
pull-03 #3

Open
wants to merge 5 commits into
base: master

Conversation

sm6565
Owner

@sm6565 sm6565 commented Oct 13, 2022

No description provided.

@sm6565
Owner Author

sm6565 commented Oct 13, 2022

pull 03-1


@prisma-cloud-devsecops prisma-cloud-devsecops bot left a comment


Prisma Cloud has found errors in this PR ⬇️

@@ -114,6 +113,7 @@ resource aws_subnet "eks_subnet2" {
})
}


resource aws_eks_cluster "eks_cluster" {
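Review bot: the hunk header @@ -114,6 +113,7 @@ records a net addition of one line, but every line shown here is unchanged context (`})`, `}`, two blank lines and the opening `resource aws_eks_cluster "eks_cluster" {`), so the attribute that actually changed inside the cluster block is not visible in this excerpt. All four findings below (secrets encryption, public endpoint access, reachability from 0.0.0.0/0, control plane logging) depend on attributes inside that block, so the fix commit 67a9cc7 should be reviewed against the full resource body rather than this context alone. Minor style point: the two consecutive blank lines before the resource block should be collapsed to one.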

@prisma-cloud-devsecops prisma-cloud-devsecops bot Oct 13, 2022


Suggested change
resource aws_eks_cluster "eks_cluster" {
resource aws_eks_cluster "eks_cluster" {
encryption_config {
resources = ["secrets"]
}
LOW   AWS EKS cluster does not have secrets encryption enabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_3

Description

Secrets in Kubernetes enable managing sensitive information such as passwords and API keys using Kubernetes-native APIs. When creating a secret resource, the Kubernetes API server stores it in **etcd** in base64-encoded form. For example, using kubectl create secret, EKS can encrypt etcd volumes at disk level using AWS-managed encryption keys.

AWS encourages using envelope encryption to encrypt a key with another key. The motivation is security best practice. Applications store sensitive data as part of a defense in depth security strategy. A master key is stored in AWS KMS that is then utilized for data key generation in the Kubernetes API server. It is also used to encrypt/decrypt sensitive data stored in Kubernetes secrets.

Benchmarks

  • PCI-DSS V3.2 3

🎉   Fixed by commit 67a9cc7 - Prisma Cloud bot fix for terraform/aws/eks.tf

@@ -114,6 +113,7 @@ resource aws_subnet "eks_subnet2" {
})
}


resource aws_eks_cluster "eks_cluster" {

@prisma-cloud-devsecops prisma-cloud-devsecops bot Oct 13, 2022


MEDIUM   AWS EKS cluster endpoint access publicly enabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_2

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. This API server endpoint is public to the internet by default. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.

We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface.

🎉   Fixed by commit 67a9cc7 - Prisma Cloud bot fix for terraform/aws/eks.tf

@@ -114,6 +113,7 @@ resource aws_subnet "eks_subnet2" {
})
}


resource aws_eks_cluster "eks_cluster" {

@prisma-cloud-devsecops prisma-cloud-devsecops bot Oct 13, 2022


HIGH   AWS EKS cluster security group is overly permissive to all traffic
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_1

Description

Amazon EKS creates an endpoint for any managed Kubernetes API server to communicate with the cluster. By default, this API server endpoint is public to the internet. Access to it should be regulated using AWS IAM and native Kubernetes RBAC.

We recommend that your Kubernetes API server remains private so that all communication between worker nodes and APIs stays within your VPC. If public access is needed, at a minimum, restrict the IP addresses that can access your API server from the internet to reduce the potential attack surface. Ensure your Amazon EKS public endpoint is not accessible to 0.0.0.0/0.

🎉   Fixed by commit 67a9cc7 - Prisma Cloud bot fix for terraform/aws/eks.tf

@@ -114,6 +113,7 @@ resource aws_subnet "eks_subnet2" {
})
}


resource aws_eks_cluster "eks_cluster" {

@prisma-cloud-devsecops prisma-cloud-devsecops bot Oct 13, 2022


LOW   AWS EKS control plane logging disabled
    Resource: aws_eks_cluster.eks_cluster | ID: BC_AWS_KUBERNETES_4

How to Fix

resource "aws_eks_cluster" "pike" {
  name     = var.name                 # aws_eks_cluster takes `name`, not `name_prefix`
  role_arn = aws_iam_role.pike.arn    # the role's ARN, not the resource object
  vpc_config {
    endpoint_public_access = false
    subnet_ids             = var.subnet_ids
  }

  tags = {
    pike = "permissions"
  }
  encryption_config {
    provider {
      key_arn = var.kms_key_arn       # assumed KMS key variable; encryption_config requires a provider block
    }
    resources = ["secrets"]
  }
  # the line this fix adds: enable all five control plane log streams
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}

Description

Amazon EKS control plane logging provides valuable diagnostic logs for all control plane related actions. Logging streams cover the following modules:
  1. Kubernetes API server component logs (api). See kube-apiserver in the Kubernetes documentation.
  2. Audit (audit). Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see Auditing in the Kubernetes documentation.
  3. Authenticator (authenticator). For more information, see authorization in the Kubernetes documentation.
  4. Controller manager (controllerManager). For more information, see kube-controller-manager in the Kubernetes documentation.
  5. Scheduler (scheduler). For more information, see kube-scheduler in the Kubernetes documentation.

Amazon EKS control plane logging is used to detect anomalous configuration activity by your customer. It is used to track configuration changes conducted manually and programmatically, and trace back unapproved changes.

Benchmarks

  • HIPAA 164.312(B) Audit controls
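The four findings in this thread all concern attributes of the same aws_eks_cluster block. As an added example (not part of the PR or of the Prisma Cloud bot's output), a small Python checker that applies the same four rules to a Terraform block; both HCL samples are constructed, var.kms_key_arn is an assumed variable, and the regex parsing is a deliberate simplification that handles only flat attribute lists.

```python
import re

# Constructed sample: the "before" state that triggers all four findings.
VULNERABLE_HCL = """
resource "aws_eks_cluster" "eks_cluster" {
  name     = "eks-cluster"
  role_arn = aws_iam_role.eks.arn
  vpc_config {
    subnet_ids = var.subnet_ids
  }
}
"""

# Constructed sample: the hardened block, mirroring the bot's "How to Fix".
HARDENED_HCL = """
resource "aws_eks_cluster" "eks_cluster" {
  name     = "eks-cluster"
  role_arn = aws_iam_role.eks.arn
  vpc_config {
    endpoint_public_access = false
    subnet_ids             = var.subnet_ids
  }
  encryption_config {
    provider { key_arn = var.kms_key_arn }   # assumed variable
    resources = ["secrets"]
  }
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}
"""

REQUIRED_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def _list_values(hcl, attr):
    """Return the string values of a flat `attr = ["a", "b"]` list, or an empty set."""
    m = re.search(rf'{attr}\s*=\s*\[([^\]]*)\]', hcl)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()


def check_eks_cluster(hcl):
    """Return the set of check IDs from the thread that the block fails."""
    failed = set()
    # BC_AWS_KUBERNETES_3: secrets must be listed under encryption_config.resources
    if "secrets" not in _list_values(hcl, "resources"):
        failed.add("BC_AWS_KUBERNETES_3")
    # BC_AWS_KUBERNETES_2: the provider defaults endpoint_public_access to true
    if not re.search(r'endpoint_public_access\s*=\s*false', hcl):
        failed.add("BC_AWS_KUBERNETES_2")
        # BC_AWS_KUBERNETES_1: public_access_cidrs defaults to 0.0.0.0/0 when unset
        if "0.0.0.0/0" in (_list_values(hcl, "public_access_cidrs") or {"0.0.0.0/0"}):
            failed.add("BC_AWS_KUBERNETES_1")
    # BC_AWS_KUBERNETES_4: all five control plane log streams must be enabled
    if not REQUIRED_LOG_TYPES <= _list_values(hcl, "enabled_cluster_log_types"):
        failed.add("BC_AWS_KUBERNETES_4")
    return failed
```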
