terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging
Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS control plane through the enabled_cluster_log_types attribute.
Definition
# Semgrep rule: report an aws_eks_cluster resource whose enabled_cluster_log_types
# list literal does not contain both "api" and "audit".
rules:
  - id: eks-insufficient-control-plane-logging
    patterns:
      # The finding is anchored on the `name` attribute of the cluster resource,
      # so one finding is produced per resource rather than per missing log type.
      - pattern: |
          name = ...
      - pattern-inside: |
          resource "aws_eks_cluster" "..." {
            ...
          }
      # Suppress the finding when the list literal holds "api" and "audit" in
      # either order; the two pattern-not-inside clauses cover the two orders,
      # and the `...` placeholders allow other log types around and between them.
      # NOTE(review): only a list literal is recognised here, so a value supplied
      # through a variable, local or expression presumably still produces a
      # finding (consistent with the LOW confidence declared below).
      - pattern-not-inside: |
          resource "aws_eks_cluster" "..." {
            ...
            enabled_cluster_log_types = [..., "api", ..., "audit", ...]
            ...
          }
      - pattern-not-inside: |
          resource "aws_eks_cluster" "..." {
            ...
            enabled_cluster_log_types = [..., "audit", ..., "api", ...]
            ...
          }
    languages:
      - hcl
    message: Missing EKS control plane logging. It is recommended to enable at least
      Kubernetes API server component logs ("api") and audit logs ("audit") of
      the EKS control plane through the enabled_cluster_log_types attribute.
    severity: WARNING
    metadata:
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging
        - https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
      category: security
      cwe:
        - "CWE-778: Insufficient Logging"
      technology:
        - terraform
        - aws
      owasp:
        - A10:2017 - Insufficient Logging & Monitoring
        - A09:2021 - Security Logging and Monitoring Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insufficient Logging
Examples
eks-insufficient-control-plane-logging.tf
# Fixture: no enabled_cluster_log_types attribute at all, so neither
# pattern-not-inside clause of the rule applies and the `name` line is reported.
# The `# ruleid:` annotation must stay immediately above the matched line.
resource "aws_eks_cluster" "insecure_defaults" {
  # ruleid: eks-insufficient-control-plane-logging
  name = "my-cluster"
}
# Fixture: only "audit" is enabled; "api" is absent from the list literal,
# so the rule still reports the resource.
resource "aws_eks_cluster" "missing_api_logging" {
  # ruleid: eks-insufficient-control-plane-logging
  name = "my-cluster"
  enabled_cluster_log_types = ["audit"]
}
# Fixture: "api" followed by "audit" — suppressed by the rule's first
# pattern-not-inside clause.
resource "aws_eks_cluster" "ok_1" {
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = ["api", "audit"]
  name = "my-cluster"
}
# Fixture: "audit" followed by "api" — suppressed by the rule's second
# pattern-not-inside clause (reverse order).
resource "aws_eks_cluster" "ok_2" {
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = ["audit", "api"]
  name = "my-cluster"
}
# Fixture: an unrelated element sits between "api" and "audit"; the `...`
# placeholders in the rule's list pattern still let the suppression apply.
resource "aws_eks_cluster" "ok_3" {
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = ["api", "somethingelse", "audit"]
  name = "my-cluster"
}
# Fixture: all five control plane log types enabled in a multi-line list,
# with an interpolated name and a nested dynamic block, to check that the
# rule's suppression still applies to a more realistic resource body.
resource "aws_eks_cluster" "eks_cluster" {
  name = "my-cluster-${var.test}"
  # ok: eks-insufficient-control-plane-logging
  enabled_cluster_log_types = [
    "api",
    "audit",
    "authenticator",
    "controllerManager",
    "scheduler"
  ]
  # NOTE(review): `for_each = 1` is only a matcher fixture; real Terraform
  # expects a map or set here, so this block is not meant to be applied.
  dynamic "encryption_config" {
    for_each = 1
    content {
      provider {
        key_arn = aws_kms_key.k8s_cluster_secret_encryption_key.arn
      }
      resources = [
        "secrets"
      ]
    }
  }
}