Control: EKS clusters endpoint public access should be restricted
Description
An EKS cluster endpoint with private access enabled keeps communication between your nodes and the Kubernetes API server within your VPC. This control is non-compliant if the cluster endpoint's public access is enabled, because the cluster API server is then reachable from the internet.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.eks_cluster_endpoint_public_access_restricted
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.eks_cluster_endpoint_public_access_restricted --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when resources_vpc_config ->> 'EndpointPrivateAccess' = 'true'
      and resources_vpc_config ->> 'EndpointPublicAccess' = 'false' then 'ok'
    when resources_vpc_config ->> 'EndpointPublicAccess' = 'true'
      and resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' then 'alarm'
    else 'ok'
  end as status,
  case
    when resources_vpc_config ->> 'EndpointPrivateAccess' = 'true'
      and resources_vpc_config ->> 'EndpointPublicAccess' = 'false' then title || ' endpoint access is private.'
    when resources_vpc_config ->> 'EndpointPublicAccess' = 'true'
      and resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' then title || ' endpoint access is public.'
    else title || ' endpoint public access is restricted.'
  end as reason,
  region,
  account_id
from
  aws_eks_cluster;
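The query above only raises an alarm when public access is enabled and PublicAccessCidrs contains 0.0.0.0/0; a public endpoint limited to specific CIDRs is reported as "restricted" and passes. The following Python is an added example (not part of the aws_compliance mod) that mirrors that classification so it can be run offline against cluster descriptions, for instance the output of `aws eks describe-cluster`. The cluster records below are constructed sample data; the field names follow the resources_vpc_config keys used by the query, and the ARNs and CIDRs are placeholders.

```python
from typing import Any, Dict, List

# CIDR that the control treats as "open to the internet".
OPEN_WORLD = "0.0.0.0/0"


def evaluate_cluster(cluster: Dict[str, Any]) -> Dict[str, str]:
    """Classify one EKS cluster the same way the control's SQL does.

    ``cluster`` mirrors an aws_eks_cluster row: ``arn``, ``title`` and a
    ``resources_vpc_config`` mapping with the EndpointPrivateAccess,
    EndpointPublicAccess and PublicAccessCidrs keys returned by the EKS API.
    """
    cfg = cluster["resources_vpc_config"]
    private = cfg.get("EndpointPrivateAccess") is True
    public = cfg.get("EndpointPublicAccess") is True
    cidrs: List[str] = cfg.get("PublicAccessCidrs") or []
    title = cluster["title"]

    if private and not public:
        status, reason = "ok", f"{title} endpoint access is private."
    elif public and OPEN_WORLD in cidrs:
        # Public endpoint reachable from any source address: this is the alarm case.
        status, reason = "alarm", f"{title} endpoint access is public."
    else:
        # Public access is either disabled or limited to explicit CIDRs.
        status, reason = "ok", f"{title} endpoint public access is restricted."
    return {"resource": cluster["arn"], "status": status, "reason": reason}


def alarmed_arns(clusters: List[Dict[str, Any]]) -> List[str]:
    """Return the ARNs of every cluster the control would flag as 'alarm'."""
    return [r["resource"] for r in map(evaluate_cluster, clusters) if r["status"] == "alarm"]


# Constructed sample input (placeholder account id, names and CIDRs).
SAMPLE_CLUSTERS: List[Dict[str, Any]] = [
    {
        "arn": "arn:aws:eks:us-east-1:123456789012:cluster/private-cluster",
        "title": "private-cluster",
        "resources_vpc_config": {
            "EndpointPrivateAccess": True,
            "EndpointPublicAccess": False,
            "PublicAccessCidrs": ["0.0.0.0/0"],  # ignored: public access is off
        },
    },
    {
        "arn": "arn:aws:eks:us-east-1:123456789012:cluster/open-cluster",
        "title": "open-cluster",
        "resources_vpc_config": {
            "EndpointPrivateAccess": True,
            "EndpointPublicAccess": True,
            "PublicAccessCidrs": ["0.0.0.0/0"],
        },
    },
    {
        "arn": "arn:aws:eks:us-east-1:123456789012:cluster/restricted-cluster",
        "title": "restricted-cluster",
        "resources_vpc_config": {
            "EndpointPrivateAccess": False,
            "EndpointPublicAccess": True,
            "PublicAccessCidrs": ["203.0.113.0/24"],
        },
    },
]


if __name__ == "__main__":
    for row in map(evaluate_cluster, SAMPLE_CLUSTERS):
        print(f"{row['status']:5}  {row['reason']}")
```

Running the block prints one line per sample cluster: the private-only cluster and the CIDR-restricted cluster both evaluate to ok, while the cluster whose PublicAccessCidrs includes 0.0.0.0/0 evaluates to alarm. The third case is the caveat worth keeping in mind when reading results: a cluster with private access disabled and public access limited to a list of CIDRs still passes this control, so an organisation that requires private-only endpoints needs a stricter check than the one shipped here.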