Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckEnableControlPlaneLogging = rules.Register( rules.Rule{ AVDID: "AVD-AWS-0038", Provider: provider.AWSProvider, Service: "eks", ShortCode: "enable-control-plane-logging", Summary: "EKS Clusters should have cluster control plane logging turned on", Impact: "Logging provides valuable information about access and usage", Resolution: "Enable logging for the EKS control plane", Explanation: `By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane.`, Links: []string{ "https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html", }, Terraform: &rules.EngineMetadata{ GoodExamples: terraformEnableControlPlaneLoggingGoodExamples, BadExamples: terraformEnableControlPlaneLoggingBadExamples, Links: terraformEnableControlPlaneLoggingLinks, RemediationMarkdown: terraformEnableControlPlaneLoggingRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results rules.Results) { for _, cluster := range s.AWS.EKS.Clusters { if cluster.Logging.API.IsFalse() { results.Add( "Control plane API logging is not enabled.", cluster.Logging.API, ) } else { results.AddPassed(&cluster, "Cluster plane API logging enabled") } if cluster.Logging.Audit.IsFalse() { results.Add( "Control plane audit logging is not enabled.", cluster.Logging.Audit, ) } else { results.AddPassed(&cluster, "Cluster plane audit logging enabled") } if cluster.Logging.Authenticator.IsFalse() { results.Add( "Control plane authenticator logging is not enabled.", cluster.Logging.Authenticator, ) } else { results.AddPassed(&cluster, "Cluster plane authenticator logging enabled") } if cluster.Logging.ControllerManager.IsFalse() { results.Add( "Control plane controller manager logging is not enabled.", cluster.Logging.ControllerManager, ) } else { results.AddPassed(&cluster, "Cluster plane manager logging enabled") } if cluster.Logging.Scheduler.IsFalse() { results.Add( "Control plane scheduler logging is not enabled.", cluster.Logging.Scheduler, ) } else { results.AddPassed(&cluster, "Cluster plane scheduler logging enabled") } } return }, )
View Source
var CheckEncryptSecrets = rules.Register( rules.Rule{ AVDID: "AVD-AWS-0039", Provider: provider.AWSProvider, Service: "eks", ShortCode: "encrypt-secrets", Summary: "EKS should have the encryption of secrets enabled", Impact: "EKS secrets could be read if compromised", Resolution: "Enable encryption of EKS secrets", Explanation: `EKS cluster resources should have the encryption_config block set with protection of the secrets resource.`, Links: []string{ "https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/", }, Terraform: &rules.EngineMetadata{ GoodExamples: terraformEncryptSecretsGoodExamples, BadExamples: terraformEncryptSecretsBadExamples, Links: terraformEncryptSecretsLinks, RemediationMarkdown: terraformEncryptSecretsRemediationMarkdown, }, CloudFormation: &rules.EngineMetadata{ GoodExamples: cloudFormationEncryptSecretsGoodExamples, BadExamples: cloudFormationEncryptSecretsBadExamples, Links: cloudFormationEncryptSecretsLinks, RemediationMarkdown: cloudFormationEncryptSecretsRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results rules.Results) { for _, cluster := range s.AWS.EKS.Clusters { if cluster.Encryption.Secrets.IsFalse() { results.Add( "Cluster does not have secret encryption enabled.", cluster.Encryption.Secrets, ) } else if cluster.Encryption.KMSKeyID.IsEmpty() { results.Add( "Cluster encryption requires a KMS key ID, which is missing", cluster.Encryption.KMSKeyID, ) } else { results.AddPassed(&cluster) } } return }, )
View Source
var CheckNoPublicClusterAccess = rules.Register( rules.Rule{ AVDID: "AVD-AWS-0040", Provider: provider.AWSProvider, Service: "eks", ShortCode: "no-public-cluster-access", Summary: "EKS Clusters should have the public access disabled", Impact: "EKS can be access from the internet", Resolution: "Don't enable public access to EKS Clusters", Explanation: `EKS clusters are available publicly by default, this should be explicitly disabled in the vpc_config of the EKS cluster resource.`, Links: []string{ "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html", }, Terraform: &rules.EngineMetadata{ GoodExamples: terraformNoPublicClusterAccessGoodExamples, BadExamples: terraformNoPublicClusterAccessBadExamples, Links: terraformNoPublicClusterAccessLinks, RemediationMarkdown: terraformNoPublicClusterAccessRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results rules.Results) { for _, cluster := range s.AWS.EKS.Clusters { if cluster.PublicAccessEnabled.IsTrue() { results.Add( "Public cluster access is enabled.", cluster.PublicAccessEnabled, ) } else { results.AddPassed(&cluster) } } return }, )
View Source
var CheckNoPublicClusterAccessToCidr = rules.Register( rules.Rule{ AVDID: "AVD-AWS-0041", Provider: provider.AWSProvider, Service: "eks", ShortCode: "no-public-cluster-access-to-cidr", Summary: "EKS cluster should not have open CIDR range for public access", Impact: "EKS can be accessed from the internet", Resolution: "Don't enable public access to EKS Clusters", Explanation: `EKS Clusters have public access cidrs set to 0.0.0.0/0 by default which is wide open to the internet. This should be explicitly set to a more specific private CIDR range`, Links: []string{ "https://docs.aws.amazon.com/eks/latest/userguide/create-public-private-vpc.html", }, Terraform: &rules.EngineMetadata{ GoodExamples: terraformNoPublicClusterAccessToCidrGoodExamples, BadExamples: terraformNoPublicClusterAccessToCidrBadExamples, Links: terraformNoPublicClusterAccessToCidrLinks, RemediationMarkdown: terraformNoPublicClusterAccessToCidrRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results rules.Results) { for _, cluster := range s.AWS.EKS.Clusters { if cluster.PublicAccessEnabled.IsFalse() { continue } for _, accessCidr := range cluster.PublicAccessCIDRs { if cidr.IsPublic(accessCidr.Value()) { results.Add( fmt.Sprintf("Cluster allows access from a public CIDR: %s.", accessCidr.Value()), accessCidr, ) } else { results.AddPassed(&cluster) } } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files ¶
Click to show internal directories.
Click to hide internal directories.