Control: EKS cluster node group should be configured to restrict SSH access from 0.0.0.0/0
Description
EKS cluster node group SSH access should be restricted from internet. If you specify ec2_ssh_key, but do not specify source_security_group_ids configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0).
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.eks_cluster_node_group_ssh_access_from_internetSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.eks_cluster_node_group_ssh_access_from_internet --shareSQL
This control uses a named query:
select address as resource, case when (attributes_std -> 'remote_access') is null then 'ok' when (attributes_std -> 'remote_access' ->> 'ec2_ssh_key') is not null and (attributes_std -> 'remote_access' ->> 'source_security_group_ids') is not null then 'ok' when (attributes_std -> 'remote_access' ->> 'ec2_ssh_key') is not null and (attributes_std -> 'remote_access' ->> 'source_security_group_ids') is null then 'alarm' else 'alarm' end status, split_part(address, '.', 2) || case when (attributes_std -> 'remote_access') is null then ' node group does not have implicit SSH access from 0.0.0.0/0' when (attributes_std -> 'remote_access' ->> 'ec2_ssh_key') is not null and (attributes_std -> 'remote_access' ->> 'source_security_group_ids') is not null then ' SSH access restricted to security group(s)' when (attributes_std -> 'remote_access' ->> 'ec2_ssh_key') is not null and (attributes_std -> 'remote_access' ->> 'source_security_group_ids') is null then ' has implicit SSH access from 0.0.0.0/0' else ' has implicit SSH access from 0.0.0.0/0' end || '.' reason , path || ':' || start_linefrom terraform_resourcewhere type = 'aws_eks_node_group';