EKS node group remote access

  • Query id: 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3
  • Query name: EKS node group remote access
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

Ensure Amazon EKS Node group has implict SSH access
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  EKSNodegroup:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ClusterName: prod
      NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
      ScalingConfig:
        MinSize: 3
        DesiredSize: 5
        MaxSize: 7
      Labels:
        Key1: Value1
        Key2: Value2
      Subnets:
        - subnet-6782e71e
        - subnet-e7e761ac
      RemoteAccess:
        Ec2SshKey: ED25519
Positive test num. 2 - json file
{
  "Resources": {
    "EKSNodegroup": {
      "Type": "AWS::EKS::Nodegroup",
      "Properties": {
        "ClusterName": "prod",
        "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
        "ScalingConfig": {
          "MinSize": 3,
          "DesiredSize": 5,
          "MaxSize": 7
        },
        "Labels": {
          "Key1": "Value1",
          "Key2": "Value2"
        },
        "Subnets": [
          "subnet-6782e71e",
          "subnet-e7e761ac"
        ],
        "RemoteAccess": {
          "Ec2SshKey": "ED25519"
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  SSHAccessToNodeSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VpcId
      GroupName: !Sub "${Project}-${Environment}-${EKSClusterName}-ssh-access-to-workers-source-sg"
      GroupDescription: attach this sg to an instance to let it access via ssh to the eks node
      Tags:
      - Key: Environment
        Value: !Ref Environment
      - Key: Project
        Value: !Ref Project
  EKSNodegroup:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ClusterName: prod
      NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
      ScalingConfig:
        MinSize: 3
        DesiredSize: 5
        MaxSize: 7
      Labels:
        Key1: Value1
        Key2: Value2
      Subnets:
        - subnet-6782e71e
        - subnet-e7e761ac
      RemoteAccess:
        Ec2SshKey: ED25519
        SourceSecurityGroups: 
          - !Ref SSHAccessToNodeSG                            
Negative test num. 2 - json file
{
  "Resources": {
    "SSHAccessToNodeSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": "VpcId",
        "GroupName": "${Project}-${Environment}-${EKSClusterName}-ssh-access-to-workers-source-sg",
        "GroupDescription": "attach this sg to an instance to let it access via ssh to the eks node",
        "Tags": [
          {
            "Key": "Environment",
            "Value": "Environment"
          },
          {
            "Key": "Project",
            "Value": "Project"
          }
        ]
      }
    },
    "EKSNodegroup": {
      "Properties": {
        "RemoteAccess": {
          "Ec2SshKey": "ED25519",
          "SourceSecurityGroups": [
            "SSHAccessToNodeSG"
          ]
        },
        "ClusterName": "prod",
        "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
        "ScalingConfig": {
          "MinSize": 3,
          "DesiredSize": 5,
          "MaxSize": 7
        },
        "Labels": {
          "Key1": "Value1",
          "Key2": "Value2"
        },
        "Subnets": [
          "subnet-6782e71e",
          "subnet-e7e761ac"
        ]
      },
      "Type": "AWS::EKS::Nodegroup"
    }
  }
}