Severity Framework
Snyk CCSS
Rule category
Containers / Public Access
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00225
- credit Snyk Research Team
Description
API endpoint of the EKS cluster is public. Anyone may be able to establish network connectivity to the API server.
How to fix?
Set the endpoint_public_access attribute in aws_eks_cluster resource to false OR Set the endpoint_public_access attribute to true and public_access_cidrs attribute to a specific IP address in aws_eks_cluster resource.
Example Configuration
resource "aws_eks_cluster" "allowed-1" {
name = "eks-endpoint-cidr"
role_arn = aws_iam_role.eks_role.arn
vpc_config {
subnet_ids = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
endpoint_public_access = true
public_access_cidrs = ["182.31.0.0/24"]
}
depends_on = [
aws_iam_role_policy_attachment.Eks-attach-1,
aws_iam_role_policy_attachment.Eks-attach-2,
]
}
resource "aws_eks_cluster" "allowed-2" {
name = "eks-endpoint"
role_arn = aws_iam_role.eks_role.arn
vpc_config {
subnet_ids = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
endpoint_public_access = false
endpoint_private_access = true
}
depends_on = [
aws_iam_role_policy_attachment.Eks-attach-1,
aws_iam_role_policy_attachment.Eks-attach-2,
]
}
resource "aws_eks_cluster" "allowed-3" {
name = "eks-cidr"
role_arn = aws_iam_role.eks_role.arn
vpc_config {
subnet_ids = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
public_access_cidrs = ["182.31.0.0/24"]
}
depends_on = [
aws_iam_role_policy_attachment.Eks-attach-1,
aws_iam_role_policy_attachment.Eks-attach-2,
]
}