EKS cluster allows public access Affecting EKS service in AWS


Severity

high

Severity framework

Snyk CCSS

Rule category

Containers / Public Access

Snyk ID

SNYK-CC-00225

Credit

Snyk Research Team

Description

The API endpoint of the EKS cluster is public: anyone on the internet may be able to establish network connectivity to the Kubernetes API server.

How to fix?

Set the endpoint_public_access attribute of the aws_eks_cluster resource to false, OR keep endpoint_public_access set to true and restrict the public_access_cidrs attribute of the aws_eks_cluster resource to specific IP address ranges.

Example configuration:

resource "aws_eks_cluster" "allowed-1" {
  name     = "eks-endpoint-cidr"
  role_arn = aws_iam_role.eks_role.arn

  vpc_config {
    subnet_ids             = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
    endpoint_public_access = true
    public_access_cidrs    = ["182.31.0.0/24"]
  }

  depends_on = [
    aws_iam_role_policy_attachment.Eks-attach-1,
    aws_iam_role_policy_attachment.Eks-attach-2,
  ]
}

resource "aws_eks_cluster" "allowed-2" {
  name     = "eks-endpoint"
  role_arn = aws_iam_role.eks_role.arn

  vpc_config {
    subnet_ids              = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
    endpoint_public_access  = false
    endpoint_private_access = true
  }

  depends_on = [
    aws_iam_role_policy_attachment.Eks-attach-1,
    aws_iam_role_policy_attachment.Eks-attach-2,
  ]
}

resource "aws_eks_cluster" "allowed-3" {
  name     = "eks-cidr"
  role_arn = aws_iam_role.eks_role.arn

  vpc_config {
    subnet_ids          = [aws_default_subnet.default_subnet-1.id, aws_default_subnet.default_subnet-2.id, aws_default_subnet.default_subnet-3.id]
    public_access_cidrs = ["182.31.0.0/24"]
  }

  depends_on = [
    aws_iam_role_policy_attachment.Eks-attach-1,
    aws_iam_role_policy_attachment.Eks-attach-2,
  ]
}
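As an added example that is not part of this rule page, the following Python script applies the same check to the JSON output of `terraform show -json <planfile>` so the misconfiguration can be caught in CI before the cluster exists. It assumes the documented plan JSON layout (`planned_values.root_module.resources[].values.vpc_config[]`), only inspects the root module, and uses the provider default `endpoint_public_access = true` and the AWS default `public_access_cidrs = ["0.0.0.0/0"]` when those attributes are unset; the embedded plan is a constructed sample.

```python
import ipaddress
import json

# Constructed sample shaped like `terraform show -json tfplan` output, reduced to
# the fields this check reads. Not taken from the rule page.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_eks_cluster.open", "type": "aws_eks_cluster",
         "values": {"vpc_config": [{"endpoint_public_access": True,
                                    "public_access_cidrs": ["0.0.0.0/0"]}]}},
        {"address": "aws_eks_cluster.allowed-1", "type": "aws_eks_cluster",
         "values": {"vpc_config": [{"endpoint_public_access": True,
                                    "public_access_cidrs": ["182.31.0.0/24"]}]}},
        {"address": "aws_eks_cluster.allowed-2", "type": "aws_eks_cluster",
         "values": {"vpc_config": [{"endpoint_public_access": False,
                                    "endpoint_private_access": True}]}},
        # Neither attribute set: defaults make this endpoint world-reachable.
        {"address": "aws_eks_cluster.defaults", "type": "aws_eks_cluster",
         "values": {"vpc_config": [{}]}},
    ]}}
})

def cidr_is_open(cidr: str) -> bool:
    """True for a CIDR covering the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def endpoint_is_public(vpc_config: dict) -> bool:
    """Rule logic: public endpoint whose CIDR allow-list admits everyone."""
    # Provider default when unset (assumption): endpoint_public_access = true.
    if not vpc_config.get("endpoint_public_access", True):
        return False
    # AWS default when unset or null (assumption): ["0.0.0.0/0"].
    cidrs = vpc_config.get("public_access_cidrs") or ["0.0.0.0/0"]
    return any(cidr_is_open(c) for c in cidrs)

def find_public_eks_clusters(plan_json: str) -> list:
    """Return addresses of aws_eks_cluster resources that violate the rule."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res.get("type") != "aws_eks_cluster":
            continue
        for cfg in res.get("values", {}).get("vpc_config", []):
            if endpoint_is_public(cfg):
                findings.append(res["address"])
    return findings

if __name__ == "__main__":
    for address in find_public_eks_clusters(SAMPLE_PLAN):
        print(f"{address}: API endpoint reachable from the internet")
```

Clusters like allowed-3 above, which set public_access_cidrs but leave endpoint_public_access at its default, are accepted as long as the listed ranges are not 0.0.0.0/0 or ::/0.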