Create eks.tf #5
Conversation
![bridgecrew[bot]](https://avatars.githubusercontent.com/in/52968?s=60&v=4){kind=small}
| git_repo = "terragoat" | ||
| yor_trace = "7fa14261-c18d-4fa2-aec4-746f6e64d2d3" | ||
| } | ||
| } |
There was a problem hiding this comment.
| } | |
| encryption_config { | |
| resources = ["secrets"] | |
| } | |
| } |
Ensure AWS EKS cluster has secrets encryption enabled
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_3
Description
Secrets in Kubernetes enables managing sensitive information such as passwords and API keys using Kubernetes-native APIs. When creating a secret resource the Kubernetes API server stores it in **etcd** in a base64 encoded form. For example, using kubectl create secret, EKS can encrypt etcd volumes at disk-level using AWS-managed encryption keys.AWS encourages using envelope encryption to encrypt a key with another key. The motivation is security best practice. Applications store sensitive data as part of a defense in depth security strategy. A master key is stored in AWS KMS that is then utilized for data key generation in the Kubernetes API server. It is also used to encrypt/decrypt sensitive data stored in Kubernetes secrets.
Benchmarks
- PCI-DSS V3.2 3
| }) | ||
| } | ||
|
|
||
| resource aws_eks_cluster "eks_cluster" { |
There was a problem hiding this comment.
Ensure AWS EKS control plane logging is enabled
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_4
Description
Amazon EKS control plane logging provides valuable diagnostic logs for all control plane related actions. Logging streams include cover for the following modules:- Kubernetes API server component logs (api)‚ see kube-apiserver in the Kubernetes documentation.
- Audit (audit). Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see Auditing in the Kubernetes documentation.
- Authenticator (authenticator). For more information, see authorization in the Kubernetes documentation.
- Controller manager (controllerManager). For more information, see kube-controller-manager in the Kubernetes documentation.
- Scheduler (scheduler). For more information, see kube-scheduler in the Kubernetes documentation.
Amazon EKS control plane logging is used to detect anomalous configuration activity by your customer. It is used to track configuration changes conducted manually and programmatically, and trace back unapproved changes.
Benchmarks
- HIPAA 164.312(B) Audit controls
| vpc_id = aws_vpc.eks_vpc.id | ||
| cidr_block = "10.10.10.0/24" | ||
| availability_zone = "${var.region}a" | ||
| map_public_ip_on_launch = true |
There was a problem hiding this comment.
| map_public_ip_on_launch = true |
Ensure VPC subnets do not assign public IP by default
Resource: aws_subnet.eks_subnet1 | ID: BC_AWS_NETWORKING_53
Description
VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.| role = aws_iam_role.iam_for_eks.name | ||
| } | ||
|
|
||
| resource aws_vpc "eks_vpc" { |
There was a problem hiding this comment.
Ensure AWS Default Security Group restricts all traffic
Resource: aws_vpc.eks_vpc | ID: BC_AWS_NETWORKING_4
How to Fix
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.ok_vpc.id
}Description
A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in-turn reduces the exposure of those resources.
Benchmarks
- SOC2 CC6.3.3
- PCI-DSS V3.2 2
- HIPAA 164.312(E)(1)
- NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
- ISO27001 A.13.1.3
- CIS AWS V1.2 4.4
- PCI-DSS V3.2.1 1.3, 2.1
- FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)
| }) | ||
| } | ||
|
|
||
| resource aws_eks_cluster "eks_cluster" { |
There was a problem hiding this comment.
Ensure AWS EKS cluster endpoint access is publicly disabled
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_2
Description
Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. This API server endpoint is public to the internet by default. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.We recommended that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface.
| vpc_id = aws_vpc.eks_vpc.id | ||
| cidr_block = "10.10.11.0/24" | ||
| availability_zone = "${var.region}b" | ||
| map_public_ip_on_launch = true |
There was a problem hiding this comment.
| map_public_ip_on_launch = true |
Ensure VPC subnets do not assign public IP by default
Resource: aws_subnet.eks_subnet2 | ID: BC_AWS_NETWORKING_53
Description
VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.| role = aws_iam_role.iam_for_eks.name | ||
| } | ||
|
|
||
| resource aws_vpc "eks_vpc" { |
There was a problem hiding this comment.
Ensure AWS VPC Flow Logs are enabled
Resource: aws_vpc.eks_vpc | ID: BC_AWS_LOGGING_9
How to Fix
resource "aws_flow_log" "example" {
iam_role_arn = "arn"
log_destination = "log"
traffic_type = "ALL"
+ vpc_id = aws_vpc.ok_vpc.id
}
resource "aws_vpc" "ok_vpc" {
cidr_block = "10.0.0.0/16"
}Description
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs provide visibility into network traffic that traverses the VPC.We recommend that VPC Flow Logs are enabled for packet Rejects for VPCs to help detect anomalous traffic and insight during security workflows.
Benchmarks
- SOC2 CC6.1.1
- HIPAA 164.312(B) Audit controls
- CIS AWS V1.2 2.9
- PCI-DSS V3.2.1 10.3.3, 10.3.4, 10.3.6
- FEDRAMP (MODERATE) AU-2(a)(d), AU-3, AU-12(a)(c)
- CIS AWS V1.3 3.9
| }) | ||
| } | ||
|
|
||
| resource aws_eks_cluster "eks_cluster" { |
There was a problem hiding this comment.
Ensure AWS EKS cluster security group is not overly permissive to all traffic
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_1
Description
Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. By default, this API server endpoint is public to the internet. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, at a minimum, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface. Ensure your Amazon EKS public endpoint is not accessible to 0.0.0.0/0.
