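package eks

import (
	"fmt"

	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicClusterAccessToCidr (AVD-AWS-0041) flags EKS clusters whose
// public API endpoint is reachable from a public CIDR range.
//
// For every cluster whose public endpoint access is not explicitly disabled,
// each entry of PublicAccessCIDRs is classified with cidr.IsPublic. Every
// public range produces one failing result attached to that CIDR value; a
// cluster whose ranges are all non-public produces exactly one passing result.
// A cluster that has at least one public range never also reports a pass.
var CheckNoPublicClusterAccessToCidr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0041",
		Provider:    providers.AWSProvider,
		Service:     "eks",
		ShortCode:   "no-public-cluster-access-to-cidr",
		Summary:     "EKS cluster should not have open CIDR range for public access",
		Impact:      "EKS can be accessed from the internet",
		Resolution:  "Don't enable public access to EKS Clusters",
		Explanation: `EKS Clusters have public access cidrs set to 0.0.0.0/0 by default which is wide open to the internet. 
This should be explicitly set to a more specific private CIDR range`,
		Links: []string{
			"https://docs.aws.amazon.com/eks/latest/userguide/create-public-private-vpc.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicClusterAccessToCidrGoodExamples,
			BadExamples:         terraformNoPublicClusterAccessToCidrBadExamples,
			Links:               terraformNoPublicClusterAccessToCidrLinks,
			RemediationMarkdown: terraformNoPublicClusterAccessToCidrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// s is the adapted cloud state; results collects one entry per finding.
	func(s *state.State) (results scan.Results) {
		// Index the slice instead of ranging by value so the pointer handed
		// to AddPassed refers to the actual cluster element, not a per-loop
		// copy that every iteration would share on Go versions before 1.22.
		for i := range s.AWS.EKS.Clusters {
			cluster := &s.AWS.EKS.Clusters[i]

			// Only an explicit "false" skips the cluster; anything else is
			// treated as potentially public and evaluated below.
			if cluster.PublicAccessEnabled.IsFalse() {
				continue
			}

			// NOTE(review): a cluster with public access enabled and an empty
			// PublicAccessCIDRs list produces no result here, although AWS
			// defaults that case to 0.0.0.0/0 (see Explanation). Whether the
			// adapters inject that default is not visible in this file — confirm.
			failed := false
			for _, accessCidr := range cluster.PublicAccessCIDRs {
				if !cidr.IsPublic(accessCidr.Value()) {
					continue
				}
				failed = true
				results.Add(
					fmt.Sprintf("Cluster allows access from a public CIDR: %s.", accessCidr.Value()),
					accessCidr,
				)
			}

			// Report a pass once per cluster, and only when no range failed, so a
			// cluster mixing private and public ranges is not counted as passing.
			if !failed && len(cluster.PublicAccessCIDRs) > 0 {
				results.AddPassed(cluster)
			}
		}
		return
	},
)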