]
}) {
...AssetFragment
}
}
EKS Clusters without restricted access to control plane endpoint
Expected check: eq []
{
eksClusters(
where: {
OR: [
{ vpcConfigEndpointPrivateAccess: false }
{ vpcConfigPublicAccessCIDRs: [] }
{ vpcConfigPublicAccessCIDRs_INCLUDES: "0.0.0.0/0" }
]
}
) {
...AssetFragment
}
}
EKS Clusters without private-only endpoint access (public endpoint enabled or private endpoint disabled)
Expected check: eq []
{
eksClusters(where:{
OR:[{vpcConfigEndpointPublicAccess: true}, {vpcConfigEndpointPrivateAccess: false}]
}) {
...AssetFragment
}
}
EKS NodeGroups with public nodes
Expected check: eq []
{
EKSNodeGroupsWithPublicNodes {
...AssetFragment
}
}
Ingresses without TLS config
Expected check: eq []
{
EKSIngressesWithoutTLSConfig {
...AssetFragment
}
}
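The three EKS cluster checks above (secrets encryption, restricted endpoint access, private-only endpoint) can be reproduced directly from the `cluster` object that `aws eks describe-cluster --name <cluster>` returns. The Python below is an added example, not the product's stored query; SAMPLE_CLUSTERS holds constructed describe-cluster responses trimmed to the fields the checks use (`encryptionConfig`, `resourcesVpcConfig.endpointPublicAccess`, `endpointPrivateAccess`, `publicAccessCidrs` are the names the EKS API returns). Where a field is absent it applies the defaults a new cluster gets: public endpoint on, private endpoint off, `publicAccessCidrs` 0.0.0.0/0.

```python
"""Evaluate an EKS describe-cluster 'cluster' object for the conditions the
secrets-encryption and endpoint-access checks look for.

Added example, not the product's stored query. SAMPLE_CLUSTERS are constructed
responses; the key ARN and CIDRs in them are placeholders."""


def secrets_encryption_findings(cluster: dict) -> list:
    # Envelope encryption is on when a KMS key is bound to the 'secrets' resource.
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" in cfg.get("resources", []) and cfg.get("provider", {}).get("keyArn"):
            return []
    return ["secrets not envelope-encrypted with a KMS key"]


def endpoint_findings(cluster: dict) -> list:
    vpc = cluster.get("resourcesVpcConfig", {})
    public = vpc.get("endpointPublicAccess", True)            # EKS default
    private = vpc.get("endpointPrivateAccess", False)         # EKS default
    cidrs = vpc.get("publicAccessCidrs", ["0.0.0.0/0"])       # EKS default
    findings = []
    if not private:
        # Without a private endpoint, node-to-API-server traffic leaves the VPC.
        findings.append("private endpoint access disabled")
    if public and "0.0.0.0/0" in cidrs:
        findings.append("public endpoint reachable from any address")
    elif public:
        findings.append("public endpoint enabled (restricted to " + ", ".join(cidrs) + ")")
    return findings


def cluster_findings(cluster: dict) -> list:
    """Empty list means the cluster passes all three checks."""
    return secrets_encryption_findings(cluster) + endpoint_findings(cluster)


SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Constructed responses: a freshly created cluster on defaults, a cluster with a
# CIDR-restricted public endpoint, and a private-only cluster.
SAMPLE_CLUSTERS = {
    "dev": {
        "name": "dev",
        "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False,
                               "publicAccessCidrs": ["0.0.0.0/0"]},
    },
    "staging": {
        "name": "staging",
        "encryptionConfig": [{"resources": ["secrets"], "provider": {"keyArn": SAMPLE_KEY_ARN}}],
        "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": True,
                               "publicAccessCidrs": ["203.0.113.0/24"]},
    },
    "prod": {
        "name": "prod",
        "encryptionConfig": [{"resources": ["secrets"], "provider": {"keyArn": SAMPLE_KEY_ARN}}],
        "resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": True,
                               "publicAccessCidrs": []},
    },
}

if __name__ == "__main__":
    for name, cluster in SAMPLE_CLUSTERS.items():
        print(name, cluster_findings(cluster) or "ok")
```

The two endpoint checks encode different postures: a CIDR-restricted public endpoint passes "without restricted access" but fails "private-only", so decide which one a given cluster is meant to satisfy before treating the second as a finding. Enabling secrets encryption on an existing cluster only encrypts Secrets written after the change; existing ones stay plaintext in etcd until they are rewritten.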
AWS
Kubernetes