Listen to this Post

Introduction:
As Kubernetes adoption skyrockets, misconfigured clusters have become a primary vector for cloud data breaches. This lab demonstrates a practical, code-first approach to building an Amazon EKS cluster with enterprise-grade hardening using Terraform, focusing on controls that every cloud auditor and security engineer must validate—from private API endpoints and envelope encryption to IMDSv2 enforcement and least-privilege IAM.
Learning Objectives:
- Deploy a production-ready EKS cluster where the API server is inaccessible from the public internet.
- Enforce encryption for Kubernetes secrets using AWS KMS with automatic key rotation.
- Validate node-level hardening including IMDSv2, encrypted EBS volumes, and private subnet placement.
You Should Know:
1. Private API Server Endpoint & Network Isolation
The Kubernetes API server is the brain of your cluster. Exposing it to the internet invites unauthorized access, credential theft, and cluster takeover. By setting the cluster endpoint to `PRIVATE` and restricting ingress via a security group, you ensure that only resources inside your VPC can interact with the control plane.
Step‑by‑step guide:
- In your Terraform `aws_eks_cluster` resource, set `endpoint_public_access = false` and
endpoint_private_access = true. - Create a security group rule that allows HTTPS (port 443) only from your VPC CIDR block (e.g., 10.0.0.0/16).
- After deployment, validate the configuration:
Linux / macOS:
Describe the cluster and check endpoint configuration
aws eks describe-cluster --name eks-hardened --region us-east-1 --query "cluster.resourcesVpcConfig.{Public:endpointPublicAccess,Private:endpointPrivateAccess}"
Attempt to reach the API server from outside the VPC (should fail)
curl -k https://$(aws eks describe-cluster --name eks-hardened --query "cluster.endpoint" --output text)/version
Windows (PowerShell):
Check endpoint config
aws eks describe-cluster --name eks-hardened --region us-east-1 --query "cluster.resourcesVpcConfig.{Public:endpointPublicAccess,Private:endpointPrivateAccess}"
Test external access (expect failure)
Invoke-WebRequest -Uri "https://$(aws eks describe-cluster --name eks-hardened --query 'cluster.endpoint' --output text)/version" -SkipCertificateCheck
2. Secrets Encryption with AWS KMS (Envelope Encryption)
By default, Kubernetes secrets are only base64-encoded, not encrypted at rest. Enabling KMS encryption for secrets ensures that all sensitive data (tokens, passwords, keys) stored in etcd is encrypted with a customer-managed key. Automatic annual rotation of the KMS key further reduces the risk of key compromise.
Step‑by‑step guide:
- Create a KMS key with automatic rotation enabled.
- In your `aws_eks_cluster` resource, reference the KMS key ARN under
encryption_config. - Validate encryption is active:
Check that the KMS key ARN appears in the cluster config
aws eks describe-cluster --name eks-hardened --query "cluster.encryptionConfig"
Verify the KMS key has rotation enabled
aws kms get-key-rotation-status --key-id <key-id>
Optional: Create a test secret and confirm it is encrypted at rest
kubectl create secret generic test-secret --from-literal=key=value
kubectl get secret test-secret -o jsonpath='{.data}' | base64 -d
3. Control Plane Audit Logging to CloudWatch
Audit logs from the Kubernetes control plane are essential for detecting anomalous API calls, unauthorized access attempts, and potential cluster compromise. Sending these logs to CloudWatch with a 90‑day retention period provides a tamper‑evident audit trail that can be integrated with SIEM or threat detection tools.
Step‑by‑step guide:
- Enable all control plane log types (
api,audit,authenticator,controllerManager,scheduler) in the `aws_eks_cluster` resource. - Configure a CloudWatch log group with a retention policy of 90 days.
