AWS Amazon EKS Cluster

This page shows how to write Terraform and CloudFormation for an Amazon EKS Cluster, and how to write them securely.

aws_eks_cluster (Terraform)

The Cluster in Amazon EKS can be configured in Terraform with the resource name aws_eks_cluster. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

aws_eks_control_logging.tf#L1
resource "aws_eks_cluster" "allowed" {
  encryption_config {
    provider  = "x"
    resources = ["y"]
  }
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}

aws_eks_public_access_denied.tf#L1
resource "aws_eks_cluster" "denied" {
  vpc_config {
  }
}

resource "aws_eks_cluster" "denied_2" {

aws_eks_public_access_allowed.tf#L1
resource "aws_eks_cluster" "allowed" {
  vpc_config {
    endpoint_public_access = false
  }
}

main.tf#L3
resource "aws_eks_cluster" "enabled" {
  name     = "eks"
  role_arn = var.role_arn

  vpc_config {
    subnet_ids = var.subnet_ids
  }
}

eks-public-endpoint-enabled.tf#L2
resource "aws_eks_cluster" "example" {
  name     = "example"
  role_arn = aws_iam_role.example.arn
  vpc_config {
    subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
  }
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_eks_cluster

There are 4 settings in aws_eks_cluster that should be taken care of for security reasons. The following sections give an overview and example code.

Ensure public access for AWS EKS cluster endpoint is disabled

It is better to disable public access for the AWS EKS cluster endpoint. To reduce the security risks, it is recommended to disable public access and to connect to the cluster from within the VPC.

Ensure a CIDR range for AWS EKS cluster endpoint access is restricted enough

It is better to restrict the CIDR range that can reach the AWS EKS cluster endpoint to known source addresses.

Ensure to enable control plane logging of your EKS cluster

It is better to enable EKS control plane logging, which provides diagnostic logs of your clusters that can be used to detect anomalous activity.

Ensure to enable envelope encryption of EKS secrets

It is better to enable envelope encryption of EKS secrets. Envelope encryption of EKS secrets with your own KMS key works as an additional layer of encryption for Kubernetes secrets.
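An added Terraform example (written for this page, not taken from any of the GitHub files listed above) that puts the four checks side by side: the first resource carries the weak defaults each check flags, the second the hardened form. aws_iam_role.cluster, aws_subnet.private_a/private_b and aws_kms_key.eks_secrets are assumed resources defined elsewhere, and 203.0.113.0/24 is a constructed operator address range.

```hcl
# Weak: the endpoint is public and reachable from any address (the provider
# default for public_access_cidrs is ["0.0.0.0/0"]), no control plane log
# types are enabled, and Kubernetes secrets get no envelope encryption.
resource "aws_eks_cluster" "weak" {
  name     = "example-weak"
  role_arn = aws_iam_role.cluster.arn # assumed IAM role resource

  vpc_config {
    subnet_ids             = [aws_subnet.private_a.id, aws_subnet.private_b.id]
    endpoint_public_access = true
    # public_access_cidrs omitted: defaults to ["0.0.0.0/0"]
  }
}

# Hardened: private endpoint only, all five control plane log types enabled,
# and secrets wrapped with a customer-managed KMS key.
resource "aws_eks_cluster" "hardened" {
  name     = "example-hardened"
  role_arn = aws_iam_role.cluster.arn # assumed IAM role resource

  vpc_config {
    subnet_ids              = [aws_subnet.private_a.id, aws_subnet.private_b.id]
    endpoint_private_access = true
    endpoint_public_access  = false
    # If a public endpoint cannot be avoided, restrict it instead of leaving
    # the default open range:
    #   endpoint_public_access = true
    #   public_access_cidrs    = ["203.0.113.0/24"] # constructed operator range
  }

  # Ship API server, audit, authenticator, controller manager and scheduler
  # logs so that unusual API activity can be investigated later.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # Envelope encryption of Kubernetes secrets with a KMS key.
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn # assumed KMS key resource
    }
    resources = ["secrets"]
  }
}
```

With endpoint_public_access set to false, kubectl and the nodes must reach the API server from inside the VPC (or over a peering/VPN path into it), so confirm that path exists before flipping the setting on an existing cluster.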

Review your AWS Amazon EKS settings

You can check whether the aws_eks_cluster settings in your .tf file are correct in 3 minutes with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages an EKS Cluster.

Hands-on: For an example of aws_eks_cluster in use, follow the Provision an EKS Cluster tutorial on HashiCorp Learn.

AWS::EKS::Cluster (CloudFormation)

The Cluster in EKS can be configured in CloudFormation with the resource name AWS::EKS::Cluster. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

EKSSecretEncryption-FAILED.yml#L4
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: prod
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI

EKSSecretEncryption-PASSED.yml#L4
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: prod
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI

EKSSecretEncryption-FAILED.yml#L4
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: prod
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI

EKSSecretEncryption-FAILED.yml#L4
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: prod
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI

cluster_creation.yml#L3
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: capstone
      Version: '1.17'
      RoleArn: >-
        arn:aws:iam::482702493340:role/capstone-eksClusterRole-1R1BL5XNESDCS

config.ListDiscoveredResources_1.json#L6
                "resourceType": "AWS::EKS::Cluster",
                "resourceId": "kapil-dev",
                "resourceName": "kapil-dev"
            }
        ],
        "ResponseMetadata": {}

AWS_EKS_MasterNodeVersion.json#L4
            "Type": "AWS::EKS::Cluster",
            "Properties": {
                "Name": "prod",
                "Version": "1.9",
                "RoleArn": "arn:aws:iam::349006084872:role/EKS",
                "ResourcesVpcConfig": {

eks-template.json#L34
      "Type":"AWS::EKS::Cluster",
      "Properties":{
        "Name":{
          "Ref":"ClusterName"
        },
        "Version":{

eks-cluster.json#L26
            "Type": "AWS::EKS::Cluster",
            "Properties":
            {
                "Name": {"Ref": "ClusterName"},
                "Version": "1.11",
                "RoleArn": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/${ServiceRole}"},

eks-cluster.json#L26
            "Type": "AWS::EKS::Cluster",
            "Properties":
            {
                "Name": {"Ref": "ClusterName"},
                "Version": "1.11",
                "RoleArn": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/${ServiceRole}"},

Parameters

Explanation in CloudFormation Registry

Creates an Amazon EKS control plane. The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by AWS, and the Kubernetes API is exposed via the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single-tenant and unique and runs on its own set of Amazon EC2 instances.

The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support kubectl exec, logs, and proxy data flows).

Amazon EKS nodes run in your AWS account and connect to your cluster's control plane via the Kubernetes API server endpoint and a certificate file that is created for your cluster.

Cluster creation typically takes several minutes. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS nodes in the Amazon EKS User Guide.

Frequently asked questions

What is AWS Amazon EKS Cluster?

AWS Amazon EKS Cluster is a resource for Amazon EKS of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon EKS Cluster?

For Terraform, the snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the bridgecrewio/checkov and melscoop-test/check source code examples are useful. See the CloudFormation Example section for further details.