Skip to content

Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0

Description

It is generally a good security practice to ensure that your AWS EKS node group does not have implicit SSH access from 0.0.0.0/0, as this means that it is not accessible over the internet via SSH. This can help to protect your EKS node group from unauthorized access, as external parties will not be able to connect to it over the internet.

Fix - Buildtime

Terraform

  • Resource: aws_eks_node_group
  • Argument: remote_access/source_security_group_ids
    Makes sure there is no remote access block or the addition of source_security_group_ids

```go aws_eks_node_group.test.tf resource "aws_eks_node_group" "test" { ... cluster_name = aws_eks_cluster.example.name remote_access { ec2_ssh_key = "some-key" + source_security_group_ids = "some-group" } }


## CloudFormation

- **Resource**: AWS::EKS::Nodegroup
- **Argument**: Properties.RemoteAccess

```yaml
Resources:
  Nodegroup1:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ...
      RemoteAccess: 
        Ec2SshKey: <ssh key>
+       SourceSecurityGroups: 
+         - ...

  Nodegroup2:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ...
-     RemoteAccess:
-               ...