148 changes: 148 additions & 0 deletions eks.tf
@@ -0,0 +1,148 @@
locals {
eks_name = {
value = "${local.resource_prefix.value}-eks"
}
}

data aws_iam_policy_document "iam_policy_eks" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["eks.amazonaws.com"]
}
}
}

resource aws_iam_role "iam_for_eks" {
name = "${local.resource_prefix.value}-iam-for-eks"
assume_role_policy = data.aws_iam_policy_document.iam_policy_eks.json
tags = {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "de052596-21a0-43de-8153-469add277b18"
}
}

resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.iam_for_eks.name
}

resource aws_iam_role_policy_attachment "policy_attachment-AmazonEKSServicePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = aws_iam_role.iam_for_eks.name
}

resource aws_vpc "eks_vpc" {
@bridgecrew bridgecrew bot Feb 14, 2022

HIGH   Ensure AWS Default Security Group restricts all traffic
    Resource: aws_vpc.eks_vpc | ID: BC_AWS_NETWORKING_4

How to Fix

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

Description

A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.

We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in turn reduces the exposure of those resources.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.13.1.3
  • CIS AWS V1.2 4.4
  • PCI-DSS V3.2.1 1.3, 2.1
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

@bridgecrew bridgecrew bot Feb 14, 2022

HIGH   Ensure AWS VPC Flow Logs are enabled
    Resource: aws_vpc.eks_vpc | ID: BC_AWS_LOGGING_9

How to Fix

resource "aws_flow_log" "example" {
  iam_role_arn    = "arn"
  log_destination = "log"
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.ok_vpc.id
}

resource "aws_vpc" "ok_vpc" {
  cidr_block = "10.0.0.0/16"
}

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs provide visibility into network traffic that traverses the VPC.

We recommend that VPC Flow Logs are enabled for packet Rejects for VPCs to help detect anomalous traffic and provide insight during security workflows.

Benchmarks

  • SOC2 CC6.1.1
  • HIPAA 164.312(B) Audit controls
  • CIS AWS V1.2 2.9
  • PCI-DSS V3.2.1 10.3.3, 10.3.4, 10.3.6
  • FEDRAMP (MODERATE) AU-2(a)(d), AU-3, AU-12(a)(c)
  • CIS AWS V1.3 3.9

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

HIGH   AWS VPC Flow Logs not enabled
    Resource: aws_vpc.eks_vpc | ID: BC_AWS_LOGGING_9

How to Fix

resource "aws_flow_log" "example" {
  iam_role_arn    = "arn"
  log_destination = "log"
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.ok_vpc.id
}

resource "aws_vpc" "ok_vpc" {
  cidr_block = "10.0.0.0/16"
}

Description

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. VPC Flow Logs provide visibility into network traffic that traverses the VPC.

We recommend that VPC Flow Logs are enabled for packet Rejects for VPCs to help detect anomalous traffic and provide insight during security workflows.

Benchmarks

  • SOC2 CC6.1.1
  • PCI-DSS V3.2.1 10.3.3, 10.3.4, 10.3.6
  • HIPAA 164.312(B) Audit controls
  • CIS AWS V1.2 2.9
  • CIS AWS V1.3 3.9
  • FEDRAMP (MODERATE) AU-2(a)(d), AU-3, AU-12(a)(c)

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

HIGH   AWS Default Security Group does not restrict all traffic
    Resource: aws_vpc.eks_vpc | ID: BC_AWS_NETWORKING_4

How to Fix

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

Description

A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.

We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in turn reduces the exposure of those resources.

Benchmarks

  • SOC2 CC6.3.3
  • PCI-DSS V3.2.1 1.3, 2.1
  • PCI-DSS V3.2 2
  • HIPAA 164.312(E)(1)
  • NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
  • ISO27001 A.13.1.3
  • CIS AWS V1.2 4.4
  • FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

cidr_block = "10.10.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = merge({
Name = "${local.resource_prefix.value}-eks-vpc"
}, {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "1600ca6c-72f6-45c0-a71d-88e117e51d6b"
})
}

resource aws_subnet "eks_subnet1" {
vpc_id = aws_vpc.eks_vpc.id
cidr_block = "10.10.10.0/24"
availability_zone = "${var.region}a"
map_public_ip_on_launch = true
@bridgecrew bridgecrew bot Feb 14, 2022

Suggested change
map_public_ip_on_launch = true
MEDIUM   Ensure VPC subnets do not assign public IP by default
    Resource: aws_subnet.eks_subnet1 | ID: BC_AWS_NETWORKING_53

Description

A VPC subnet is a part of the VPC with its own rules for traffic. Assigning a public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to the internet and should be edited to 'No' post creation of the subnet.

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

Suggested change
map_public_ip_on_launch = true
MEDIUM   VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.eks_subnet1 | ID: BC_AWS_NETWORKING_53

Description

A VPC subnet is a part of the VPC with its own rules for traffic. Assigning a public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to the internet and should be edited to 'No' post creation of the subnet.

tags = merge({
Name = "${local.resource_prefix.value}-eks-subnet"
"kubernetes.io/cluster/${local.eks_name.value}" = "shared"
}, {
git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2021-05-02 11:16:31"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
yor_trace = "1fb4fa23-a5d6-4d6a-b7dc-88749383f48d"
}, {
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
}, {
"kubernetes.io/cluster/$$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
})
}

resource aws_subnet "eks_subnet2" {
vpc_id = aws_vpc.eks_vpc.id
cidr_block = "10.10.11.0/24"
availability_zone = "${var.region}b"
map_public_ip_on_launch = true
@bridgecrew bridgecrew bot Feb 14, 2022

Suggested change
map_public_ip_on_launch = true
MEDIUM   Ensure VPC subnets do not assign public IP by default
    Resource: aws_subnet.eks_subnet2 | ID: BC_AWS_NETWORKING_53

Description

A VPC subnet is a part of the VPC with its own rules for traffic. Assigning a public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to the internet and should be edited to 'No' post creation of the subnet.

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

Suggested change
map_public_ip_on_launch = true
MEDIUM   VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.eks_subnet2 | ID: BC_AWS_NETWORKING_53

Description

A VPC subnet is a part of the VPC with its own rules for traffic. Assigning a public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to the internet and should be edited to 'No' post creation of the subnet.

tags = merge({
Name = "${local.resource_prefix.value}-eks-subnet2"
"kubernetes.io/cluster/${local.eks_name.value}" = "shared"
}, {
git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2021-05-02 11:16:31"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
yor_trace = "9ce04af2-5321-4e6c-a262-e4d7c1f69525"
}, {
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
}, {
"kubernetes.io/cluster/$$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$$${local.eks_name.value}" = "shared"
"kubernetes.io/cluster/$${local.eks_name.value}" = "shared"
})
}

resource aws_eks_cluster "eks_cluster" {
@bridgecrew bridgecrew bot Feb 14, 2022

MEDIUM   Ensure AWS EKS control plane logging is enabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_4

Description

Amazon EKS control plane logging provides valuable diagnostic logs for all control plane related actions. Logging streams cover the following modules:
  1. Kubernetes API server component logs (api), see kube-apiserver in the Kubernetes documentation.
  2. Audit (audit). Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see Auditing in the Kubernetes documentation.
  3. Authenticator (authenticator). For more information, see authorization in the Kubernetes documentation.
  4. Controller manager (controllerManager). For more information, see kube-controller-manager in the Kubernetes documentation.
  5. Scheduler (scheduler). For more information, see kube-scheduler in the Kubernetes documentation.

Amazon EKS control plane logging is used to detect anomalous configuration activity by your customer. It is used to track configuration changes conducted manually and programmatically, and trace back unapproved changes.

Benchmarks

  • HIPAA 164.312(B) Audit controls

@bridgecrew bridgecrew bot Feb 14, 2022

HIGH   Ensure AWS EKS cluster endpoint access is publicly disabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_2

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. This API server endpoint is public to the internet by default. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.

We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface.

@bridgecrew bridgecrew bot Feb 14, 2022

HIGH   Ensure AWS EKS cluster security group is not overly permissive to all traffic
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_1

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. By default, this API server endpoint is public to the internet. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.

We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, at a minimum, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface. Ensure your Amazon EKS public endpoint is not accessible to 0.0.0.0/0.

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

HIGH   AWS EKS cluster endpoint access is publicly enabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_2

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. This API server endpoint is public to the internet by default. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.

We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface.

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

HIGH   AWS EKS cluster security group overly permissive to all traffic
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_1

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. By default, this API server endpoint is public to the internet. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.

We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, at a minimum, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface. Ensure your Amazon EKS public endpoint is not accessible to 0.0.0.0/0.

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

MEDIUM   AWS EKS control plane logging is disabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_4

Description

Amazon EKS control plane logging provides valuable diagnostic logs for all control plane related actions. Logging streams cover the following modules:
  1. Kubernetes API server component logs (api), see kube-apiserver in the Kubernetes documentation.
  2. Audit (audit). Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see Auditing in the Kubernetes documentation.
  3. Authenticator (authenticator). For more information, see authorization in the Kubernetes documentation.
  4. Controller manager (controllerManager). For more information, see kube-controller-manager in the Kubernetes documentation.
  5. Scheduler (scheduler). For more information, see kube-scheduler in the Kubernetes documentation.

Amazon EKS control plane logging is used to detect anomalous configuration activity by your customer. It is used to track configuration changes conducted manually and programmatically, and trace back unapproved changes.

Benchmarks

  • HIPAA 164.312(B) Audit controls

name = local.eks_name.value
role_arn = "${aws_iam_role.iam_for_eks.arn}"

vpc_config {
endpoint_private_access = true
subnet_ids = ["${aws_subnet.eks_subnet1.id}", "${aws_subnet.eks_subnet2.id}"]
}

depends_on = [
"aws_iam_role_policy_attachment.policy_attachment-AmazonEKSClusterPolicy",
"aws_iam_role_policy_attachment.policy_attachment-AmazonEKSServicePolicy",
]
tags = {
git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
git_file = "terraform/aws/eks.tf"
git_last_modified_at = "2020-06-16 14:46:24"
git_last_modified_by = "nimrodkor@gmail.com"
git_modifiers = "nimrodkor"
git_org = "bridgecrewio"
git_repo = "terragoat"
yor_trace = "7fa14261-c18d-4fa2-aec4-746f6e64d2d3"
}
}
@bridgecrew bridgecrew bot Feb 14, 2022

Suggested change
}
encryption_config {
resources = ["secrets"]
}
}
LOW   Ensure AWS EKS cluster has secrets encryption enabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_3

Description

Secrets in Kubernetes enables managing sensitive information such as passwords and API keys using Kubernetes-native APIs. When creating a secret resource the Kubernetes API server stores it in **etcd** in a base64 encoded form. For example, using kubectl create secret, EKS can encrypt etcd volumes at disk-level using AWS-managed encryption keys.

AWS encourages using envelope encryption to encrypt a key with another key. The motivation is security best practice. Applications store sensitive data as part of a defense in depth security strategy. A master key is stored in AWS KMS that is then utilized for data key generation in the Kubernetes API server. It is also used to encrypt/decrypt sensitive data stored in Kubernetes secrets.

Benchmarks

  • PCI-DSS V3.2 3

@prisma-cloud-devsecops prisma-cloud-devsecops bot Feb 14, 2022

Suggested change
}
encryption_config {
resources = ["secrets"]
}
}
LOW   AWS EKS cluster does not have secrets encryption enabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_3

Description

Secrets in Kubernetes enables managing sensitive information such as passwords and API keys using Kubernetes-native APIs. When creating a secret resource the Kubernetes API server stores it in **etcd** in a base64 encoded form. For example, using kubectl create secret, EKS can encrypt etcd volumes at disk-level using AWS-managed encryption keys.

AWS encourages using envelope encryption to encrypt a key with another key. The motivation is security best practice. Applications store sensitive data as part of a defense in depth security strategy. A master key is stored in AWS KMS that is then utilized for data key generation in the Kubernetes API server. It is also used to encrypt/decrypt sensitive data stored in Kubernetes secrets.

Benchmarks

  • PCI-DSS V3.2 3

output "endpoint" {
value = "${aws_eks_cluster.eks_cluster.endpoint}"
}

output "kubeconfig-certificate-authority-data" {
value = "${aws_eks_cluster.eks_cluster.certificate_authority.0.data}"
}
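Review bot: in `aws_eks_cluster.eks_cluster` the `vpc_config` block sets `endpoint_private_access = true` but never sets `endpoint_public_access = false` (nor `public_access_cidrs`), so the Kubernetes API endpoint keeps its default public reachability; the same resource also has no `enabled_cluster_log_types` and no `encryption_config`, which is exactly what the BC_AWS_KUBERNETES_2, _4 and _3 findings above flag. The suggested `encryption_config { resources = ["secrets"] }` is not sufficient on its own: the block also needs a nested `provider { key_arn = ... }` referencing a KMS key, otherwise validation fails. Both `aws_subnet` resources set `map_public_ip_on_launch = true`, and `aws_vpc.eks_vpc` is created with neither an `aws_flow_log` nor an adopted `aws_default_security_group` beside it, so its default security group keeps its permissive intra-group rule. Style: `depends_on = ["aws_iam_role_policy_attachment...."]` and `role_arn = "${aws_iam_role.iam_for_eks.arn}"` are Terraform 0.11 forms; on 0.12+ use bare references such as `role_arn = aws_iam_role.iam_for_eks.arn`. Finally, the `"kubernetes.io/cluster/$${local.eks_name.value}"` keys in the subnet `merge()` calls look like leftovers of repeated auto-tagging: `$${` is HCL's escape for a literal `${`, so these keys are emitted verbatim and only the first, unescaped `"kubernetes.io/cluster/${local.eks_name.value}" = "shared"` entry actually tags the subnets for the cluster; the escaped duplicates should be dropped.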