terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging


Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS control plane through the enabled_cluster_log_types attribute.


Definition

rules:
  - id: eks-insufficient-control-plane-logging
    patterns:
      - pattern: |
          name = ...
      - pattern-inside: |
          resource "aws_eks_cluster" "..." {
            ...
          }
      - pattern-not-inside: |
          resource "aws_eks_cluster" "..." {
            ...
            enabled_cluster_log_types = [..., "api", ..., "audit", ...]
            ...
          }
      - pattern-not-inside: |
          resource "aws_eks_cluster" "..." {
            ...
            enabled_cluster_log_types = [..., "audit", ..., "api", ...]
            ...
          }
    languages:
      - hcl
    message: Missing EKS control plane logging. It is recommended to enable at least
      Kubernetes API server component logs ("api") and audit logs ("audit") of
      the EKS control plane through the enabled_cluster_log_types attribute.
    severity: WARNING
    metadata:
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging
        - https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
      category: security
      cwe:
        - "CWE-778: Insufficient Logging"
      technology:
        - terraform
        - aws
      owasp:
        - A10:2017 - Insufficient Logging & Monitoring
        - A09:2021 - Security Logging and Monitoring Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insufficient Logging

Examples

eks-insufficient-control-plane-logging.tf

resource "aws_eks_cluster" "insecure_defaults" {
  # ruleid: eks-insufficient-control-plane-logging
  name                      = "my-cluster"
}

resource "aws_eks_cluster" "missing_api_logging" {
  # ruleid: eks-insufficient-control-plane-logging
  name                      = "my-cluster"
  enabled_cluster_log_types = ["audit"]
}


resource "aws_eks_cluster" "ok_1" {
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = ["api", "audit"]
  name                      = "my-cluster"
}

resource "aws_eks_cluster" "ok_2" {
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = ["audit", "api"]
  name                      = "my-cluster"
}

resource "aws_eks_cluster" "ok_3" {
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = ["api", "somethingelse", "audit"]
  name                      = "my-cluster"
}

resource "aws_eks_cluster" "eks_cluster" {
  name                      = "my-cluster-${var.test}"
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = [
    "api",
    "audit",
    "authenticator",
    "controllerManager",
    "scheduler"
  ]

  dynamic "encryption_config" {
    for_each = 1
    content {
      provider {
        key_arn = aws_kms_key.k8s_cluster_secret_encryption_key.arn
      }
      resources = [
        "secrets"
      ]
    }
  }
}
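As an added check (not Semgrep's code and not part of the rule page), the following Python re-implements the rule's membership logic with a lightweight regex approximation of HCL and runs it over a constructed subset of the examples above. Unlike the rule's single message, it reports which of the two required log types each flagged cluster is missing; it is order-independent and tolerant of extra entries, the combined effect of the two `pattern-not-inside` clauses.

```python
import re

# Constructed sample: a subset of the rule page's example resources, not its file.
SAMPLE_TF = '''
resource "aws_eks_cluster" "insecure_defaults" {
  name = "my-cluster"
}

resource "aws_eks_cluster" "missing_api_logging" {
  name                      = "my-cluster"
  enabled_cluster_log_types = ["audit"]
}

resource "aws_eks_cluster" "eks_cluster" {
  name = "my-cluster-${var.test}"
  enabled_cluster_log_types = [
    "audit",
    "api",
    "authenticator",
  ]
}
'''

# Matches one top-level aws_eks_cluster block; the closing brace must sit at
# column 0, so nested blocks with indented closers stay inside the body.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_eks_cluster"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
LOG_TYPES_RE = re.compile(r'enabled_cluster_log_types\s*=\s*\[(.*?)\]', re.DOTALL)
REQUIRED = {"api", "audit"}  # the two log types the rule insists on


def enabled_log_types(body: str) -> set[str]:
    """Quoted literals in enabled_cluster_log_types, or an empty set if absent."""
    m = LOG_TYPES_RE.search(body)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()


def find_insufficient_logging(hcl: str) -> dict[str, set[str]]:
    """Map each cluster lacking "api" or "audit" to the log types it misses."""
    findings = {}
    for m in RESOURCE_RE.finditer(hcl):
        missing = REQUIRED - enabled_log_types(m.group("body"))
        if missing:
            findings[m.group("name")] = missing
    return findings
```

The regex parser only handles literal string lists; a value computed from a variable or `concat()` is reported as missing, which matches how the Semgrep rule behaves since its pattern also requires literal `"api"` and `"audit"` entries.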