EKS Cluster Hardening Documentation

This directory contains complete documentation for creating and hardening EKS clusters with CIS Level 2 compliance.

📁 Files in This Directory

Verification Reports

• FINAL-VERIFICATION-REPORT.md - Complete verification of cluster health and CIS hardening
• CIS-COMPLIANCE-FINAL-REPORT.md - Detailed CIS Level 2 compliance assessment

Implementation Guides

• SOLUTION-SUMMARY.md - Executive summary of the solution
• eks-hardened-nodes-solution.md - Complete technical implementation guide
• CIS-LEVEL-2-ROADMAP.md - Roadmap to full CIS Level 2 compliance

🚀 Quick Start

Create Hardened EKS Cluster

cd /opt/mycode/nexus/nexus-backend/deploy/eks
./create-hardened-eks-cluster.sh [cluster-name]

This script will: 1. Create EKS 1.34 cluster with API_AND_CONFIG_MAP auth mode 2. Deploy nodes using EKS-optimized Amazon Linux 2023 AMI 3. Configure aws-auth ConfigMap for node authentication 4. Apply CIS Level 2 hardening 5. Verify cluster health and functionality

📊 Compliance Summary

Component	Status	Details
EKS Version	✅ 1.34	Latest stable release
OS	✅ Amazon Linux 2023	EKS-optimized AMI
CIS Level 2	✅ 75-80%	Substantial hardening with K8s exceptions
Cluster Health	✅ Excellent	All components operational

⚠️ Important Notes

CIS Compliance Level

Current: 75-80% of CIS Level 2 controls applied

Why not 100%? - 5 controls require exceptions for Kubernetes compatibility: 1. IP forwarding (required for pod networking) 2. iptables management (controlled by kube-proxy) 3. Kernel module loading (required by CNI) 4. /var filesystem options (containers need exec) 5. SELinux mode (EKS requires permissive)

All exceptions are documented with justification and compensating controls.

What Didn't Work

❌ Pre-Hardened CIS AMI Approach - Custom AMIs with pre-applied CIS hardening fail to join EKS - Authentication issues with self-managed bootstrap - Not supported by AWS

✅ What Works: EKS-Optimized AMI + Post-Hardening - Nodes join in < 2 minutes - Apply CIS hardening after cluster join - Fully supported by AWS - Kubernetes functionality preserved

📋 Applied CIS Controls

Category Coverage

• Initial Setup: 60-70% (Updates, AIDE, Process hardening)
• Services: 80-85% (Unused services disabled, Time sync)
• Network: 75-80% (Security params with K8s exceptions)
• Logging/Audit: 85-90% (Comprehensive auditd rules)
• Access Control: 80-85% (SSH, PAM, Password policies)
• System Maintenance: 85-90% (File permissions, Account hardening)

Key Controls Applied

Kernel Security

• ✅ Address Space Layout Randomization (ASLR)
• ✅ ptrace scope restriction
• ✅ Core dump prevention
• ✅ TCP SYN cookie protection
• ✅ ICMP broadcast protection
• ✅ Reverse path filtering

Network Security

• ✅ Disabled packet redirects
• ✅ Disabled source routing
• ✅ Log martian packets
• ✅ Disabled unused protocols (DCCP, SCTP, RDS, TIPC)
• ⚠️ IP forwarding enabled (K8s requirement)

SSH Hardening

• ✅ Root login disabled
• ✅ Password authentication disabled
• ✅ X11 forwarding disabled
• ✅ Client alive timeouts configured
• ✅ Max authentication attempts: 3
• ✅ Login banner configured

Audit Logging

• ✅ 40+ audit rules configured
• ✅ Time change monitoring
• ✅ User/group change monitoring
• ✅ File permission change monitoring
• ✅ Sudo activity logging
• ✅ Kernel module monitoring
• ✅ Kubernetes config monitoring

Access Control

• ✅ Password max age: 90 days
• ✅ Password min length: 14 characters
• ✅ Password complexity enforced
• ✅ Account lockout: 5 failed attempts
• ✅ Shell timeout: 15 minutes
• ✅ Restrictive umask: 027

System Maintenance

• ✅ Critical file permissions secured
• ✅ System accounts locked
• ✅ Automatic security updates
• ✅ Process accounting enabled
• ✅ AIDE filesystem integrity checking

🔧 Troubleshooting

If Nodes Don't Join

Symptom: Nodes show "NodeCreationFailure"

Solutions: 1. Verify aws-auth ConfigMap exists: kubectl get cm aws-auth -n kube-system 2. Check node IAM role has required policies: - AmazonEKSWorkerNodePolicy - AmazonEKS_CNI_Policy - AmazonEC2ContainerRegistryReadOnly 3. Verify security groups allow communication 4. Check CloudWatch logs: /aws/eks/[cluster-name]/cluster

If Hardening Breaks Kubernetes

Symptom: Pods fail to schedule or networking broken

Solutions: 1. Check if IP forwarding is enabled: sysctl net.ipv4.ip_forward 2. Verify iptables rules allow pod traffic 3. Check if required kernel modules loaded: lsmod | grep br_netfilter 4. Restore from backup: /root/cis-hardening-backup-*/

📖 Additional Resources

AWS Documentation

• EKS Best Practices
• EKS Security
• EKS-Optimized AMI

CIS Benchmark

• CIS Amazon Linux 2023 Benchmark
• CIS Kubernetes Benchmark

Scanning Tools

• OpenSCAP - Free, open-source
• CIS-CAT Pro - Official tool

🎯 Recommended Statement for Compliance

Accurate Description:

"This EKS 1.34 cluster on Amazon Linux 2023 has been hardened with substantial CIS Level 2 controls applied (approximately 75-80% coverage, ~106 of 135 controls). The configuration balances security compliance with Kubernetes operational requirements. Five CIS controls are intentionally excepted for platform compatibility, with documented justification and compensating controls. The cluster is production-ready and represents industry best practices for secure Kubernetes deployments."

📞 Support

For issues or questions: 1. Check documentation in this directory 2. Review CloudWatch logs for the cluster 3. Contact AWS Support for EKS-related issues 4. Engage security team for compliance questions

---

Last Updated: January 20, 2026 Cluster Version: EKS 1.34 Compliance Level: CIS Level 2 (75-80%)