Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0
Error: AWS EKS node group has implicit SSH access from 0.0.0.0/0
Bridgecrew Policy ID: BC_AWS_KUBERNETES_5
Checkov Check ID: CKV_AWS_100
Severity: HIGH
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0
Description
Make sure your EKS node group does not allow full access to SSH.
Fix - Buildtime
Terraform
- Resource: aws_eks_node_group
- Argument: remote_access/source_security_group_ids
Makes sure there is no remote access block or the addition of source_security_group_ids
resource "aws_eks_node_group" "test" {
...
cluster_name = aws_eks_cluster.example.name
remote_access {
ec2_ssh_key = "some-key"
+ source_security_group_ids = "some-group"
}
}
CloudFormation
- Resource: AWS::EKS::Nodegroup
- Argument: Properties.RemoteAccess
Resources:
Nodegroup1:
Type: 'AWS::EKS::Nodegroup'
Properties:
...
RemoteAccess:
Ec2SshKey: <ssh key>
+ SourceSecurityGroups:
+ - ...
Nodegroup2:
Type: 'AWS::EKS::Nodegroup'
Properties:
...
- RemoteAccess:
- ...
Updated about 2 months ago
Did this page help you?