AWS069 - EKS Clusters should have the public access disabled

Written by tfsec

Explanation

EKS clusters are available publicly by default, this should be explicitly disabled in the vpc_config of the EKS cluster resource.

Insecure Example

The following example will fail the AWS069 check.

resource "aws_eks_cluster" "bad_example" {
    // other config 

    name = "bad_example_cluster"
    role_arn = var.cluster_arn
    vpc_config {
        endpoint_public_access = true
    }
}

Secure Example

The following example will pass the AWS069 check.

resource "aws_eks_cluster" "good_example" {
    // other config 

    name = "good_example_cluster"
    role_arn = var.cluster_arn
    vpc_config {
        endpoint_public_access = false
        public_access_cidrs = ["10.2.0.0/8"]
    }
}

Related Links

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access

• https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html

---