aquasecurity · amitk1sharma · Oct 29, 2025
diff --git a/cfg/cis-1.11/master.yaml b/cfg/cis-1.11/master.yaml
@@ -752,7 +752,7 @@ groups:
                 value: "aescbc,kms,secretbox"
         remediation: |
           Follow the Kubernetes documentation and configure a EncryptionConfig file.
-          In this file, choose aescbc, kms or secretbox as the encryption provider.
+          In this file, choose aescbc, kms, or secretbox as the encryption provider.
         scored: false
 
       - id: 1.2.29

diff --git a/cfg/cis-1.11/node.yaml b/cfg/cis-1.11/node.yaml
@@ -466,6 +466,7 @@ groups:
           Set the parameter, either via the --seccomp-default command line parameter or the
           seccompDefault configuration file setting.
           By default the seccomp profile is not enabled.
+          https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
         scored: false
 
       - id: 4.2.15

diff --git a/cfg/eks-1.7.0/controlplane.yaml b/cfg/eks-1.7.0/controlplane.yaml
@@ -9,7 +9,7 @@ groups:
     text: "Logging"
     checks:
       - id: 2.1.1
-        text: "Enable audit Logs (Manual)"
+        text: "Enable audit Logs (Automated)"
         type: manual
         remediation: |
           From Console:
@@ -34,36 +34,37 @@ groups:
 
       - id: 2.1.2
         text: "Ensure audit logs are collected and managed (Manual)"
-        type: manual
+        type: "manual"
         remediation: |
-          Create or update the audit-policy.yaml to specify the audit logging configuration:
-          apiVersion: audit.k8s.io/v1
-          kind: Policy
-          rules:
-            - level: Metadata
-              resources:
-                - group: ""
-                  resources: ["pods"]
-          Apply the audit policy configuration to the cluster:
-            kubectl apply -f <path-to-audit-policy>.yaml
-          Ensure audit logs are forwarded to a centralized logging system like CloudWatch, Elasticsearch, or another log management solution:
-            kubectl create configmap cluster-audit-policy --from-file=audit-policy.yaml -n kube-system
-            kubectl apply -f - <<EOF
-          apiVersion: v1
-          kind: Pod
-          metadata:
-            name: audit-logging
-            namespace: kube-system
-          spec:
-            containers:
-              - name: audit-log-forwarder
-                image: my-log-forwarder-image
-                volumeMounts:
-                  - mountPath: /etc/kubernetes/audit
-                    name: audit-config
-            volumes:
-              - name: audit-config
-                configMap:
-                  name: cluster-audit-policy
-            EOF
+          1. Create or update the audit-policy.yaml to specify the audit logging configuration:
+             apiVersion: audit.k8s.io/v1
+             kind: Policy
+             rules:
+             - level: Metadata
+               resources:
+               - group: ""
+                 resources: ["pods"]
+          2. Apply the audit policy configuration to the cluster:
+             kubectl apply -f <path-to-audit-policy>.yaml
+          3. Ensure audit logs are forwarded to a centralized logging system like CloudWatch,
+             Elasticsearch, or another log management solution:
+             kubectl create configmap cluster-audit-policy --from-file=audit-policy.yaml -n kube-system
+             kubectl apply -f - <<EOF
+             apiVersion: v1
+             kind: Pod
+             metadata:
+               name: audit-logging
+               namespace: kube-system
+             spec:
+               containers:
+               - name: audit-log-forwarder
+                 image: my-log-forwarder-image
+                 volumeMounts:
+                 - mountPath: /etc/kubernetes/audit
+                   name: audit-config
+               volumes:
+               - name: audit-config
+                 configMap:
+                   name: cluster-audit-policy
+             EOF
         scored: false
diff --git a/cfg/eks-1.7.0/managedservices.yaml b/cfg/eks-1.7.0/managedservices.yaml
@@ -9,7 +9,7 @@ groups:
     text: "Image Registry and Image Scanning"
     checks:
       - id: 5.1.1
-        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Manual)"
+        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Automated)"
         type: "manual"
         remediation: |
           To utilize AWS ECR for Image scanning please follow the steps below:
@@ -95,7 +95,7 @@ groups:
     text: "Identity and Access Management (IAM)"
     checks:
       - id: 5.2.1
-        text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
+        text: "Prefer using dedicated Amazon EKS Service Accounts (Automated)"
         type: "manual"
         remediation: |
           With IAM roles for service accounts on Amazon EKS clusters, you can associate an
@@ -144,7 +144,7 @@ groups:
     text: "Cluster Networking"
     checks:
       - id: 5.4.1
-        text: "Restrict Access to the Control Plane Endpoint (Manual)"
+        text: "Restrict Access to the Control Plane Endpoint (Automated)"
         type: "manual"
         remediation: |
           By enabling private endpoint access to the Kubernetes API server, all communication
@@ -170,7 +170,7 @@ groups:
         scored: false
 
