
Improve AWS review EKS posture gates #2095

Open

shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/aws-eks-posture-gates

Conversation

@shensz2017


Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: aws-review
Skill path: skills/cloud/aws-review/

Closes #2093.

What Was Wrong

The AWS review skill covered CIS AWS v3.0.0 sections for IAM, storage, logging, monitoring, and networking, but it did not evaluate EKS cluster posture. That can let EKS fall between generic AWS checks and the separate container-security skill: Terraform can declare risky aws_eks_cluster settings without any EKS evidence row in the AWS posture report.

Missed cases included:

  • Public EKS API endpoints open to 0.0.0.0/0 or ::/0.
  • Bootstrap cluster creator admin and legacy access modes left unreviewed.
  • Missing EKS Pod Identity or IRSA evidence for workloads that call AWS APIs.
  • Broad node roles or missing launch-template IMDSv2 evidence.
  • Missing KMS secrets encryption and control-plane logs.
  • Missing VPC CNI/private subnet/security-groups-for-pods evidence.

What This PR Fixes

This PR adds a supplemental EKS posture gate to aws-review while keeping manifest-level Kubernetes review delegated to container-security.

Changes include:

  • Adds Step 7: Supplemental EKS Cluster Posture Evidence to SKILL.md.
  • Adds an EKS evidence table to the report output.
  • Adds AWS-EKS-01 through AWS-EKS-07 finding triggers.
  • Extends benchmark-checklist.md with concrete Terraform review checks for EKS clusters, node groups, Pod Identity, endpoint access, secrets encryption, and control-plane logs.
  • Adds a common pitfall warning for EKS cluster controls falling between skills.
  • Adds AWS documentation references for EKS endpoint access, Pod Identity, and security best practices.
  • Adds benign and vulnerable Terraform fixtures.

Evidence

Before (skill misses this):

resource "aws_eks_cluster" "admin" {
  vpc_config {
    endpoint_private_access = false
    endpoint_public_access  = true
    public_access_cidrs     = ["0.0.0.0/0"]
  }

  access_config {
    authentication_mode                         = "CONFIG_MAP"
    bootstrap_cluster_creator_admin_permissions = true
  }
}

After (now correctly handled):

AWS-EKS-02: Public endpoint is enabled with 0.0.0.0/0 or ::/0 public access CIDRs without documented compensating control
AWS-EKS-03: Bootstrap cluster creator admin is enabled or access mode evidence is missing
AWS-EKS-04: Pod Identity or IRSA evidence is absent for workloads that need AWS API access

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing checks still pass

Added fixtures:

  • skills/cloud/aws-review/tests/vulnerable/public-eks-bootstrap-admin.tf
  • skills/cloud/aws-review/tests/benign/private-eks-pod-identity.tf

Validation

  • git diff --cached --check
  • Workflow-equivalent frontmatter required-field check
  • Index file-existence check
  • Markdown fence balance check for changed markdown files
  • Changed-file ASCII check
  • Prompt-injection pattern scan equivalent to .github/workflows/injection-scan.yml
  • Marker checks for AWS-EKS-*, Supplemental EKS Evidence, endpoint_private_access, endpoint_public_access, public_access_cidrs, bootstrap_cluster_creator_admin_permissions, aws_eks_pod_identity_association, enabled_cluster_log_types, and encryption_config

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors or private details after acceptance
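As an added illustration (not the repository's own code; the aws-review skill is a markdown checklist, not a program), this Python sketch applies the AWS-EKS-02/03/04 triggers described above to the PR's "Before" fixture using a minimal brace-matching scan of the Terraform text. The fixture is copied from the PR description; treating an aws_iam_openid_connect_provider resource as IRSA evidence is my assumption.

```python
import re

# Constructed copy of the PR's "Before" fixture (not the repo's test file).
VULNERABLE_TF = '''
resource "aws_eks_cluster" "admin" {
  vpc_config {
    endpoint_private_access = false
    endpoint_public_access  = true
    public_access_cidrs     = ["0.0.0.0/0"]
  }

  access_config {
    authentication_mode                         = "CONFIG_MAP"
    bootstrap_cluster_creator_admin_permissions = true
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
ANY_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption: either resource type counts as workload-identity evidence.
IDENTITY_TYPES = {"aws_eks_pod_identity_association", "aws_iam_openid_connect_provider"}

def resource_blocks(tf):
    """Yield (type, name, body) for each top-level resource, matching braces."""
    for m in RESOURCE_RE.finditer(tf):
        depth, i = 1, m.end()
        while depth and i < len(tf):
            depth += {"{": 1, "}": -1}.get(tf[i], 0)
            i += 1
        yield m.group(1), m.group(2), tf[m.end():i - 1]

def attrs(body):
    """Flatten `key = value` lines (nested blocks included) into a dict of raw values."""
    return dict(ATTR_RE.findall(body))

def eks_findings(tf):
    """Return [(finding_id, cluster_name)] for the AWS-EKS-02/03/04 triggers."""
    blocks = list(resource_blocks(tf))
    has_identity = bool({t for t, _, _ in blocks} & IDENTITY_TYPES)
    findings = []
    for rtype, name, body in blocks:
        if rtype != "aws_eks_cluster":
            continue
        a = attrs(body)
        cidrs = set(re.findall(r'"([^"]+)"', a.get("public_access_cidrs", "")))
        if a.get("endpoint_public_access") == "true" and cidrs & ANY_CIDRS:
            findings.append(("AWS-EKS-02", name))  # public endpoint open to the world
        # Terraform defaults bootstrap admin to true, so a missing attribute is "enabled".
        if a.get("bootstrap_cluster_creator_admin_permissions", "true") == "true" \
                or "authentication_mode" not in a:
            findings.append(("AWS-EKS-03", name))
        if not has_identity:
            findings.append(("AWS-EKS-04", name))  # no Pod Identity / IRSA evidence
    return findings
```

A private cluster with bootstrap admin disabled and an aws_eks_pod_identity_association in the same file yields no findings, matching the benign fixture the PR describes.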



Development

Successfully merging this pull request may close these issues.

[REVIEW] aws-review: add EKS cluster posture evidence gates
