CloudFormation guard rules template for Amazon EKS resources

The following rules are included: 

  • Control Plane Public Access Disabled
  • Control Plane Public Access is Restricted
  • Kubernetes Secrets are Encrypted with KMS
  • Control Plane Logging Enabled

# All AWS::EKS::Cluster resources in the template. Every rule below is scoped
# to this selection and is skipped (not failed) when the template has none.
let eks_clusters = Resources.*[ Type == "AWS::EKS::Cluster" ]

# Control Plane Public Access Disabled: the cluster API endpoint must not be
# reachable from the internet, i.e. EndpointPublicAccess is explicitly false.
# ResourcesVpcConfig and EndpointPublicAccess must both be present, because
# the EKS default when they are omitted is a public endpoint.
rule eks_private_only when %eks_clusters !empty {
	%eks_clusters {
		Properties {
			ResourcesVpcConfig exists <<ResourcesVpcConfig is not configured. (Public access is enabled by default.)>>
			when ResourcesVpcConfig exists {
				ResourcesVpcConfig.EndpointPublicAccess exists <<EndpointPublicAccess is not configured. (enabled by default.)>>
				when ResourcesVpcConfig.EndpointPublicAccess exists {
					ResourcesVpcConfig.EndpointPublicAccess == false <<Public access is enabled.>>
				}
			}
		}
	}
}

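# Control Plane Public Access is Restricted: a public API endpoint is tolerated
# only when PublicAccessCidrs is set and contains no 0.0.0.0/0 entry.
# PublicAccessCidrs must be present explicitly, because EKS defaults it to
# 0.0.0.0/0 when EndpointPublicAccess is true and the property is omitted;
# without the exists check that case fails only with a generic retrieval error.
# The former "== false OR == true" clause was a tautology and is dropped; a
# private-only endpoint satisfies this control via the skipped when-block.
rule eks_control_plane_public_access_restricted when %eks_clusters !empty {
	%eks_clusters {
		Properties {
			ResourcesVpcConfig exists <<ResourcesVpcConfig is not configured. (Public access is enabled by default.)>>
			when ResourcesVpcConfig exists {
				ResourcesVpcConfig {
					EndpointPublicAccess exists <<EndpointPublicAccess is not configured. (enabled by default.)>>
					# CIDR restrictions only matter when the endpoint is public.
					when EndpointPublicAccess == true {
						PublicAccessCidrs exists <<PublicAccessCidrs is not configured. (Unrestricted public access, 0.0.0.0/0, is the default.)>>
						when PublicAccessCidrs exists {
							PublicAccessCidrs.* {
								this != "0.0.0.0/0" <<Unrestricted public access is enabled.>>
							}
						}
					}
				}
			}
		}
	}
}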

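# Kubernetes Secrets are Encrypted with KMS: EncryptionConfig must be present,
# non-empty, name a KMS key in every entry, and cover the "secrets" resource
# type. The previous version only checked that EncryptionConfig exists, which
# let an entry with no Provider.KeyArn or with a Resources list that does not
# include "secrets" pass even though it does not encrypt secrets with KMS.
rule eks_secrets_encrypted when %eks_clusters !empty {
	%eks_clusters {
		Properties {
			EncryptionConfig exists <<EncryptionConfig is not configured.(Secrets encryption is disabled.)>>
			when EncryptionConfig exists {
				EncryptionConfig !empty <<EncryptionConfig is empty.(Secrets encryption is disabled.)>>
				when EncryptionConfig !empty {
					EncryptionConfig[*] {
						Provider.KeyArn exists <<EncryptionConfig entry has no Provider.KeyArn.(No KMS key is configured.)>>
						Resources exists <<EncryptionConfig entry has no Resources.>>
					}
					# At least one entry must list "secrets"; other resource
					# types would leave Kubernetes secrets unencrypted.
					some EncryptionConfig[*].Resources[*] == "secrets" <<EncryptionConfig does not cover the "secrets" resource type.>>
				}
			}
		}
	}
}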

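# Control Plane Logging Enabled: all five control-plane log types (api, audit,
# authenticator, controllerManager, scheduler) must be enabled.
# ClusterLogging and EnabledTypes are checked explicitly so that a missing or
# empty list fails with a clear message, rather than depending on how `some`
# treats a query that resolves to no values (a Logging block with an empty
# EnabledTypes list should not be read as "logging enabled").
rule eks_control_plane_logging when %eks_clusters !empty {
	%eks_clusters {
		Properties {
			Logging exists <<Logging is not configured.>>
			when Logging exists {
				Logging {
					ClusterLogging exists <<ClusterLogging is not configured.>>
					when ClusterLogging exists {
						ClusterLogging {
							# !empty also fails when EnabledTypes is absent.
							EnabledTypes !empty <<No control plane log types are enabled.>>
							when EnabledTypes !empty {
								some EnabledTypes[*].Type == "api" <<Logging is not configured for the API server.>>
								some EnabledTypes[*].Type == "audit" <<Audit logging is not enabled.>>
								some EnabledTypes[*].Type == "authenticator" <<Authenticator logging is not enabled.>>
								some EnabledTypes[*].Type == "controllerManager" <<Controller Manager logging is not enabled.>>
								some EnabledTypes[*].Type == "scheduler" <<Scheduler logging is not enabled.>>
							}
						}
					}
				}
			}
		}
	}
}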