       - id: 5.4.2
-        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
+        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
         type: "manual"
         remediation: |
           By enabling private endpoint access to the Kubernetes API server, all communication
@@ -182,11 +182,11 @@ groups:
           aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false
 
           Note: For more detailed information, see the EKS Cluster Endpoint documentation link
-          in the references section.
+          https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
         scored: false
 
       - id: 5.4.3
-        text: "Ensure clusters are created with Private Nodes (Manual)"
+        text: "Ensure clusters are created with Private Nodes (Automated)"
         type: "manual"
         remediation: |
           aws eks update-cluster-config \
@@ -196,7 +196,7 @@ groups:
         scored: false
 
       - id: 5.4.4
-        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
+        text: "Ensure Network Policy is Enabled and set as appropriate (Automated)"
         type: "manual"
         remediation: |
           Utilize Calico or other network policy engine to segment and isolate your traffic.

diff --git a/cfg/eks-1.7.0/node.yaml b/cfg/eks-1.7.0/node.yaml
@@ -89,7 +89,7 @@ groups:
           Disable Anonymous Authentication by setting the following parameter:
           "authentication": { "anonymous": { "enabled": false } }
 
-          Remediation Method 2.
+          Remediation Method 2:
           If using executable arguments, edit the kubelet service file on each worker node and
           ensure the below parameters are part of the KUBELET_ARGS variable string.
           For systems using systemd, such as the Amazon EKS Optimised Amazon Linux or
@@ -375,6 +375,7 @@ groups:
           test_items:
             - flag: --rotate-certificates
               path: '{.rotateCertificates}'
+              set: true
               compare:
                 op: eq
                 value: true

diff --git a/cfg/eks-1.7.0/policies.yaml b/cfg/eks-1.7.0/policies.yaml
@@ -26,10 +26,10 @@ groups:
                 op: eq
                 value: "NO_CLUSTER_ADMIN_BINDINGS"
         remediation: |
-          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if
+          Identify all ClusterRoleBindings to the cluster-admin role. Check if they are used and if
           they need this role or if they could use a role with fewer privileges.
           Where possible, first bind users to a lower privileged role and then remove the
-          clusterrolebinding to the cluster-admin role :
+          ClusterRoleBinding to the cluster-admin role :
           kubectl delete clusterrolebinding [name]
         scored: true
 
@@ -152,17 +152,17 @@ groups:
         scored: true
 
       - id: 4.1.7
-        text: "Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters (Manual)"
+        text: "Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters (Automated)"
         type: "manual"
         remediation: |
           Log in to the AWS Management Console.
-            Navigate to Amazon EKS and select your EKS cluster.
-
-            Go to the Access tab and click on "Manage Access" in the "Access Configuration section".
-            Under Cluster Authentication Mode for Cluster Access settings.
-            Click EKS API to change cluster will source authenticated IAM principals only from EKS access entry APIs.
-            Click ConfigMap to change cluster will source authenticated IAM principals only from the aws-auth ConfigMap.
-          Note: EKS API and ConfigMap must be selected during Cluster creation and cannot be changed once the Cluster is provisioned.
+          Navigate to Amazon EKS and select your EKS cluster.
+          Go to the Access tab and click on "Manage Access" in the "Access Configuration section".
+          Under Cluster Authentication Mode for Cluster Access settings.
+          * Click EKS API to change cluster will source authenticated IAM principals only from EKS access entry APIs.
+          * Click ConfigMap to change cluster will source authenticated IAM principals only from the aws-auth ConfigMap.
+          * Note: EKS API and ConfigMap must be selected during Cluster creation and
+            cannot be changed once the Cluster is provisioned.
         scored: false
 
