Severity Framework
Snyk CCSS
Rule category
Containers / Public Access
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00225
- credit Snyk Research Team
Description
API endpoint of the EKS cluster is public. Anyone may be able to establish network connectivity to the API server.
How to fix?
Set the endpoint_public_access
attribute in aws_eks_cluster
resource to false
OR Set the endpoint_public_access
attribute to true
and public_access_cidrs
attribute to a specific IP address in aws_eks_cluster
resource.
Example Configuration
resource "aws_eks_cluster" "allowed-1" {
name = "eks-endpoint-cidr"
role_arn = aws_iam_role.eks_role.arn
vpc_config {
subnet_ids = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
endpoint_public_access = true
public_access_cidrs = ["182.31.0.0/24"]
}
depends_on = [
aws_iam_role_policy_attachment.Eks-attach-1,
aws_iam_role_policy_attachment.Eks-attach-2,
]
}
resource "aws_eks_cluster" "allowed-2" {
name = "eks-endpoint"
role_arn = aws_iam_role.eks_role.arn
vpc_config {
subnet_ids = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
endpoint_public_access = false
endpoint_private_access = true
}
depends_on = [
aws_iam_role_policy_attachment.Eks-attach-1,
aws_iam_role_policy_attachment.Eks-attach-2,
]
}
resource "aws_eks_cluster" "allowed-3" {
name = "eks-cidr"
role_arn = aws_iam_role.eks_role.arn
vpc_config {
subnet_ids = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
public_access_cidrs = ["182.31.0.0/24"]
}
depends_on = [
aws_iam_role_policy_attachment.Eks-attach-1,
aws_iam_role_policy_attachment.Eks-attach-2,
]
}