
aws-network-public-ssh

Ensure that the resource or security group does not allow ingress from 0.0.0.0/0 to port 22 (SSH)

This rule currently applies to the following list of resources:

  • Security group
  • EKS Node group

Examples

Insecure Example

EC2 Security Group

# Insecure: the ingress rule below exposes SSH (tcp/22) to every IPv4 address.
resource "aws_security_group" "SGBase" {
  description = "Base Security Group"
  name        = "SGBase"

  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"] # any source address -> flagged by this rule
  }
}
"SGBase": {
   "Type": "AWS::EC2::SecurityGroup",
   "Properties": {
      "GroupDescription": "Base Security Group",
      "SecurityGroupIngress": [
         {
            "IpProtocol": "tcp",
            "CidrIp": "0.0.0.0/0",
            "FromPort": 22,
            "ToPort": 22
         }
      ]
   }
}

EKS Node Group

# EKS managed node group, shown here without any remote_access block.
# The secure example on this page differs only by adding remote_access with
# source_security_group_ids, so that is the setting this rule is concerned with.
# NOTE(review): the EKS API is documented to open port 22 to 0.0.0.0/0 when an
# SSH key is set without a source security group - confirm against the
# RemoteAccessConfig documentation before relying on this example.
resource "aws_eks_node_group" "example" {
  node_group_name = "example"
  cluster_name    = aws_eks_cluster.example.name
  node_role_arn   = aws_iam_role.example.arn
  subnet_ids      = aws_subnet.example[*].id

  # Single-node group: min, desired and max are all 1.
  scaling_config {
    min_size     = 1
    desired_size = 1
    max_size     = 1
  }

  # The node role must carry these managed policies before nodes are created.
  depends_on = [
    aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy,
    aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy,
    aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly,
  ]
}
"EKSNodegroup": {
    "Type": "AWS::EKS::Nodegroup",
    "Properties": {
        "ClusterName": "prod",
        "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
        "ScalingConfig": {
            "MinSize": 3,
            "DesiredSize": 5,
            "MaxSize": 7
        },
        "Labels": {
            "Key1": "Value1",
            "Key2": "Value2"
        },
        "Subnets": [
            "subnet-6782e71e",
            "subnet-e7e761ac"
        ]
    }
}

Secure Example

EC2 Security Group

# Secure: SSH (tcp/22) is reachable only from a single trusted /32 source.
resource "aws_security_group" "SGBase" {
  description = "Base Security Group"
  name        = "SGBase"

  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    # Example value only - replace with the IP address of your own trusted
    # administrative host; keep the prefix as narrow as possible (/32 = one host).
    cidr_blocks = ["172.217.13.163/32"]
  }
}
"SGBase": {
   "Type": "AWS::EC2::SecurityGroup",
   "Properties": {
      "GroupDescription": "Base Security Group",
      "SecurityGroupIngress": [
         {
            "IpProtocol": "tcp",
            "CidrIp": "172.217.13.163/32", # This is just an example, please replace with your own host trusted IP source
            "FromPort": 22,
            "ToPort": 22
         }
      ]
   }
}

EKS Node Group

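# Secure: SSH to the worker nodes is limited to callers that belong to an
# explicit source security group instead of being reachable from 0.0.0.0/0.
#
# Fixes relative to the earlier version of this example:
#   - `remote_access: {` is not valid HCL; a nested block is written `remote_access {`.
#   - `remote_access.value[...]` is the iterator of a `dynamic "remote_access"` block
#     and is undefined in a plain resource body, so the values are now literal /
#     resource references (the SG restricting SSH is the SGBase group defined on
#     this page).
resource "aws_eks_node_group" "example" {
  cluster_name    = aws_eks_cluster.example.name
  node_group_name = "example"
  node_role_arn   = aws_iam_role.example.arn
  subnet_ids      = aws_subnet.example[*].id

  # Single-node group: min, desired and max are all 1.
  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  # The node role must carry these managed policies before nodes are created.
  depends_on = [
    aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy,
    aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy,
    aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly,
  ]

  # Always pair ec2_ssh_key with source_security_group_ids: the source group is
  # what confines SSH to trusted callers. NOTE(review): with a key set and no
  # source group, EKS is documented to open port 22 to 0.0.0.0/0 - confirm
  # against the RemoteAccessConfig documentation.
  remote_access {
    ec2_ssh_key               = "EXAMPLE" # placeholder: replace with the name of your EC2 key pair
    source_security_group_ids = [aws_security_group.SGBase.id]
  }
}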
"EKSNodegroup": {
    "Type": "AWS::EKS::Nodegroup",
    "Properties": {
        "ClusterName": "prod",
        "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
        "ScalingConfig": {
            "MinSize": 3,
            "DesiredSize": 5,
            "MaxSize": 7
        },
        "Labels": {
            "Key1": "Value1",
            "Key2": "Value2"
        },
        "Subnets": [
            "subnet-6782e71e",
            "subnet-e7e761ac"
        ]
        "RemoteAccess": {
            "Ec2SshKey" : "ssh-rsa EXAMPLE",
            "SourceSecurityGroups" : ["Group1", "Group2"]
        }
    }
}

More information