       - id: 4.1.8
@@ -354,5 +354,6 @@ groups:
             - flag: "NO_USER_RESOURCES_IN_DEFAULT"
               set: true
         remediation: |
-          Create and use dedicated namespaces for resources instead of the default namespace. Move any user-defined objects out of the default namespace to improve resource segregation and RBAC control.
+          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
+          resources and that all new resources are created in a specific namespace.
         scored: true
diff --git a/cfg/gke-1.8.0/config.yaml b/cfg/gke-1.8.0/config.yaml
@@ -6,4 +6,4 @@ node:
     defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
 
   kubelet:
-    defaultconf: "/etc/kubernetes/kubelet-config.yaml"
+    defaultconf: "/etc/kubernetes/kubelet/kubelet-config.yaml"
diff --git a/cfg/gke-1.8.0/managedservices.yaml b/cfg/gke-1.8.0/managedservices.yaml
@@ -29,11 +29,6 @@ groups:
 
       - id: 5.1.2
         text: "Minimize user access to Container Image repositories (Manual)"
-        audit: |
-          gcloud projects get-iam-policy <project_id> \
-          --flatten="bindings[].members" \
-          --format='table(bindings.members,bindings.role)' \
-          --filter="bindings.role:roles/storage.admin OR bindings.role:roles/storage.objectAdmin OR bindings.role:roles/storage.objectCreator OR bindings.role:roles/storage.legacyBucketOwner OR bindings.role:roles/storage.legacyBucketWriter OR bindings.role:roles/storage.legacyObjectOwner"
         type: "manual"
         remediation: |
           For Images Hosted in AR:
@@ -73,11 +68,6 @@ groups:
 
       - id: 5.1.3
         text: "Minimize cluster access to read-only for Container Image repositories (Manual)"
-        audit: |
-          gcloud projects get-iam-policy <project_id> \
-          --flatten="bindings[].members" \
-          --format='table(bindings.members,bindings.role)' \
-          --filter="bindings.role:roles/storage.admin OR bindings.role:roles/storage.objectAdmin OR bindings.role:roles/storage.objectCreator OR bindings.role:roles/storage.legacyBucketOwner OR bindings.role:roles/storage.legacyBucketWriter OR bindings.role:roles/storage.legacyObjectOwner"
         type: "manual"
         remediation: |
           For Images Hosted in AR:
@@ -123,14 +113,30 @@ groups:
 
       - id: 5.1.4
         text: "Ensure only trusted container images are used (Manual)"
-        audit: |
-          gcloud container clusters describe $CLUSTER_NAME --zone $COMPUTE_ZONE --format json | jq .binaryAuthorization
         type: "manual"
         remediation: |
+          Using Google Cloud Console:
+          1. Go to Binary Authorization by visiting:
+            https://console.cloud.google.com/security/binary-authorization.
+          2. Enable the Binary Authorization API (if disabled).
+          3. Create an appropriate policy for use with the cluster. See
+            https://cloud.google.com/binary-authorization/docs/policy-yaml-reference for
+            guidance.
+          4. Go to Kubernetes Engine by visiting:
+          https://console.cloud.google.com/kubernetes/list.
+          5. Select the cluster for which Binary Authorization is disabled.
+          6. Under the details pane, within the Security section, click on the pencil icon
+            named Edit Binary Authorization.
+          7. Check the box next to Enable Binary Authorization.
+          8. Choose Enforce policy and provide a directory for the policy to be used.
+          9. Click SAVE CHANGES.
+
           Using Command Line:
           Update the cluster to enable Binary Authorization:
 
-            gcloud container cluster update <cluster_name> --enable-binauthz
+            gcloud container cluster update <cluster_name> --zone <compute_zone> --binauthz-evaluation-mode=<evaluation_mode>
+
+          See: https://cloud.google.com/sdk/gcloud/reference/container/clusters/update#--binauthz-evaluation-mode for more details around the evaluation modes available.
 
