CIS Amazon EKS Benchmark, continuously evidenced.
The CIS Amazon Elastic Kubernetes Service Benchmark v1.8.0 defines 48 controls specific to EKS clusters: IAM integration for cluster authentication, control-plane logging to CloudWatch, network policy via VPC CNI, EKS managed node groups, and EKS-specific control-plane hardening. Combined with the CIS Kubernetes Benchmark, this provides full EKS evidence.
Amazon EKS benchmark at a glance.
- Benchmark version: v1.8.0
- Total controls: 48
- Scan type: Agentless
- Available tier: Pro and above
- Category: Container & Orchestration
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- IAM authentication and authorization
- Control-plane logging to CloudWatch
- Network Policy (VPC CNI)
- EKS managed node groups
- AWS PrivateLink + private cluster endpoints
- EKS-specific control-plane hardening
Amazon EKS questions, answered directly.
How does CISGuard authenticate to EKS clusters?
CISGuard uses an IAM role mapped to a Kubernetes RBAC binding in the cluster. The IAM role is granted minimal read permissions via the EKS aws-auth ConfigMap. Multi-cluster scanning uses a centralized scanning identity with cross-cluster RBAC.
Does CISGuard support EKS Fargate?
Yes. EKS Fargate (serverless containers) is supported. Fargate-specific controls focus on pod configuration since there are no customer-managed nodes. CISGuard validates Fargate profile configuration, pod security context, and the applicable subset of Kubernetes benchmark controls.
Can CISGuard scan EKS on AWS GovCloud?
Yes. EKS on AWS GovCloud (US-East and US-West) is supported. CISGuard configuration accommodates the GovCloud endpoints. GovCloud customers get the same Framework Coverage Reports as commercial AWS customers.
Want an Amazon EKS scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.