Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0

Error: AWS EKS node group has implicit SSH access from 0.0.0.0/0

Bridgecrew Policy ID: BC_AWS_KUBERNETES_5
Checkov Check ID: CKV_AWS_100
Severity: HIGH

Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0

Description

It is generally a good security practice to ensure that your AWS EKS node group does not have implicit SSH access from 0.0.0.0/0, as this means that it is not accessible over the internet via SSH. This can help to protect your EKS node group from unauthorized access, as external parties will not be able to connect to it over the internet.

Fix - Buildtime

Terraform

  • Resource: aws_eks_node_group
  • Argument: remote_access/source_security_group_ids
    Makes sure there is no remote access block or the addition of source_security_group_ids
resource "aws_eks_node_group" "test" {
  ...
  cluster_name    = aws_eks_cluster.example.name
  remote_access {
    ec2_ssh_key = "some-key"
+    source_security_group_ids = "some-group"
  }
}

CloudFormation

  • Resource: AWS::EKS::Nodegroup
  • Argument: Properties.RemoteAccess
Resources:
  Nodegroup1:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ...
      RemoteAccess: 
        Ec2SshKey: <ssh key>
+       SourceSecurityGroups: 
+         - ...

  Nodegroup2:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ...
-     RemoteAccess:
-				...