EKS security group being flagged by Security Hub standard

0

Hi all,

I have recently enabled Security Hub on my account where we have EKS set up via CDK. We have assigned the "AWS Foundational Security Best Practices v1.0.0" standard to Security Hub and it came up with a couple of findings. One of them is that the security group used by EKS is allowing all traffic to the ingress nodePorts. We are allowing all sources because we are doing client IP preservation on the NLB, so we can get the client IP addresses on the pods. Is there some way around this/fix so it doesn't get flagged by this standard? We enabled Security Hub to generate a report for a Facebook Data Protection Assessment that was required of our company.

Any help would be appreciated! Best, Lior.

1 answer
0

To address this finding, you can create a security group that allows traffic only from the NLB's security group or from specific IP ranges that are trusted. You can then update your EKS cluster to use this new security group instead of the existing one. Or you could use WAF to filter traffic based on specific criteria, such as IP address or geographic location. This can provide an additional layer of security to your application while still allowing you to preserve client IP addresses.

answered 1 year ago
  • From my understanding if I have client IP preservation, the source IP that I will see will not be from the NLBs but from the client IPs, or am I wrong in this assumption? If this is correct, then I cannot limit an IP range because the public ingress needs to allow everyone to connect to it.
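To see concretely what the finding is reacting to, here is an added check (not code from the question, the answer, or AWS) that scans security group ingress rules in the shape returned by describe-security-groups and flags any rule that exposes the Kubernetes default NodePort range (30000-32767) to 0.0.0.0/0 or ::/0. The sample group data is constructed; the group ids are placeholders, and the "after" variant assumes the NLB has its own security group attached so the node group can reference it instead of a CIDR.

```python
# Flags security-group ingress rules that open the NodePort range to the world
# (the condition behind the Security Hub finding), then re-runs the check on
# the same group after the source is narrowed to the NLB's security group.
NODEPORT_RANGE = (30000, 32767)          # Kubernetes default NodePort range
WORLD = ("0.0.0.0/0", "::/0")


def overlaps_nodeports(perm):
    """True if an IpPermissions entry covers any port in the NodePort range."""
    if perm.get("IpProtocol") == "-1":   # "all traffic" spans every port
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= NODEPORT_RANGE[1] and hi >= NODEPORT_RANGE[0]


def world_open_sources(perm):
    """CIDR sources on this rule that mean 'anyone'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def flag_sg(sg):
    """Return (group id, protocol, from, to, cidr) for each offending rule."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not overlaps_nodeports(perm):
            continue
        for cidr in world_open_sources(perm):
            findings.append((sg["GroupId"], perm.get("IpProtocol"),
                             perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


# Constructed sample data (placeholder ids, not from any real account).
NODE_SG_BEFORE = {"GroupId": "sg-nodes-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}

# Same rule, but the source is the NLB's security group rather than a CIDR.
NODE_SG_AFTER = {"GroupId": "sg-nodes-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-nlb-example"}]}]}

if __name__ == "__main__":
    for sg in (NODE_SG_BEFORE, NODE_SG_AFTER):
        print(sg["GroupId"], flag_sg(sg) or "no world-open NodePort rules")
```

Running it against live data means feeding the output of `aws ec2 describe-security-groups` into `flag_sg`; the rule that references `sg-nlb-example` produces no finding because the check only looks at CIDR sources.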
