{"id":78210,"date":"2026-03-15T12:18:27","date_gmt":"2026-03-15T06:48:27","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=78210"},"modified":"2026-03-23T21:57:55","modified_gmt":"2026-03-23T16:27:55","slug":"end-to-end-container-hardening-on-amazon-eks-cis-aligned-implementation","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/end-to-end-container-hardening-on-amazon-eks-cis-aligned-implementation\/","title":{"rendered":"End-to-End Container Hardening on Amazon EKS (CIS Aligned Implementation)"},"content":{"rendered":"

Introduction<\/h2>\n

With the growing adoption of containers and Kubernetes, securing containerized workloads has become a critical responsibility for DevOps and platform teams. Organizations running workloads on Kubernetes must ensure that their infrastructure, container images, runtime configurations, and resource governance follow security best practices.<\/p>\n

In this blog, we walk through the end-to-end container hardening approach implemented on Amazon Elastic Kubernetes Service (EKS) aligned with Center for Internet Security (CIS) benchmarks. The implementation focuses on securing the host OS, container images, Dockerfiles, runtime policies, logging, and Kubernetes workloads while ensuring operational efficiency.<\/p>\n

1. Infrastructure-Level Hardening<\/strong><\/h2>\n


\n1.1 Container Host Hardened<\/strong><\/p>\n

The worker nodes run on Amazon Linux 2023 EKS-optimized AMI, which is maintained and patched by AWS to provide a secure and stable container host environment.
\nPlatform Used<\/strong>
\nAWS EKS Optimized Amazon Linux 2023 (AL2023) AMI
\nManaged by AWS<\/p>\n

