EKS node group remote access disabled
- Query id: ba40ace1-a047-483c-8a8d-bc2d3a67a82d
- Query name: EKS node group remote access disabled
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 668
- URL: Github
Description¶
EKS node group remote access is disabled when 'SourceSecurityGroups' is missing
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_eks_node_group" "positive" {
cluster_name = aws_eks_cluster.example.name
node_group_name = "example"
node_role_arn = aws_iam_role.example.arn
subnet_ids = aws_subnet.example[*].id
scaling_config {
desired_size = 1
max_size = 1
min_size = 1
}
remote_access {
ec2_ssh_key = "my-rsa-key"
}
# Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
# Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy,
aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy,
aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly,
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_eks_node_group" "negative" {
cluster_name = aws_eks_cluster.example.name
node_group_name = "example"
node_role_arn = aws_iam_role.example.arn
subnet_ids = aws_subnet.example[*].id
scaling_config {
desired_size = 1
max_size = 1
min_size = 1
}
remote_access {
ec2_ssh_key = "my-rsa-key"
source_security_groups_ids = "sg-213120ASNE"
}
# Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
# Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy,
aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy,
aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly,
]
}