Ensure AWS EKS cluster security group is not overly permissive to all traffic

ID

eks_public_access_cidr

Severity

high

Vendor

AWS

Resource

EKS (Amazon Elastic Kubernetes Service)

Tags

reachable

Description

Limiting the access and traffic in your AWS EKS cluster’s security group helps adhere to the principle of least privilege, reduces the attack surface, prevents unauthorized access, supports compliance requirements, and provides protection against DDoS attacks. It is crucial to carefully configure and review your security group rules to strike a balance between security and functionality.

It is recommended to control access by implementing AWS IAM and native Kubernetes RBAC mechanisms.

Examples

Buildtime

Terraform

resource "aws_eks_cluster" "example" {
  name     = "example"
  role_arn = aws_iam_role.example.arn   # reference to the cluster IAM role

  vpc_config {
    subnet_ids = ["subnet-12345"]

    public_access_cidrs = ["0.0.0.0/0"] # (1)
  }
}
(1) Ensure 0.0.0.0/0 is not set as a CIDR.

Mitigation / Fix

Buildtime

Terraform

# Option A: disable the public API endpoint entirely (private access only).
resource "aws_eks_cluster" "example" {
  name     = "example"
  role_arn = aws_iam_role.example.arn   # reference to the cluster IAM role

  vpc_config {
    subnet_ids = ["subnet-12345"]

    endpoint_public_access  = false # (1)
    endpoint_private_access = true  # at least one of private/public access must stay enabled
  }
}

# Option B: keep the public endpoint but restrict it to specific CIDR ranges.
resource "aws_eks_cluster" "example_restricted" {
  name     = "example-restricted"
  role_arn = aws_iam_role.example.arn   # reference to the cluster IAM role

  vpc_config {
    subnet_ids = ["subnet-12345"]

    public_access_cidrs = ["10.0.0.0/16"] # (2)
  }
}
(1) Ensure endpoint_public_access is disabled.
(2) Ensure specific CIDRs are set.
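The policy logic above (fail when the public endpoint is enabled and any public_access_cidrs entry, or the EKS default, allows all traffic), as an added Python check that is not part of the original page. It assumes the input is the vpc_config block as it appears in `terraform show -json` output; the sample clusters are constructed for the example.

```python
import ipaddress

# Constructed sample resources shaped like the resource values in
# `terraform show -json` (vpc_config is a list with one block). Not from the page.
SAMPLE_RESOURCES = {
    "aws_eks_cluster.open": {"vpc_config": [{"subnet_ids": ["subnet-12345"],
                                             "public_access_cidrs": ["0.0.0.0/0"]}]},
    "aws_eks_cluster.private": {"vpc_config": [{"subnet_ids": ["subnet-12345"],
                                                "endpoint_public_access": False}]},
    "aws_eks_cluster.scoped": {"vpc_config": [{"subnet_ids": ["subnet-12345"],
                                               "public_access_cidrs": ["10.0.0.0/16"]}]},
    # Neither attribute set: EKS defaults to a public endpoint open to 0.0.0.0/0.
    "aws_eks_cluster.defaults": {"vpc_config": [{"subnet_ids": ["subnet-12345"]}]},
}


def check_public_access(vpc_config):
    """Return (status, reason) for one vpc_config block of an aws_eks_cluster."""
    # EKS default: endpoint_public_access is true when omitted.
    if not vpc_config.get("endpoint_public_access", True):
        return ("PASSED", "public endpoint disabled")

    # EKS default: public_access_cidrs is 0.0.0.0/0 when omitted or empty.
    cidrs = vpc_config.get("public_access_cidrs") or ["0.0.0.0/0"]
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return ("FAILED", f"unparseable CIDR {cidr!r}")
        # A /0 prefix (0.0.0.0/0 or ::/0) admits every address: fail the check.
        if net.prefixlen == 0:
            return ("FAILED", f"public endpoint reachable from {cidr}")
    return ("PASSED", "public endpoint restricted to " + ", ".join(cidrs))


def scan(resources):
    """Map each cluster address to its check status."""
    return {addr: check_public_access(res["vpc_config"][0])[0]
            for addr, res in resources.items()}


if __name__ == "__main__":
    for addr, status in scan(SAMPLE_RESOURCES).items():
        print(f"{status:7} {addr}")
```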