Verification Commands<\/strong><\/p>\n

kubectl get nodes -o wide\r\ncat \/etc\/os-release<\/pre>\n
Expected Output:<\/strong><\/p>\n
NAME=\"Amazon Linux\"\r\nVERSION=\"2023\"<\/pre>\n
This confirms that the nodes are running the hardened and supported operating system.<\/p>\n
2. Centralized & Remote Logging<\/h2>\n
Centralized logging ensures that both application logs and control plane logs are stored remotely for monitoring, auditing, and incident investigation.<\/p>\n
2.1 Centralized Logging<\/strong>
\nApplication logs \u2192 Kibana\/Cloudwatch
\nControl plane logs \u2192 Amazon CloudWatch<\/p>\n
Enable Control Plane Logs<\/strong><\/p>\n
aws eks update-cluster-config \\\r\n--name <cluster-name> \\\r\n--logging '{\"clusterLogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"],\"enabled\":true}]}'<\/pre>\n
Verification<\/strong><\/p>\n
aws eks describe-cluster --name <cluster-name> --query cluster.logging<\/pre>\n
EKS \u2192 Logging Enabled Page
\nCloudWatch Log Group
\nKibana Dashboard showing App Logs<\/p>\n
This ensures that API, audit, and scheduler logs are centrally collected and retained.<\/p>\n
\"log1\"<\/p>\n
\"log2\"
.<\/p><\/div>\n
3. Dockerfile Hardening Controls
\n<\/strong><\/h2>\n
3.1 No Standalone Update Commands<\/strong>
\nSecure Dockerfile Example<\/p>\n
FROM maven:3.9-eclipse-temurin-17\r\nRUN apk add --no-cache curl<\/pre>\n
\u2714 No apk update used separately
\n\u2714 Prevents stale package layer<\/p>\n
\"4.7\"<\/p>\n
Dockerfile snippet<\/strong><\/p>\n
3.2 Remove setuid\/setgid<\/strong><\/p>\n
RUN find \/ -perm \/6000 -type f -exec chmod a-s {} \\; || true<\/pre>\n
Verification<\/strong><\/p>\n
find \/ -perm \/6000 -type f\r\nExpected: No output<\/pre>\n
Terminal showing no output<\/p>\n
\"4.8\"<\/p>\n
3.3 COPY Instead of ADD<\/strong><\/p>\n
COPY target\/app.jar \/app\/app.jar<\/pre>\n
\u2714 Avoids unintended archive extraction
\n\u2714 No remote URL downloads<\/p>\n
3.4 Secrets Not Stored in Dockerfile<\/strong><\/p>\n
Secrets fetched from:<\/p>\n
AWS Systems Manager Parameter Store<\/p>\n
Example Kubernetes Config<\/strong><\/p>\n
env:\r\n- name: DB_PASSWORD\r\n  valueFrom:\r\n    secretKeyRef:\r\n      name: app-secret\r\n      key: db_password<\/pre>\n
OR via Parameter Store integration.
\nNo secrets in Dockerfile<\/p>\n
4. Image Security & Supply Chain<\/strong><\/h2>\n
\u00a04.1 Image Scanned & Zero Vulnerabilities<\/strong>
\nImages stored in:<\/p>\n
Amazon ECR<\/p>\n
Enable Image Scanning<\/p>\n
aws ecr put-image-scanning-configuration \\\r\n--repository-name <repo-name> \\\r\n--image-scanning-configuration scanOnPush=true<\/pre>\n
Check Scan Results<\/p>\n
aws ecr describe-image-scan-findings \\\r\n--repository-name <repo-name> \\\r\n--image-id imageTag=<tag><\/pre>\n
ECR \u2192 Image Scan Results \u2192 0 Vulnerabilities<\/p>\n
\"image\"<\/p>\n
4.2 Controlled Artifact Pipeline<\/strong>
\nBuilt & pushed using:<\/p>\n
docker.build(\"repo\/app:${BUILD_NUMBER}\")\r\ndocker.withRegistry('https:\/\/<account>.dkr.ecr.region.amazonaws.com', 'ecr-creds') {\r\ndocker.image(\"repo\/app:${BUILD_NUMBER}\").push()\r\n}<\/pre>\n
Jenkins Build Success
\nImage pushed to ECR<\/p>\n
5. Runtime Security Controls (Kubernetes)<\/strong><\/h2>\n
5.1 Non-Root User Enforcement<\/strong><\/p>\n
 <\/p>\n
Dockerfile\r\n<\/strong>\r\nRUN addgroup -S appgroup && adduser -S appuser -G appgroup\r\n\r\nUSER appuser\r\n\r\nKubernetes SecurityContext\r\nsecurityContext:\r\nrunAsNonRoot: true\r\nrunAsUser: 1000\r\n\r\nVerification\r\nkubectl exec -it <pod> -- id\r\n\r\nExpected:<\/strong>\r\n\r\nuid=1000(appuser)<\/pre>\n
\"security\"
.<\/p><\/div>\n
5.2 No Privileged Containers<\/strong><\/p>\n
securityContext:\r\nprivileged: false\r\nallowPrivilegeEscalation: false<\/pre>\n
Verify<\/strong><\/p>\n
kubectl get pod <pod> -o yaml | grep privileged<\/pre>\n
Expected:
\n<\/strong>privileged: false
\nPod YAML output<\/p>\n
\"5.5\"
.<\/p><\/div>\n
5.3 Linux Capabilities Dropped<\/strong><\/p>\n
securityContext:\r\ncapabilities:\r\ndrop:\r\n- ALL<\/pre>\n
Verification<\/strong>:<\/p>\n
kubectl get pod <pod> -o yaml | grep capabilities -A5<\/pre>\n
\u00a05.4 Root Filesystem Read-Only<\/strong><\/p>\n
