EKS Cluster Has Public Access
- Query id: 42f4b905-3736-4213-bfe9-c0660518cda8
- Query name: EKS Cluster Has Public Access
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- CWE: Ongoing
- URL: Github
Description¶
Amazon EKS public endpoint shoud be set to false
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_eks_cluster" "positive1" {
name = "example"
role_arn = aws_iam_role.example.arn
vpc_config {
subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
endpoint_public_access = true
}
# Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
# Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy,
]
}
output "endpoint" {
value = aws_eks_cluster.example.endpoint
}
output "kubeconfig-certificate-authority-data" {
value = aws_eks_cluster.example.certificate_authority[0].data
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_eks_cluster" "negative1" {
name = "example"
role_arn = aws_iam_role.example.arn
vpc_config {
subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
endpoint_public_access = false
}
# Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
# Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy,
]
}
output "endpoint" {
value = aws_eks_cluster.example.endpoint
}
output "kubeconfig-certificate-authority-data" {
value = aws_eks_cluster.example.certificate_authority[0].data
}