EKS cluster should not have open CIDR range for public access
Default Severity: critical
Explanation
EKS clusters have their public access CIDRs set to 0.0.0.0/0 by default, which leaves the cluster API endpoint wide open to the internet. This should be explicitly set to a more specific, private CIDR range.
Possible Impact
The EKS cluster API endpoint can be accessed from anywhere on the internet.
Suggested Resolution
Don't enable public access to EKS clusters.
Insecure Example
The following example will fail the aws-eks-no-public-cluster-access-to-cidr check.
resource "aws_eks_cluster" "bad_example" {
  // other config
  name     = "bad_example_cluster"
  role_arn = var.cluster_arn

  vpc_config {
    // public endpoint enabled with no public_access_cidrs set,
    // so AWS applies its default of 0.0.0.0/0
    endpoint_public_access = true
  }
}
Secure Example
The following example will pass the aws-eks-no-public-cluster-access-to-cidr check.
resource "aws_eks_cluster" "good_example" {
  // other config
  name     = "good_example_cluster"
  role_arn = var.cluster_arn

  vpc_config {
    endpoint_public_access = true
    // restrict the public endpoint to an explicit allow list of source ranges;
    // note that 10.2.0.0/8 has host bits set (the aligned forms would be
    // 10.0.0.0/8 or 10.2.0.0/16), so check the block is canonical before applying
    public_access_cidrs = ["10.2.0.0/8"]
  }
}
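The logic behind this check, written out as an added example for this page (it is not tfsec's own code). It evaluates a vpc_config block given as a Python dict, the shape you would get from a Terraform plan JSON, rather than parsing HCL, and covers the two conditions the explanation describes: the public endpoint being on (which is also AWS's behaviour when the attribute is omitted) and the CIDR list being absent or containing 0.0.0.0/0. It additionally parses each CIDR strictly, so a block with host bits set such as the 10.2.0.0/8 in the secure example above is flagged, while the aligned 10.2.0.0/16 passes; and it warns, without failing, when an allowed range is RFC 1918 space, since callers reaching a public endpoint arrive with public source addresses. The function names and the sample inputs (including the 203.0.113.0/24 "office" range, which is a documentation block) are constructed for the example.

```python
"""Re-implementation, for illustration only, of the reasoning behind the
aws-eks-no-public-cluster-access-to-cidr check. Not tfsec's code."""
from __future__ import annotations

import ipaddress

# Private ranges checked explicitly rather than via ipaddress.is_private,
# because is_private also covers documentation blocks like 203.0.113.0/24.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def evaluate_vpc_config(vpc_config: dict) -> tuple[list[str], list[str]]:
    """Return (failures, warnings) for one aws_eks_cluster vpc_config block.

    failures: conditions under which the check fails.
    warnings: settings that pass the check but deserve a second look.
    """
    failures: list[str] = []
    warnings: list[str] = []

    # AWS enables the public endpoint when endpoint_public_access is omitted,
    # so an absent attribute is treated exactly like `true`.
    if not vpc_config.get("endpoint_public_access", True):
        return failures, warnings  # private-only endpoint: nothing to restrict

    cidrs = vpc_config.get("public_access_cidrs")
    if cidrs is None:
        # The insecure example on this page hits this branch: with no explicit
        # list, AWS applies its default of 0.0.0.0/0.
        failures.append("public_access_cidrs not set; AWS defaults it to 0.0.0.0/0")
        return failures, warnings
    if not cidrs:
        failures.append("public_access_cidrs is empty; set an explicit allow list")
        return failures, warnings

    for cidr in cidrs:
        try:
            # strict=True rejects blocks with host bits set (e.g. 10.2.0.0/8),
            # which are ambiguous about what the author meant to allow.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            failures.append(f"{cidr!r} is not a canonical CIDR block")
            continue
        if net.prefixlen == 0:
            failures.append(f"{cidr} allows the whole internet")
        elif net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            # The public endpoint is reached over the internet, so callers
            # arrive with their public (NAT) address; an RFC 1918 source range
            # never matches and silently allows nothing.
            warnings.append(f"{cidr} is an RFC 1918 range; public-endpoint callers use public source IPs")
    return failures, warnings


def passes(vpc_config: dict) -> bool:
    """True when the block would pass the check."""
    return not evaluate_vpc_config(vpc_config)[0]


# Constructed inputs mirroring the two examples on this page, plus two variants.
BAD_EXAMPLE = {"endpoint_public_access": True}
PAGE_GOOD_EXAMPLE = {"endpoint_public_access": True, "public_access_cidrs": ["10.2.0.0/8"]}
CANONICAL_EXAMPLE = {"endpoint_public_access": True, "public_access_cidrs": ["10.2.0.0/16"]}
# Constructed public egress range of an office (RFC 5737 documentation block).
OFFICE_EXAMPLE = {"endpoint_public_access": True, "public_access_cidrs": ["203.0.113.0/24"]}

if __name__ == "__main__":
    for name, cfg in [("bad", BAD_EXAMPLE), ("page-good", PAGE_GOOD_EXAMPLE),
                      ("canonical", CANONICAL_EXAMPLE), ("office", OFFICE_EXAMPLE)]:
        failures, warnings = evaluate_vpc_config(cfg)
        print(f"{name}: {'FAIL' if failures else 'PASS'}", failures, warnings)
```

Running the block prints one line per sample: the page's insecure example fails on the missing list, the page's secure example fails the strict parse, the /16 variant passes with the RFC 1918 warning, and the office range passes cleanly.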