
Add Phase 1 EKS Infrastructure Support (EKS Cluster & Node Group Checks) #40

@thatmikereed

Description


Summary

This issue proposes Phase 1 support for Amazon EKS (Elastic Kubernetes Service) infrastructure checks in ci_lambda_checks. This would allow basic security, compliance, and configuration evaluations for EKS resources in a manner similar to current EC2 resource monitoring.

Background

Currently, the project supports only traditional AWS EC2 resource types (instances, VPCs, security groups, subnets, etc.). AWS EKS is widely used, so extending these checks to EKS infrastructure provides greater security coverage in AWS environments.

Scope (Phase 1)

  • Add support for infrastructure-level checks on:
    • EKS Clusters (AWS::EKS::Cluster)
    • EKS Managed Node Groups (AWS::EKS::Nodegroup)
  • Use AWS Config events as the evaluation trigger (as is done for EC2)
  • Only cluster and node group configuration checks; no pod/container-level checks yet.

Proposed Implementation

1. Update config.js with Two New Check Configurations

  • eksInfrastructure (checks cluster logging, version, endpoint access, secrets encryption)
  • eksNodeGroup (checks AMI type, update configuration, required tags, scaling configuration)

2. Update utilities/assets.js for EKS Asset Type Mappings

  • assetType mappings for:
    • AWS::EKS::Cluster → eks-cluster
    • AWS::EKS::Nodegroup → eks-nodegroup
    • AWS::EKS::FargateProfile → eks-fargate
  • Add a helper for querying EKS clusters

3. Add New EKS Check Modules

  • checks/eksInfrastructure.js: Handles cluster-level checks as proposed
  • checks/eksNodeGroup.js: Handles node group-level checks as proposed

4. Update checks/awsConfigRules.js

  • Add EKS-related resource type mappings for cluster, node group, fargate

5. New Documentation

  • Add a file (README_EKS.md) documenting EKS checks, policies, and configuration

Benefits

  • Expands ci_lambda_checks coverage to modern Kubernetes infrastructure on AWS
  • Leverages existing AWS Config event-driven architecture
  • Security/compliance parity with EC2 resource evaluations at the infrastructure level
  • Checks are disabled by default; opt in as needed

Testing & Compatibility

  • No breaking changes; existing checks and flows remain unaffected
  • EKS checks must be enabled and AWS Config must record EKS resources
  • See README_EKS.md for policy details and test guidance

Full Proposed Changes

The full proposed code and documentation are available and ready to integrate. Please comment if you have feedback or would like a review before I branch the code, make the changes, and open a pull request for review!
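As an added, stand-alone example (not ci_lambda_checks code and not the author's proposed implementation), here is one way the two proposed check modules could evaluate an AWS Config configuration item for an EKS cluster and a managed node group, keyed by the same resource types the assetType mapping uses. The policy field names (`defaultEksPolicy`), the sample configuration items, and the assumption that the `configuration` block recorded by AWS Config follows the EKS DescribeCluster / DescribeNodegroup response shape are all illustrative.

```javascript
'use strict';

// Assumed policy shape for an eksInfrastructure / eksNodeGroup config entry.
// These field names are illustrative and not part of ci_lambda_checks.
const defaultEksPolicy = {
  requiredLogTypes: ['api', 'audit', 'authenticator'],
  minimumVersion: '1.28',
  allowPublicEndpoint: false,
  requireSecretsEncryption: true,
  nodeGroup: {
    allowedAmiTypes: ['AL2023_x86_64_STANDARD', 'BOTTLEROCKET_x86_64'],
    maxUnavailablePercentage: 33,
    requiredTags: ['Owner', 'Environment'],
    minSize: 2,
  },
};

// Numeric dotted-version comparison so "1.9" sorts below "1.10" (string compare would not).
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Cluster-level checks: control plane logging, version, endpoint access, secrets encryption.
// item.configuration is assumed to carry the EKS DescribeCluster shape.
function evaluateEksCluster(item, policy = defaultEksPolicy) {
  const cfg = item.configuration || {};
  const findings = [];
  const enabled = new Set();
  for (const entry of (cfg.Logging && cfg.Logging.ClusterLogging) || []) {
    if (entry.Enabled) (entry.Types || []).forEach((t) => enabled.add(t));
  }
  const missingLogs = policy.requiredLogTypes.filter((t) => !enabled.has(t));
  if (missingLogs.length) findings.push(`control plane logging disabled for: ${missingLogs.join(', ')}`);
  if (!cfg.Version || compareVersions(cfg.Version, policy.minimumVersion) < 0) {
    findings.push(`Kubernetes version ${cfg.Version || 'unknown'} is below ${policy.minimumVersion}`);
  }
  const vpc = cfg.ResourcesVpcConfig || {};
  if (vpc.EndpointPublicAccess) {
    // A public endpoint is only tolerable if policy allows it and it is not open to the world.
    if (!policy.allowPublicEndpoint) findings.push('public API endpoint enabled');
    else if ((vpc.PublicAccessCidrs || []).includes('0.0.0.0/0')) findings.push('public API endpoint open to 0.0.0.0/0');
  }
  const secretsEncrypted = (cfg.EncryptionConfig || []).some(
    (e) => (e.Resources || []).includes('secrets') && e.Provider && e.Provider.KeyArn,
  );
  if (policy.requireSecretsEncryption && !secretsEncrypted) findings.push('KMS envelope encryption of secrets not configured');
  return { resourceId: item.resourceId, compliant: findings.length === 0, findings };
}

// Node group checks: AMI type, update configuration, required tags, scaling configuration.
// item.configuration is assumed to carry the EKS DescribeNodegroup shape.
function evaluateEksNodeGroup(item, policy = defaultEksPolicy) {
  const cfg = item.configuration || {};
  const p = policy.nodeGroup;
  const findings = [];
  if (!p.allowedAmiTypes.includes(cfg.AmiType)) findings.push(`AMI type ${cfg.AmiType || 'unknown'} not in allow list`);
  const uc = cfg.UpdateConfig || {};
  if (uc.MaxUnavailable === undefined && uc.MaxUnavailablePercentage === undefined) {
    findings.push('no update configuration set');
  } else if (uc.MaxUnavailablePercentage > p.maxUnavailablePercentage) {
    findings.push(`maxUnavailablePercentage ${uc.MaxUnavailablePercentage} exceeds ${p.maxUnavailablePercentage}`);
  }
  const tags = cfg.Tags || {};
  const missingTags = p.requiredTags.filter((t) => !(t in tags) || tags[t] === '');
  if (missingTags.length) findings.push(`missing required tags: ${missingTags.join(', ')}`);
  const sc = cfg.ScalingConfig || {};
  if (!(sc.MinSize >= p.minSize)) findings.push(`minSize ${sc.MinSize} below ${p.minSize}`);
  return { resourceId: item.resourceId, compliant: findings.length === 0, findings };
}

// Dispatch on the Config resourceType; unknown types return null so callers can skip them.
const eksEvaluators = { 'AWS::EKS::Cluster': evaluateEksCluster, 'AWS::EKS::Nodegroup': evaluateEksNodeGroup };
function evaluateEksConfigItem(item, policy = defaultEksPolicy) {
  const fn = eksEvaluators[item.resourceType];
  return fn ? fn(item, policy) : null;
}

// Constructed sample configuration items (not captured from a real account); both should fail.
const sampleCluster = { resourceType: 'AWS::EKS::Cluster', resourceId: 'demo-cluster', configuration: {
  Version: '1.27',
  Logging: { ClusterLogging: [{ Types: ['api'], Enabled: true }, { Types: ['audit', 'authenticator'], Enabled: false }] },
  ResourcesVpcConfig: { EndpointPublicAccess: true, EndpointPrivateAccess: false, PublicAccessCidrs: ['0.0.0.0/0'] },
  EncryptionConfig: [],
} };
const sampleNodeGroup = { resourceType: 'AWS::EKS::Nodegroup', resourceId: 'demo-cluster/demo-ng', configuration: {
  AmiType: 'AL2_x86_64', UpdateConfig: { MaxUnavailablePercentage: 50 },
  Tags: { Owner: 'platform-team' }, ScalingConfig: { MinSize: 1, MaxSize: 3, DesiredSize: 1 },
} };

if (typeof require !== 'undefined' && require.main === module) {
  for (const item of [sampleCluster, sampleNodeGroup]) console.log(JSON.stringify(evaluateEksConfigItem(item), null, 2));
}
if (typeof module !== 'undefined') {
  module.exports = { defaultEksPolicy, compareVersions, evaluateEksCluster, evaluateEksNodeGroup, evaluateEksConfigItem, sampleCluster, sampleNodeGroup };
}
```

Run with `node` to see the findings for the two constructed items. Each evaluator returns every failed control rather than stopping at the first, which is what you want when the result is surfaced as an AWS Config annotation or a ticket; and because the checks only ever see what AWS Config recorded, a cluster in a region or account where EKS recording is not enabled never produces an evaluation, which is the operational caveat behind the requirement that AWS Config must record EKS resources.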
