
AWS EKS node group has implicit SSH access from 0.0.0.0/0

Description

A managed node group's remote_access block lets you choose an EC2 SSH key for the nodes. If ec2_ssh_key is set but source_security_group_ids is not, EKS opens port 22 (port 3389 for Windows nodes) in the node security group to 0.0.0.0/0, so every node in the group accepts SSH connections from the whole internet. Either omit remote access entirely or name the security groups that are allowed to reach the nodes; that keeps the nodes off the public internet and limits who can even attempt to log in.

Code Example

```hcl
resource "aws_eks_node_group" "test" {
  ...
  cluster_name    = aws_eks_cluster.example.name
  remote_access {
    ec2_ssh_key = "some-key"
    # Without source_security_group_ids, EKS opens port 22 to 0.0.0.0/0.
    # The argument takes a list of security group IDs, not a single string.
+    source_security_group_ids = ["some-group"]
  }
}
```

Remediation

Terraform

  • Resource: aws_eks_node_group
  • Arguments: remote_access/source_security_group_ids. Either remove the remote_access block entirely, or set source_security_group_ids next to ec2_ssh_key so that SSH is only reachable from those security groups.
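The following is an added example, not Checkov's own implementation of CKV_AWS_100 nor code from this page. It encodes the rule above as a small check and runs it over two shapes of input: the `resource_changes` section of `terraform show -json` output for a plan, and the response of `aws eks describe-nodegroup`. Both sample inputs are constructed inline; the resource addresses, node group names and security group IDs are hypothetical.

```python
"""Flag EKS managed node groups whose SSH access is implicitly open to 0.0.0.0/0.

Rule: a remote_access configuration that sets an EC2 SSH key but no source
security groups causes EKS to open port 22 (3389 on Windows nodes) to the
internet. No remote access at all passes, and a key plus at least one source
security group passes.
"""

# Constructed sample of a Terraform plan JSON (terraform show -json plan).
# Nested blocks such as remote_access appear as lists of objects.
# All addresses and IDs are hypothetical.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "aws_eks_node_group.open",
            "type": "aws_eks_node_group",
            "change": {"actions": ["create"], "after": {
                "cluster_name": "example",
                "remote_access": [{"ec2_ssh_key": "some-key",
                                   "source_security_group_ids": None}],
            }},
        },
        {
            "address": "aws_eks_node_group.restricted",
            "type": "aws_eks_node_group",
            "change": {"actions": ["create"], "after": {
                "cluster_name": "example",
                "remote_access": [{"ec2_ssh_key": "some-key",
                                   "source_security_group_ids": ["sg-0123456789abcdef0"]}],
            }},
        },
        {
            "address": "aws_eks_node_group.no_ssh",
            "type": "aws_eks_node_group",
            "change": {"actions": ["create"], "after": {
                "cluster_name": "example", "remote_access": []}},
        },
        {   # Unrelated resource type; must be ignored by the scan.
            "address": "aws_security_group.nodes",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {"name": "nodes"}},
        },
    ]
}

# Constructed sample of `aws eks describe-nodegroup` output (hypothetical name).
SAMPLE_DESCRIBE = {
    "nodegroup": {
        "nodegroupName": "open-ng",
        "remoteAccess": {"ec2SshKey": "some-key"},  # no sourceSecurityGroups
    }
}


def ssh_implicitly_open(ec2_ssh_key, source_security_groups):
    """True when an SSH key is configured but nothing restricts the source."""
    return bool(ec2_ssh_key) and not source_security_groups


def check_terraform_node_group(after):
    """Evaluate one aws_eks_node_group 'after' object from plan JSON.

    Returns True if the node group fails the rule.
    """
    for block in after.get("remote_access") or []:
        if ssh_implicitly_open(block.get("ec2_ssh_key"),
                               block.get("source_security_group_ids")):
            return True
    return False


def scan_plan(plan):
    """Return the addresses of every failing aws_eks_node_group in a plan."""
    failing = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_eks_node_group":
            continue
        after = rc.get("change", {}).get("after")
        if after is None:  # resource being destroyed; nothing to check
            continue
        if check_terraform_node_group(after):
            failing.append(rc["address"])
    return failing


def check_live_node_group(describe_response):
    """Same rule applied to an EKS DescribeNodegroup response (camelCase fields)."""
    remote = describe_response.get("nodegroup", {}).get("remoteAccess") or {}
    return ssh_implicitly_open(remote.get("ec2SshKey"),
                               remote.get("sourceSecurityGroups"))


if __name__ == "__main__":
    for address in scan_plan(SAMPLE_PLAN):
        print(f"FAIL {address}: ec2_ssh_key set without source_security_group_ids")
    if check_live_node_group(SAMPLE_DESCRIBE):
        name = SAMPLE_DESCRIBE["nodegroup"]["nodegroupName"]
        print(f"FAIL nodegroup {name}: SSH key set without source security groups")
```

Running the script against the constructed plan reports only aws_eks_node_group.open; the restricted and key-less node groups pass. The live check is worth running after apply as well, because the security group rule EKS creates is not visible in the Terraform resource itself, only in the node group's description and the resulting security group.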

Rule Details

Field        Value
ID           IAC-0153
Severity     HIGH
IaC Type     Cloudformation
Frameworks   CloudFormation, Terraform, TerraformPlan, Serverless
Checkov ID   CKV_AWS_100