           Create a Binary Authorization Policy using the Binary Authorization Policy Reference:
           https://cloud.google.com/binary-authorization/docs/policy-yaml-reference for guidance.
@@ -144,7 +150,7 @@ groups:
     text: "Identity and Access Management (IAM)"
     checks:
       - id: 5.2.1
-        text: "Ensure GKE clusters are not running using the Compute Engine default service account (Automated))"
+        text: "Ensure GKE clusters are not running using the Compute Engine default service account (Automated)"
         audit: |
           gcloud container node-pools describe $NODE_POOL --cluster $CLUSTER_NAME --zone $COMPUTE_ZONE --format json | jq '.config.serviceAccount'
         type: "manual"
@@ -180,8 +186,6 @@ groups:
 
       - id: 5.2.2
         text: "Prefer using dedicated GCP Service Accounts and Workload Identity (Manual)"
-        audit: |
-          gcloud container clusters describe $CLUSTER_NAME --zone $COMPUTE_ZONE --format json | jq .workloadIdentityConfig
         type: "manual"
         remediation: |
           Using Command Line:
@@ -406,6 +410,11 @@ groups:
 
             gcloud container clusters create <cluster_name> --zone <compute_zone> \
               --enable-ip-alias
+
+          If using Autopilot configuration mode:
+
+            gcloud container clusters create-auto <cluster_name> \
+              --zone <compute_zone>
         scored: false
 
       - id: 5.6.3
@@ -604,6 +613,8 @@ groups:
           Create a new cluster without a Client Certificate:
             gcloud container clusters create [CLUSTER_NAME] \
               --no-issue-client-certificate
+          In addition it's important to restrict access to the CSR API in Kubernetes to prevent
+          users from using it to issue new client certificate credentials.
         scored: false
 
       - id: 5.8.2
@@ -709,10 +720,10 @@ groups:
               --cluster <cluster_name> --image-type=cos_containerd --sandbox="type=gvisor"
         scored: false
 
-      - id: 5.10.5
+      - id: 5.10.4
         text: "Enable Security Posture (Manual)"
-        audit: "gcloud container clusters --location describe"
         type: "manual"
+        audit: "gcloud container clusters --location describe"
         remediation: |
           Enable security posture via the UI, gCloud or API.
           https://cloud.google.com/kubernetes-engine/docs/how-to/protect-workload-configuration

diff --git a/cfg/gke-1.8.0/node.yaml b/cfg/gke-1.8.0/node.yaml
@@ -10,7 +10,7 @@ groups:
     checks:
       - id: 3.1.1
         text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)"
-        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
         tests:
           test_items:
             - flag: "permissions"
@@ -21,20 +21,20 @@ groups:
           Run the below command (based on the file location on your system) on each worker node.
           For example,
 
-            chmod 644 $proxykubeconfig
+            chmod 644 $kubeletkubeconfig
         scored: true
 
       - id: 3.1.2
         text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)"
-        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
         tests:
           test_items:
             - flag: root:root
         remediation: |
           Run the below command (based on the file location on your system) on each worker node.
           For example:
 
-            chown root:root $proxykubeconfig
+            chown root:root $kubeletkubeconfig
         scored: true
 
       - id: 3.1.3

diff --git a/cfg/gke-1.8.0/policies.yaml b/cfg/gke-1.8.0/policies.yaml
@@ -418,7 +418,7 @@ groups:
         type: "manual"
         remediation: |
           Follow the Kubernetes documentation and setup image provenance.
-          Also see recommendation 5.10.4.
+          Also see recommendation 5.1.4.
         scored: false
 
   - id: 4.6