- Validate logs are flowing:
List log groups and check retention
aws logs describe-log-groups --log-group-name-prefix /aws/eks/eks-hardened --query "logGroups[].{Name:logGroupName,Retention:retentionInDays}"
View the latest audit log events
aws logs tail /aws/eks/eks-hardened/cluster --since 1h --filter-pattern "objectRef.resource = secrets"
4. IMDSv2 Enforcement & Node Hardening
AWS EC2’s Instance Metadata Service version 2 (IMDSv2) adds session‑based protections against SSRF and open‑proxy attacks. Forcing IMDSv2 on EKS worker nodes prevents misconfigured pods from accidentally exposing metadata credentials, which is a common path to privilege escalation.
Step‑by‑step guide:
- In your launch template or node group configuration, set
metadata_options:metadata_options { http_endpoint = "enabled" http_tokens = "required" Enforces IMDSv2 http_put_response_hop_limit = 2 } - Validate from within a node (after attaching via AWS SSM):
This should fail if IMDSv2 is enforced curl http://169.254.169.254/latest/meta-data/instance-id Correct IMDSv2 usage (requires token) TOKEN=<code>curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"</code> curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id
- IRSA & Least-Privilege IAM for the EBS CSI Driver
The EBS CSI driver needs permissions to create and attach volumes. Using IAM Roles for Service Accounts (IRSA) allows you to grant only the necessary permissions directly to the Kubernetes service account, avoiding long‑lived credentials on nodes and adhering to least privilege.
Step‑by‑step guide:
- Create an IAM role with a trust policy that allows the EBS CSI driver’s Kubernetes service account to assume it.
- Attach the AWS managed policy
AmazonEBSCSIDriverPolicy. - Annotate the Kubernetes service account with the role ARN.
Validation commands:
Verify the trust policy allows the service account aws iam get-role --role-name eks-hardened-ebs-csi-role --query "Role.AssumeRolePolicyDocument" Check that the EBS CSI driver pods are using the correct IAM role kubectl describe pod ebs-csi-controller-XXX -n kube-system | grep "AWS_ROLE_ARN"
6. Encrypted EBS Volumes & Private Subnets
All EBS volumes attached to worker nodes must be encrypted at rest using KMS. Additionally, worker nodes should reside in private subnets with no public IP addresses, preventing direct internet exposure and forcing outbound traffic through NAT gateways or VPC endpoints.
Step‑by‑step guide:
- Set `encrypted = true` in your launch template’s root block device.
- In your node group configuration, specify private subnets and set
associate_public_ip_address = false.
Validation commands:
List volumes for the cluster and check encryption status
aws ec2 describe-volumes --filters "Name=tag:eks:cluster-name,Values=eks-hardened" --query "Volumes[].{ID:VolumeId,Encrypted:Encrypted}"
Verify nodes have no public IP
aws ec2 describe-instances --filters "Name=tag:eks:cluster-name,Values=eks-hardened" --query "Reservations[].Instances[].{ID:InstanceId,PublicIp:PublicIpAddress}" --output table
What Undercode Say:
- Key Takeaway 1: Hardening an EKS cluster requires a layered, code‑driven approach—no single control can stop a determined attacker, but combining private endpoints, envelope encryption, audit logging, and node‑level defenses creates a formidable shield.
- Key Takeaway 2: Infrastructure as Code (Terraform) is not just a DevOps convenience; it is a mandatory skill for cloud security professionals. Many audits are shifting from manual checklists to automated policy-as‑code validation, and understanding Terraform is essential for reviewing and challenging those automated findings.
Prediction:
Within 18 months, the majority of cloud security incidents will involve misconfigured Kubernetes clusters. As attackers pivot from traditional IAM misconfigurations to container‑specific vectors, demand for specialists who can both deploy and validate hardened EKS environments will skyrocket. Expect to see EKS hardening become a core competency in cloud security role requirements—and a frequent topic in CISSP and CCSK exam updates. Organizations that fail to adopt code‑first security controls will face repeated breaches, while those that embrace Terraform and policy‑as‑code will achieve both speed and compliance.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mariana Arce – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


