EKS node group remote access
- Query id: 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3
- Query name: EKS node group remote access
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 668
- URL: Github
Description¶
Ensure Amazon EKS Node group has implict SSH access
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
EKSNodegroup:
Type: 'AWS::EKS::Nodegroup'
Properties:
ClusterName: prod
NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
ScalingConfig:
MinSize: 3
DesiredSize: 5
MaxSize: 7
Labels:
Key1: Value1
Key2: Value2
Subnets:
- subnet-6782e71e
- subnet-e7e761ac
RemoteAccess:
Ec2SshKey: ED25519
Positive test num. 2 - json file
{
"Resources": {
"EKSNodegroup": {
"Type": "AWS::EKS::Nodegroup",
"Properties": {
"ClusterName": "prod",
"NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
"ScalingConfig": {
"MinSize": 3,
"DesiredSize": 5,
"MaxSize": 7
},
"Labels": {
"Key1": "Value1",
"Key2": "Value2"
},
"Subnets": [
"subnet-6782e71e",
"subnet-e7e761ac"
],
"RemoteAccess": {
"Ec2SshKey": "ED25519"
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
SSHAccessToNodeSG:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VpcId
GroupName: !Sub "${Project}-${Environment}-${EKSClusterName}-ssh-access-to-workers-source-sg"
GroupDescription: attach this sg to an instance to let it access via ssh to the eks node
Tags:
- Key: Environment
Value: !Ref Environment
- Key: Project
Value: !Ref Project
EKSNodegroup:
Type: 'AWS::EKS::Nodegroup'
Properties:
ClusterName: prod
NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
ScalingConfig:
MinSize: 3
DesiredSize: 5
MaxSize: 7
Labels:
Key1: Value1
Key2: Value2
Subnets:
- subnet-6782e71e
- subnet-e7e761ac
RemoteAccess:
Ec2SshKey: ED25519
SourceSecurityGroups:
- !Ref SSHAccessToNodeSG
Negative test num. 2 - json file
{
"Resources": {
"SSHAccessToNodeSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": "VpcId",
"GroupName": "${Project}-${Environment}-${EKSClusterName}-ssh-access-to-workers-source-sg",
"GroupDescription": "attach this sg to an instance to let it access via ssh to the eks node",
"Tags": [
{
"Key": "Environment",
"Value": "Environment"
},
{
"Key": "Project",
"Value": "Project"
}
]
}
},
"EKSNodegroup": {
"Properties": {
"RemoteAccess": {
"Ec2SshKey": "ED25519",
"SourceSecurityGroups": [
"SSHAccessToNodeSG"
]
},
"ClusterName": "prod",
"NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
"ScalingConfig": {
"MinSize": 3,
"DesiredSize": 5,
"MaxSize": 7
},
"Labels": {
"Key1": "Value1",
"Key2": "Value2"
},
"Subnets": [
"subnet-6782e71e",
"subnet-e7e761ac"
]
},
"Type": "AWS::EKS::Nodegroup"
}
}
}