Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0

ID

eks_node_group_remote_access

Severity

critical

Vendor

AWS

Resource

EKS

Tags

reachable

Description

Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters.

EKS node groups should not allow unrestricted SSH access: when RemoteAccess sets an EC2 SSH key without SourceSecurityGroups, EKS opens port 22 on the nodes to 0.0.0.0/0.

Examples

CloudFormation

{
  "Resources": {
    "Dummy": { (1)
      "Type": "AWS::EKS::Nodegroup",
      "Properties": {
        "ClusterName": "test",
        "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
        "ScalingConfig": {
          "MinSize": 3,
          "DesiredSize": 5,
          "MaxSize": 7
        },
        "Labels": {
          "Key1": "Value1",
          "Key2": "Value2"
        },
        "Subnets": [
          "subnet-6782e71e",
          "subnet-e7e761ac"
        ],
        "RemoteAccess": {
          "Ec2SshKey": "SshKeyString"
        }
      }
    }
  }
}
1 SourceSecurityGroups is not set, so the node group has implicit SSH access from 0.0.0.0/0.

Resources:
  Dummy: (1)
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ClusterName: test
      NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
      ScalingConfig:
        MinSize: 3
        DesiredSize: 5
        MaxSize: 7
      Labels:
        Key1: Value1
        Key2: Value2
      Subnets:
        - subnet-6782e71e
        - subnet-e7e761ac
      RemoteAccess:
        Ec2SshKey: SshKeyString
1 SourceSecurityGroups is not set, so the node group has implicit SSH access from 0.0.0.0/0.

Terraform

resource "aws_eks_node_group" "example" {
  cluster_name    = aws_eks_cluster.example.name
  node_group_name = "example"
  node_role_arn   = "arn:aws:iam::012345678910:role/eksInstanceRole"
  subnet_ids      = ["subnet-6782e71e", "subnet-e7e761ac"]

  scaling_config {
    desired_size = 5
    max_size     = 7
    min_size     = 3
  }

  remote_access {
    ec2_ssh_key = "some-key"  (1)
  }
}
1 An EC2 SSH key is set without specifying source_security_group_ids, so port 22 is opened to 0.0.0.0/0.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "Dummy": {
      "Type": "AWS::EKS::Nodegroup",
      "Properties": {
        "ClusterName": "test",
        "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
        "ScalingConfig": {
          "MinSize": 3,
          "DesiredSize": 5,
          "MaxSize": 7
        },
        "Labels": {
          "Key1": "Value1",
          "Key2": "Value2"
        },
        "Subnets": [
          "subnet-6782e71e",
          "subnet-e7e761ac"
        ],
        "RemoteAccess": {
          "Ec2SshKey": "SshKeyString",
          "SourceSecurityGroups": [ (1)
            "sg-0"
          ]
        }
      }
    }
  }
}
1 SourceSecurityGroups is set, so SSH access is limited to the listed security groups and the node group has no implicit SSH access from 0.0.0.0/0.

Resources:
  Dummy:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ClusterName: test
      NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
      ScalingConfig:
        MinSize: 3
        DesiredSize: 5
        MaxSize: 7
      Labels:
        Key1: Value1
        Key2: Value2
      Subnets:
        - subnet-6782e71e
        - subnet-e7e761ac
      RemoteAccess:
        Ec2SshKey: SshKeyString
        SourceSecurityGroups: (1)
          - sg-0
1 SourceSecurityGroups is set, so SSH access is limited to the listed security groups and the node group has no implicit SSH access from 0.0.0.0/0.

Terraform

resource "aws_eks_node_group" "example" {
  cluster_name    = aws_eks_cluster.example.name
  node_group_name = "example"
  node_role_arn   = "arn:aws:iam::012345678910:role/eksInstanceRole"
  subnet_ids      = ["subnet-6782e71e", "subnet-e7e761ac"]

  scaling_config {
    desired_size = 5
    max_size     = 7
    min_size     = 3
  }

  remote_access {
    ec2_ssh_key               = "some-key"
    source_security_group_ids = ["some-group"]  (1)
  }
}
1 Ensure that whenever an EC2 SSH key is set, source_security_group_ids restricts SSH to specific security groups.
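The check's logic in code, as an added example that is not part of this policy page: it scans a CloudFormation template in JSON for AWS::EKS::Nodegroup resources whose RemoteAccess sets an Ec2SshKey without a non-empty SourceSecurityGroups list, and passes node groups that configure no RemoteAccess at all. The template, the logical IDs and the sg-0 value are constructed sample input.

```python
import json

CHECK_ID = "eks_node_group_remote_access"


def _nodegroup(remote_access=None):
    """Build a minimal AWS::EKS::Nodegroup resource (constructed sample)."""
    props = {"ClusterName": "test"}
    if remote_access is not None:
        props["RemoteAccess"] = remote_access
    return {"Type": "AWS::EKS::Nodegroup", "Properties": props}


# Constructed sample template covering the cases the check must separate.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "OpenSsh": _nodegroup({"Ec2SshKey": "SshKeyString"}),
    "EmptySgList": _nodegroup({"Ec2SshKey": "SshKeyString",
                               "SourceSecurityGroups": []}),
    "Restricted": _nodegroup({"Ec2SshKey": "SshKeyString",
                              "SourceSecurityGroups": ["sg-0"]}),
    "NoRemoteAccess": _nodegroup(),
    "Unrelated": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "not a node group"}},
}})


def node_group_findings(template):
    """Return one finding per AWS::EKS::Nodegroup that sets Ec2SshKey without
    SourceSecurityGroups.  In that case EKS opens port 22 to 0.0.0.0/0.
    No RemoteAccess block means no SSH is configured, so it passes; an
    empty SourceSecurityGroups list is treated like a missing one."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EKS::Nodegroup":
            continue
        remote = res.get("Properties", {}).get("RemoteAccess") or {}
        if "Ec2SshKey" in remote and not remote.get("SourceSecurityGroups"):
            findings.append({"check": CHECK_ID, "resource": logical_id,
                             "severity": "critical"})
    return findings


def scan(template_text):
    """Parse a JSON CloudFormation template; return failing logical IDs."""
    return [f["resource"] for f in node_group_findings(json.loads(template_text))]


if __name__ == "__main__":
    print(scan(SAMPLE_TEMPLATE))  # ['OpenSsh', 'EmptySgList']
```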