![prisma-cloud-devsecops[bot]](https://avatars.githubusercontent.com/in/135857?s=60&v=4){kind=small}
| }) | ||
| } | ||
|
|
||
| resource aws_eks_cluster "eks_cluster" { |
There was a problem hiding this comment.
AWS EKS cluster endpoint access is publicly enabled
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_2
Description
Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. This API server endpoint is public to the internet by default. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.We recommended that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface.
| role = aws_iam_role.iam_for_eks.name | ||
| } | ||
|
|
||
| resource aws_vpc "eks_vpc" { |
There was a problem hiding this comment.
AWS VPC Flow Logs not enabled
Resource: aws_vpc.eks_vpc | ID: BC_AWS_LOGGING_9
How to Fix
resource "aws_flow_log" "example" {
iam_role_arn = "arn"
log_destination = "log"
traffic_type = "ALL"
+ vpc_id = aws_vpc.ok_vpc.id
}
resource "aws_vpc" "ok_vpc" {
cidr_block = "10.0.0.0/16"
}Description
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs provide visibility into network traffic that traverses the VPC.We recommend that VPC Flow Logs are enabled for packet Rejects for VPCs to help detect anomalous traffic and insight during security workflows.
Benchmarks
- SOC2 CC6.1.1
- PCI-DSS V3.2.1 10.3.3, 10.3.4, 10.3.6
- HIPAA 164.312(B) Audit controls
- CIS AWS V1.2 2.9
- CIS AWS V1.3 3.9
- FEDRAMP (MODERATE) AU-2(a)(d), AU-3, AU-12(a)(c)
| git_repo = "terragoat" | ||
| yor_trace = "7fa14261-c18d-4fa2-aec4-746f6e64d2d3" | ||
| } | ||
| } |
There was a problem hiding this comment.
| } | |
| encryption_config { | |
| resources = ["secrets"] | |
| } | |
| } |
AWS EKS cluster does not have secrets encryption enabled
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_3
Description
Secrets in Kubernetes enables managing sensitive information such as passwords and API keys using Kubernetes-native APIs. When creating a secret resource the Kubernetes API server stores it in **etcd** in a base64 encoded form. For example, using kubectl create secret, EKS can encrypt etcd volumes at disk-level using AWS-managed encryption keys.AWS encourages using envelope encryption to encrypt a key with another key. The motivation is security best practice. Applications store sensitive data as part of a defense in depth security strategy. A master key is stored in AWS KMS that is then utilized for data key generation in the Kubernetes API server. It is also used to encrypt/decrypt sensitive data stored in Kubernetes secrets.
Benchmarks
- PCI-DSS V3.2 3
| role = aws_iam_role.iam_for_eks.name | ||
| } | ||
|
|
||
| resource aws_vpc "eks_vpc" { |
There was a problem hiding this comment.
AWS Default Security Group does not restrict all traffic
Resource: aws_vpc.eks_vpc | ID: BC_AWS_NETWORKING_4
How to Fix
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.ok_vpc.id
}Description
A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in-turn reduces the exposure of those resources.
Benchmarks
- SOC2 CC6.3.3
- PCI-DSS V3.2.1 1.3, 2.1
- PCI-DSS V3.2 2
- HIPAA 164.312(E)(1)
- NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
- ISO27001 A.13.1.3
- CIS AWS V1.2 4.4
- FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)
| vpc_id = aws_vpc.eks_vpc.id | ||
| cidr_block = "10.10.11.0/24" | ||
| availability_zone = "${var.region}b" | ||
| map_public_ip_on_launch = true |
There was a problem hiding this comment.
| map_public_ip_on_launch = true |
VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.eks_subnet2 | ID: BC_AWS_NETWORKING_53
Description
VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.| vpc_id = aws_vpc.eks_vpc.id | ||
| cidr_block = "10.10.10.0/24" | ||
| availability_zone = "${var.region}a" | ||
| map_public_ip_on_launch = true |
There was a problem hiding this comment.
| map_public_ip_on_launch = true |
VPC subnets should not allow automatic public IP assignment
Resource: aws_subnet.eks_subnet1 | ID: BC_AWS_NETWORKING_53
Description
VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.| }) | ||
| } | ||
|
|
||
| resource aws_eks_cluster "eks_cluster" { |
There was a problem hiding this comment.
AWS EKS cluster security group overly permissive to all traffic
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_1
Description
Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. By default, this API server endpoint is public to the internet. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, at a minimum, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface. Ensure your Amazon EKS public endpoint is not accessible to 0.0.0.0/0.
| }) | ||
| } | ||
|
|
||
| resource aws_eks_cluster "eks_cluster" { |
There was a problem hiding this comment.
AWS EKS control plane logging is disabled
Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_4
Description
Amazon EKS control plane logging provides valuable diagnostic logs for all control plane related actions. Logging streams include cover for the following modules:- Kubernetes API server component logs (api)‚ see kube-apiserver in the Kubernetes documentation.
- Audit (audit). Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see Auditing in the Kubernetes documentation.
- Authenticator (authenticator). For more information, see authorization in the Kubernetes documentation.
- Controller manager (controllerManager). For more information, see kube-controller-manager in the Kubernetes documentation.
- Scheduler (scheduler). For more information, see kube-scheduler in the Kubernetes documentation.
Amazon EKS control plane logging is used to detect anomalous configuration activity by your customer. It is used to track configuration changes conducted manually and programmatically, and trace back unapproved changes.
Benchmarks
- HIPAA 164.312(B) Audit controls
No description provided.