aws-network-public-ssh
Checks whether the resource or security group allows ingress from 0.0.0.0/0 (any IPv4 source) to port 22 (SSH).
This rule currently applies to the following resources:
- Security group
- EKS Node group
Examples
Insecure Example
EC2 Security Group
# Insecure: the ingress rule below admits TCP/22 from any IPv4 address, which is
# exactly the condition aws-network-public-ssh reports.
resource "aws_security_group" "SGBase" {
  name        = "SGBase"
  description = "Base Security Group"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # flagged: 0.0.0.0/0 exposes SSH to the whole internet
  }
}
"SGBase": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Base Security Group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"ToPort": 22
}
]
}
}
EKS Node Group
# Insecure example for aws-network-public-ssh.
# NOTE(review): no remote_access block is configured here, so confirm what the
# rule keys on for this resource type. A node group whose remote_access sets
# ec2_ssh_key but omits source_security_group_ids is the configuration under
# which EKS opens port 22 on the nodes to 0.0.0.0/0.
resource "aws_eks_node_group" "example" {
  cluster_name    = aws_eks_cluster.example.name
  node_group_name = "example"
  node_role_arn   = aws_iam_role.example.arn
  subnet_ids      = aws_subnet.example[*].id

  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  # Ordering only: the role's policy attachments must exist before the node
  # group is created.
  depends_on = [
    aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy,
    aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy,
    aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly,
  ]
}
"EKSNodegroup": {
"Type": "AWS::EKS::Nodegroup",
"Properties": {
"ClusterName": "prod",
"NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
"ScalingConfig": {
"MinSize": 3,
"DesiredSize": 5,
"MaxSize": 7
},
"Labels": {
"Key1": "Value1",
"Key2": "Value2"
},
"Subnets": [
"subnet-6782e71e",
"subnet-e7e761ac"
]
}
}
Secure Example
EC2 Security Group
# Secure: SSH is admitted only from a single trusted host (/32), so
# aws-network-public-ssh does not fire on this group.
resource "aws_security_group" "SGBase" {
  name        = "SGBase"
  description = "Base Security Group"

  ingress {
    protocol  = "tcp"
    from_port = 22
    to_port   = 22
    # This is just an example, please replace with your own host trusted IP source
    cidr_blocks = ["172.217.13.163/32"]
  }
}
"SGBase": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Base Security Group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"CidrIp": "172.217.13.163/32", # This is just an example, please replace with your own host trusted IP source
"FromPort": 22,
"ToPort": 22
}
]
}
}
EKS Node Group
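# Secure: SSH to the nodes is enabled, but only from the security group(s)
# listed in source_security_group_ids. If ec2_ssh_key is set while
# source_security_group_ids is omitted, EKS opens port 22 on the nodes to
# 0.0.0.0/0 — the exposure aws-network-public-ssh reports.
resource "aws_eks_node_group" "example" {
  cluster_name    = aws_eks_cluster.example.name
  node_group_name = "example"
  node_role_arn   = aws_iam_role.example.arn
  subnet_ids      = aws_subnet.example[*].id

  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  # Ordering only: the role's policy attachments must exist before the node
  # group is created.
  depends_on = [
    aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy,
    aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy,
    aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly,
  ]

  # remote_access is a nested block (no colon after the name). Its arguments
  # take literal values or resource references here; the `remote_access.value[...]`
  # form is only valid inside a `dynamic "remote_access"` block.
  remote_access {
    ec2_ssh_key               = "EXAMPLE-KEY-PAIR-NAME"         # placeholder: name of an existing EC2 key pair
    source_security_group_ids = [aws_security_group.SGBase.id] # the restricted group from the EC2 example above
  }
}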
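"EKSNodegroup": {
  "Type": "AWS::EKS::Nodegroup",
  "Properties": {
    "ClusterName": "prod",
    "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
    "ScalingConfig": {
      "MinSize": 3,
      "DesiredSize": 5,
      "MaxSize": 7
    },
    "Labels": {
      "Key1": "Value1",
      "Key2": "Value2"
    },
    "Subnets": [
      "subnet-6782e71e",
      "subnet-e7e761ac"
    ],
    "RemoteAccess": {
      "Ec2SshKey" : "ssh-rsa EXAMPLE",
      "SourceSecurityGroups" : ["Group1", "Group2"]
    }
  }
}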