EKS Cluster Encryption Disabled
- Query id: 8e5ef52b-e673-4c3f-9b2e-99cdd0139059
- Query name: EKS Cluster Encryption Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: 311 (Missing Encryption of Sensitive Data)
- Risk score: 6.0
- URL: Github
Description¶
An `AWS::EKS::Cluster` should enable envelope encryption of its Kubernetes secrets: the resource's `EncryptionConfig` must contain an entry whose `Resources` list includes `secrets`. A cluster with no `EncryptionConfig` at all, or one whose `Resources` list omits `secrets` (as in positive sample 3 below), is reported.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
# Positive sample 1: the cluster declares no EncryptionConfig at all, so its
# Kubernetes secrets are not envelope-encrypted with a KMS key. The query
# reports this resource.
# (Unquoted 2010-09-09 is read as a date by generic YAML 1.1 parsers;
# CloudFormation accepts it as the template version string.)
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyEKSClusterA:
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: dev
      # Illustrative version only; the control-plane version is not what
      # this query checks (1.14 is long out of standard support).
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::123456789012:role/eks-service-role-AWSServiceRoleForAmazonEKS-NEWROLE1234
      ResourcesVpcConfig:
        SecurityGroupIds:
          - sg-123abc45
        SubnetIds:
          - subnet-1111aaaa
          - subnet-2222bbbb
      # Missing here: an EncryptionConfig entry with Resources containing 'secrets'.
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyEKSClusterA": {
"Type": "AWS::EKS::Cluster",
"Properties": {
"Name": "dev",
"Version": "1.14",
"RoleArn": "arn:aws:iam::123456789012:role/eks-service-role-AWSServiceRoleForAmazonEKS-NEWROLE1234",
"ResourcesVpcConfig": {
"SecurityGroupIds": [
"sg-123abc45"
],
"SubnetIds": [
"subnet-1111aaaa",
"subnet-2222bbbb"
]
}
}
}
}
}
Positive test num. 3 - yaml file
# Positive sample 3: EncryptionConfig is present but its Resources list does
# not contain 'secrets', so secrets are still unencrypted and the query reports
# the resource. This shows the check looks at the list contents, not merely at
# whether the property exists.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyEKSClusterB:
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: dev
      # Illustrative version only; not what this query checks.
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::123456789012:role/eks-service-role-AWSServiceRoleForAmazonEKS-NEWROLE1234
      ResourcesVpcConfig:
        SecurityGroupIds:
          - sg-123abc45
        SubnetIds:
          - subnet-1111aaaa
          - subnet-2222bbbb
      EncryptionConfig:
        # 'not_secrets' is a test placeholder standing in for "anything other
        # than 'secrets'". NOTE(review): EKS is understood to accept only
        # 'secrets' in this list, so this template exercises the query rather
        # than representing a deployable configuration — confirm against the
        # current AWS::EKS::Cluster schema.
        - Resources:
            - not_secrets
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyEKSClusterB": {
"Type": "AWS::EKS::Cluster",
"Properties": {
"Name": "dev",
"Version": "1.14",
"RoleArn": "arn:aws:iam::123456789012:role/eks-service-role-AWSServiceRoleForAmazonEKS-NEWROLE1234",
"ResourcesVpcConfig": {
"SecurityGroupIds": [
"sg-123abc45"
],
"SubnetIds": [
"subnet-1111aaaa",
"subnet-2222bbbb"
]
},
"EncryptionConfig": [
{
"Resources": [
"not_secrets"
]
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
# Negative sample 1: EncryptionConfig lists 'secrets' in Resources, so the
# query does not report this resource.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  myCluster:
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: prod
      # Illustrative version only; not what this query checks.
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI
      ResourcesVpcConfig:
        SecurityGroupIds:
          - sg-6979fe18
        SubnetIds:
          - subnet-6782e71e
          - subnet-e7e761ac
      # This is the minimum the query requires: 'secrets' must appear in
      # Resources. NOTE(review): a deployable template is also expected to set
      # Provider.KeyArn on this entry (the KMS key used for envelope
      # encryption); the query as documented does not check for it — confirm.
      EncryptionConfig:
        - Resources:
            - secrets
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myCluster": {
"Type": "AWS::EKS::Cluster",
"Properties": {
"Name": "prod",
"Version": "1.14",
"RoleArn": "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI",
"ResourcesVpcConfig": {
"SecurityGroupIds": [
"sg-6979fe18"
],
"SubnetIds": [
"subnet-6782e71e",
"subnet-e7e761ac"
]
},
"EncryptionConfig": [
{
"Resources": [
"secrets"
]
}
]
}
}
}
}