EKS Cluster Has Public Access CIDRs
- Query id: 61cf9883-1752-4768-b18c-0d57f2737709
- Query name: EKS Cluster Has Public Access CIDRs
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_eks_cluster" "positive1" {
name = "example"
role_arn = aws_iam_role.example.arn
vpc_config {
subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
endpoint_public_access = true
public_access_cidrs = ["0.0.0.0/0"]
}
# Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
# Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy,
]
}
output "endpoint" {
value = aws_eks_cluster.example.endpoint
}
output "kubeconfig-certificate-authority-data" {
value = aws_eks_cluster.example.certificate_authority[0].data
}
resource "aws_eks_cluster" "positive2" {
name = "without_example"
role_arn = aws_iam_role.example.arn
vpc_config {
subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
endpoint_public_access = true
}
# Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
# Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy,
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_eks_cluster" "negative1" {
name = "example"
role_arn = aws_iam_role.example.arn
vpc_config {
subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
endpoint_public_access = true
public_access_cidrs = ["1.1.1.1/1"]
}
# Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
# Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy,
]
}
output "endpoint" {
value = aws_eks_cluster.example.endpoint
}
output "kubeconfig-certificate-authority-data" {
value = aws_eks_cluster.example.certificate_authority[0].data
}