Restrict overly permissive access by AWS EKS to all traffic High

Overly permissive access is granted by the AWS EKS cluster security group to all traffic. Make sure that AWS EKS cluster security group is configured to prevent Overly permissive to all traffic.

Detector ID
terraform/restrict-eks-traffic-access-terraform@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1resource "aws_eks_cluster" "test" {
2  name = "test"
3  role_arn = aws_iam_role.eksrole.arn
4  vpc_config {
5    subnet_ids = [aws_subnet.subnet1.id]
6    # Noncompliant: `endpoint_public_access` is set to True.
7    endpoint_public_access = True
8  }
9}

Compliant example

1resource "aws_eks_cluster" "test" {
2  name = "test"
3  role_arn = aws_iam_role.eksrole.arn
4  vpc_config {
5    subnet_ids = [aws_subnet.subnet1.id]
6    # Compliant: `endpoint_public_access` is set to False.
7    endpoint_public_access = False
8  }
9  encryption_config {
10    resources = ["secrets"]
11  }
12  enabled_cluster_log_types = [
13    "api",
14    "audit",
15    "authenticator",
16    "controllerManager",
17    "scheduler"
18  ]
19}