#
#####################################
## Gherkin ##
#####################################
# Rule Identifier:
# EKS_ENDPOINT_NO_PUBLIC_ACCESS
#
# Description:
# Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.
#
# Reports on:
# AWS::EKS::Cluster
#
# Evaluates:
# AWS CloudFormation
#
# Rule Parameters:
# NA
#
# Scenarios:
# a) SKIP: when there are no EKS clusters present
# b) PASS: when all EKS cluster endpoints are not publicly accessible
# c) FAIL: when any EKS cluster endpoints are publicly accessible
# d) SKIP: when metadata has rule suppression for EKS_ENDPOINT_NO_PUBLIC_ACCESS
#
# Select all EKS cluster resources from incoming template (payload),
# excluding any that opt out of this rule via Metadata.guard.SuppressedRules.
# A resource stays in scope when the SuppressedRules block is absent, and is
# dropped when that block lists EKS_ENDPOINT_NO_PUBLIC_ACCESS (scenario d).
# NOTE(review): the suppression is declared in the template itself, so a
# suppressed cluster is invisible to this rule; suppressions should be
# reviewed like any other template change rather than treated as a PASS.
#
let amazon_eks_clusters_endpoint_no_public_access = Resources.*[ Type == 'AWS::EKS::Cluster'
Metadata.guard.SuppressedRules not exists or
Metadata.guard.SuppressedRules.* != "EKS_ENDPOINT_NO_PUBLIC_ACCESS"
]
# Evaluate only when at least one in-scope cluster was selected above;
# with no in-scope clusters the rule is SKIPped (scenarios a and d).
rule EKS_ENDPOINT_NO_PUBLIC_ACCESS when %amazon_eks_clusters_endpoint_no_public_access !empty {
# ensure the optional parameter is specified in the template.
# EndpointPublicAccess is optional on AWS::EKS::Cluster, and an omitted value
# leaves the API endpoint publicly reachable by default, so a missing property
# must FAIL here instead of silently passing. This clause carries no custom
# message; only the `== false` clause below does.
%amazon_eks_clusters_endpoint_no_public_access.Properties.ResourcesVpcConfig.EndpointPublicAccess EXISTS
# ensure the parameter is set to false (private-only API endpoint)
%amazon_eks_clusters_endpoint_no_public_access.Properties.ResourcesVpcConfig.EndpointPublicAccess == false
<<
Violation: EKS endpoint public access is not allowed.
Fix: Set the boolean parameter ResourcesVpcConfig.EndpointPublicAccess to false
>>
}