AWS Security Hub · EKS
EKS.1: An EKS cluster API endpoint is public
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EKS.1 check?
EKS.1 fails when a cluster's Kubernetes API server endpoint is publicly accessible. The endpoint has three access modes — public, private, and public restricted to a CIDR — and the default is public.
Why does EKS.1 matter?
Public EKS endpoints are trivially discoverable: the hostname pattern and the TLS certificate mean internet-wide scanners and certificate-transparency feeds catalogue tens of thousands of them. A cluster stood up for a weekend experiment can be enumerated by a bot before you have finished your coffee, because a public endpoint exposes the API server to the whole internet rather than just your network.
How do I fix EKS.1?
- Audit clusters and check each one's endpoint access config to find those with public access enabled.
- Flip the cluster to private access, or restrict public access to known CIDRs — both can be done in place without recreating the cluster.
- Provide a path for operators (bastion, VPN, or CI in-VPC) so kubectl still works once the endpoint is private.
- Add a guardrail (SCP or Config rule) so new clusters are not born with an open public endpoint.
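The audit step above, as an added example that is not part of this page's remediation script: it reads `aws eks describe-cluster` output, sorts each cluster into the three endpoint modes the control describes, and prints the in-place fix. The cluster names svc-billing and svc-internal and the CIDR 203.0.113.0/24 are constructed sample data; treating the CIDR-restricted mode as not failing (because the page lists it as an accepted fix) is an assumption to confirm against your own Security Hub findings.

```python
import json
import sys
OPEN_INTERNET = "0.0.0.0/0"

def endpoint_mode(cluster: dict) -> str:
    """Classify into the control's three modes: private, public-restricted, public."""
    vpc = cluster["resourcesVpcConfig"]
    if not vpc.get("endpointPublicAccess", True):  # the API default is public
        return "private"
    cidrs = vpc.get("publicAccessCidrs") or [OPEN_INTERNET]
    return "public" if OPEN_INTERNET in cidrs else "public-restricted"

def eks1_finding(cluster: dict) -> dict:
    name, mode = cluster["name"], endpoint_mode(cluster)
    # Assumption: only the open-to-internet mode is flagged as failing, because CIDR
    # restriction is one of the page's accepted fixes; confirm against your own findings.
    fix = {"public": f"aws eks update-cluster-config --name {name} --resources-vpc-config "
                     "endpointPublicAccess=false,endpointPrivateAccess=true",
           "public-restricted": "review publicAccessCidrs; go private once an in-VPC kubectl path exists",
           "private": None}[mode]
    return {"cluster": name, "mode": mode, "fails": mode == "public", "fix": fix}

def parse_stream(text: str) -> list:
    """Split concatenated JSON documents (describe-cluster output from a shell loop)."""
    decoder, docs, pos = json.JSONDecoder(), [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        doc, pos = decoder.raw_decode(text, pos)
        docs.append(doc)
    return docs

def audit(documents: list) -> list:
    return [eks1_finding(d["cluster"]) for d in documents]

# Constructed sample output (one cluster per mode); not real account data.
SAMPLE_STREAM = """
{"cluster": {"name": "svc-orders", "resourcesVpcConfig": {"endpointPublicAccess": true,
 "endpointPrivateAccess": false, "publicAccessCidrs": ["0.0.0.0/0"]}}}
{"cluster": {"name": "svc-billing", "resourcesVpcConfig": {"endpointPublicAccess": true,
 "endpointPrivateAccess": true, "publicAccessCidrs": ["203.0.113.0/24"]}}}
{"cluster": {"name": "svc-internal", "resourcesVpcConfig": {"endpointPublicAccess": false,
 "endpointPrivateAccess": true, "publicAccessCidrs": ["0.0.0.0/0"]}}}
"""

if __name__ == "__main__":  # read piped describe-cluster output, else the sample
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STREAM
    for f in audit(parse_stream(raw)):
        print("FAIL" if f["fails"] else "ok  ", f["cluster"], f["mode"], f["fix"] or "")
```

Feed it real data with `for c in $(aws eks list-clusters --query 'clusters[]' --output text); do aws eks describe-cluster --name "$c"; done | python3 eks1_audit.py`, and re-run it after the update-cluster-config call to confirm the mode has changed.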
Remediation script · bash
# Close the highest-blast-radius mode first: confirm and remove the root access key.
# (Deletion is done as the root user via the console; an IAM identity cannot do it.)
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
# Expect 0 after deletion.
# Close a public EKS endpoint (only after confirming a private path exists).
aws eks update-cluster-config --name svc-orders \
    --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
# Disable legacy ACLs on a bucket and let policy govern access.
aws s3api put-bucket-ownership-controls --bucket my-legacy-assets \
    --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
# Migrate a Transfer Family server off plain FTP to SFTP only.
aws transfer update-server --server-id s-0a1b2c3d4e5f --protocols SFTP
Full walkthrough (console steps, edge cases and verification) in the lesson Disable insecure access modes and protocols.