AWS eks documentation change
Summary
Updated documentation for generating CIS compliance reports, including restructured content, added example outputs, and clarified command explanations
Security assessment
The changes enhance documentation for a security feature (CIS compliance reporting) but do not address a specific vulnerability. The added example output shows security configuration checks (e.g., ASLR, SELinux, eBPF), which are security-related controls, but this is documentation improvement rather than a response to a security incident.
Diff
diff --git a/eks/latest/userguide/auto-cis.md b/eks/latest/userguide/auto-cis.md index ee10a8a9f..e385b034e 100644 --- a//eks/latest/userguide/auto-cis.md +++ b//eks/latest/userguide/auto-cis.md @@ -5 +5 @@ -PrerequisitesProcedureCommand componentsUnderstanding the outputRelated resources +PrerequisitesProcedureInterpreting the outputRelated resources @@ -13,3 +13 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t -This topic describes how to generate CIS (Center for Internet Security) compliance reports for Amazon EKS nodes using the `kubectl debug` command. - -The command allows you to temporarily create a debugging container on a Kubernetes node and run CIS compliance checks using the `apiclient` tool. The `apiclient` tool is part of Bottlerocket OS, the OS used by EKS Auto Mode nodes. +This topic describes how to generate CIS (Center for Internet Security) compliance reports for Amazon EKS nodes using the `kubectl debug` command. The command allows you to temporarily create a debugging container on a Kubernetes node and run CIS compliance checks using the `apiclient` tool. The `apiclient` tool is part of Bottlerocket OS, the OS used by EKS Auto Mode nodes. @@ -21 +19 @@ Before you begin, ensure you have: - * Access to an Amazon EKS cluster with kubectl configured + * Access to an Amazon EKS cluster with `kubectl` configured @@ -27 +24,0 @@ Before you begin, ensure you have: - * For more information about using debugging profiles with `kubectl, see [Debugging a Pod or Node while applying a profile](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#debugging-profiles) in the Kubernetes documentation. @@ -30,0 +28 @@ Before you begin, ensure you have: +For more information about using debugging profiles with `kubectl`, see [Debugging a Pod or Node while applying a profile](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#debugging-profiles) in the Kubernetes documentation. @@ -34,3 +32 @@ Before you begin, ensure you have: - 1. Determine the AWS Instance ID of the node you want to run the report on - - * Use the following command to list the nodes in the cluster. The instance ID is found in the name column, and begins with `i-`. + 1. Determine the AWS Instance ID of the node you want to run the report on. Use the following command to list the nodes in the cluster. The instance ID is found in the name column, and begins with `i-`: @@ -40,6 +36,2 @@ Before you begin, ensure you have: - 2. Run the following command, with the identified instance ID. - - kubectl debug node/<instance-id> -it --profile=sysadmin --image=public.ecr.aws/amazonlinux/amazonlinux:2023 -- bash -c "yum install -q -y util-linux-core; nsenter -t 1 -m apiclient report cis --level 1 --format text" - - 3. Review the report text output - + NAME STATUS ROLES AGE VERSION + i-0ea0ba0f8ef9ad609 Ready <none> 62s v1.30.10-eks-1a9dacd @@ -46,0 +39 @@ Before you begin, ensure you have: + 2. Run the following command, replacing `<instance-id>` with the instance ID of the node you want to query: @@ -47,0 +41 @@ Before you begin, ensure you have: + kubectl debug node/<instance-id> -it --profile=sysadmin --image=public.ecr.aws/amazonlinux/amazonlinux:2023 -- bash -c "yum install -q -y util-linux-core; nsenter -t 1 -m apiclient report cis --level 1 --format text" @@ -49 +43 @@ Before you begin, ensure you have: -## Command components +Components of this command include: @@ -53 +47 @@ Before you begin, ensure you have: - * `-it` — Allocates a TTY and keeps stdin open for interactive usage. + * `-it` — Allocates a TTY (command line shell) and keeps stdin open for interactive usage. @@ -55 +49 @@ Before you begin, ensure you have: - * `--profile=sysadmin` — Uses the specified kubectl profile with appropriate permissions. + * `--profile=sysadmin` — Uses the specified `kubectl` profile with appropriate permissions. @@ -57 +51 @@ Before you begin, ensure you have: - * `--image=public.ecr.aws/amazonlinux/amazonlinux:2023` — Uses Amazon Linux 2023 as the container image for debugging. + * `--image=public.ecr.aws/amazonlinux/amazonlinux:2023` — Uses `amazonlinux:2023` as the container image for debugging. @@ -59 +53 @@ Before you begin, ensure you have: - * `bash -c "…"` — Executes the following commands in a bash shell. + * `bash -c "…"` — Executes the following commands in a bash shell: @@ -63 +57 @@ Before you begin, ensure you have: - * `nsenter -t 1 -m` — Enters the namespace of the host process (PID 1). + * `nsenter -t 1 -m` — Runs `nsenter` to enter the namespace of the host process (PID 1). @@ -66,0 +61 @@ Before you begin, ensure you have: + 3. Review the report text output. @@ -70 +65,2 @@ Before you begin, ensure you have: -## Understanding the output + +## Interpreting the output @@ -78 +74 @@ The command generates a text-based report showing the compliance status of vario - * Pass/Fail status for each check + * Pass, Fail, or Skip status for each check @@ -84,0 +81,29 @@ The command generates a text-based report showing the compliance status of vario +Here is an example of output from the report run on a Bottlerocket instance: + + + Benchmark name: CIS Bottlerocket Benchmark + Version: v1.0.0 + Reference: https://www.cisecurity.org/benchmark/bottlerocket + Benchmark level: 1 + Start time: 2025-04-11T01:40:39.055623436Z + + [SKIP] 1.2.1 Ensure software update repositories are configured (Manual) + [PASS] 1.3.1 Ensure dm-verity is configured (Automatic)[PASS] 1.4.1 Ensure setuid programs do not create core dumps (Automatic) + [PASS] 1.4.2 Ensure address space layout randomization (ASLR) is enabled (Automatic) + [PASS] 1.4.3 Ensure unprivileged eBPF is disabled (Automatic) + [PASS] 1.5.1 Ensure SELinux is configured (Automatic) + [SKIP] 1.6 Ensure updates, patches, and additional security software are installed (Manual) + [PASS] 2.1.1.1 Ensure chrony is configured (Automatic) + [PASS] 3.2.5 Ensure broadcast ICMP requests are ignored (Automatic) + [PASS] 3.2.6 Ensure bogus ICMP responses are ignored (Automatic) + [PASS] 3.2.7 Ensure TCP SYN Cookies is enabled (Automatic) + [SKIP] 3.4.1.3 Ensure IPv4 outbound and established connections are configured (Manual) + [SKIP] 3.4.2.3 Ensure IPv6 outbound and established connections are configured (Manual) + [PASS] 4.1.1.1 Ensure journald is configured to write logs to persistent disk (Automatic) + [PASS] 4.1.2 Ensure permissions on journal files are configured (Automatic) + + Passed: 11 + Failed: 0 + Skipped: 4 + Total checks: 15 +