securityContext:\r\nreadOnlyRootFilesystem: true<\/pre>\n
Verification:<\/strong><\/p>\n
kubectl exec -it <pod> -- touch \/testfile<\/pre>\n
Expected:<\/strong><\/p>\n
Read-only file system<\/p>\n
Error output<\/p>\n
\"5.13\"
.<\/p><\/div>\n
5.5 Restrict Privilege Escalation<\/strong><\/p>\n
securityContext:\r\nallowPrivilegeEscalation: false<\/pre>\n
Verification<\/strong>:<\/p>\n
kubectl get pod <pod> -o yaml | grep allowPrivilegeEscalation<\/pre>\n
6. Resource Governance<\/h2>\n
\u00a06.1 Memory Limits<\/strong><\/p>\n
resources:\r\n\u00a0 \u00a0requests:\r\n\u00a0 \u00a0 \u00a0 memory: \"256Mi\"\r\n\u00a0 \u00a0limits:\r\n\u00a0 \u00a0 \u00a0 memory: \"512Mi\"<\/pre>\n
\u00a06.2 CPU Limits<\/strong><\/p>\n
resources:\r\n\u00a0 \u00a0requests:\r\n\u00a0 \u00a0 \u00a0 cpu: \"250m\"\r\n\u00a0 \u00a0limits:\r\n\u00a0 \u00a0 \u00a0 cpu: \"500m\"<\/pre>\n
Verification:<\/p>\n
kubectl describe pod <pod><\/pre>\n
\"5.11\"<\/p>\n
6.3 Restart Policy<\/strong><\/p>\n
kubectl describe pod <pod> | grep Restart<\/pre>\n
Expected:<\/p>\n
Restart Policy: Always<\/pre>\n
6.4 Liveness & Readiness Probes<\/strong><\/p>\n
Verification:<\/strong><\/p>\n
kubectl describe pod <pod><\/pre>\n
\"5.27\"<\/p>\n
7. Sprawl Prevention<\/strong><\/h2>\n
7.1 Container Sprawl Avoided<\/strong>
\nCheck container runtime:<\/p>\n
ctr -n k8s.io containers list<\/pre>\n
Ensure:
\nNo STOPPED containers
\nNo orphaned tasks<\/p>\n
ctr -n k8s.io tasks list<\/pre>\n
Only RUNNING tasks
\nNo DEAD containers<\/p>\n
\"6.2\"
.<\/p><\/div>\n
7.2 Image Sprawl Avoided<\/strong><\/p>\n
ctr -n k8s.io images list<\/pre>\n
Verify:<\/p>\n
Only workload images present
\nNo uncontrolled image accumulation<\/h3>\n
8. Latest Images Used (Immutable Tags)<\/h2>\n
Deployment YAML<\/strong><\/p>\n
image: repo\/app:1.0.145\r\nimagePullPolicy: IfNotPresent<\/pre>\n
\u2714 Unique tag per build
\n\u2714 Helm updates tag every deployment<\/p>\n
Verify:<\/strong><\/p>\n
kubectl describe pod <pod> | grep Image:<\/pre>\n
Pod showing latest tag<\/p>\n
9. Network Exposure Restricted<\/h2>\n
9.1 Only Required Ports Exposed<\/strong><\/p>\n
Container:\r\n\u00a0 \u00a0ports:\r\n\u00a0 \u00a0 - containerPort: 8080\r\nService:\r\n\u00a0 \u00a0ports:\r\n\u00a0 \u00a0- port: 80\r\n\u00a0 \u00a0 targetPort: 8080<\/pre>\n
Verification:<\/strong><\/p>\n
kubectl get svc<\/pre>\n
Conclusion<\/h3>\n
Container security requires a layered defense approach that spans infrastructure, images, pipelines, and runtime controls. By implementing these CIS-aligned hardening measures on Amazon EKS, organizations can significantly reduce the attack surface while maintaining scalability and operational efficiency.<\/p>\n
This end-to-end approach ensures that containers are secure by design, continuously monitored, and governed through Kubernetes-native controls, providing a strong foundation for running production workloads securely in the cloud.<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction With the growing adoption of containers and Kubernetes, securing containerized workloads has become a critical responsibility for DevOps and platform teams. Organizations running workloads on Kubernetes must ensure that their infrastructure, container images, runtime configurations, and resource governance follow security best practices. In this blog, we walk through the end-to-end container hardening approach implemented […]<\/p>\n","protected":false},"author":2010,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":19},"categories":[2348],"tags":[8445,8446],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78210"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/2010"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=78210"}],"version-history":[{"count":5,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78210\/revisions"}],"predecessor-version":[{"id":78487,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78210\/revisions\/78487"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=78210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=78210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=78210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}