--- title: EKS cluster has public access description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > EKS cluster has public access --- # EKS cluster has public access {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-eks-cluster-has-public-access` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) ### Description{% #description %} This check verifies that the `endpoint_public_access` attribute within the `vpc_config` block of an `aws_eks_cluster` resource is set to `false`. Allowing public access by setting `endpoint_public_access = true` exposes the EKS cluster's management endpoint to the internet, substantially increasing the risk of unauthorized access or potential attacks. Restricting the endpoint to private access ensures that only resources within the VPC can communicate with the EKS API, reducing the cluster's exposure and improving overall security. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_eks_cluster" "negative1" { name = "example" role_arn = aws_iam_role.example.arn vpc_config { subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id] endpoint_public_access = false } # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. depends_on = [ aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy, ] } output "endpoint" { value = aws_eks_cluster.example.endpoint } output "kubeconfig-certificate-authority-data" { value = aws_eks_cluster.example.certificate_authority[0].data } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_eks_cluster" "positive1" { name = "example" role_arn = aws_iam_role.example.arn vpc_config { subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id] endpoint_public_access = true } # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. depends_on = [ aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy, ] } output "endpoint" { value = aws_eks_cluster.example.endpoint } output "kubeconfig-certificate-authority-data" { value = aws_eks_cluster.example.certificate_authority[0].data } ```