For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-7os.md. A documentation index is available at /llms.txt.

EKS node group SSH access should be restricted to specific security groups

Description

EKS managed node groups with SSH access enabled should restrict ingress to specific security groups rather than allowing connections from 0.0.0.0/0. When an EC2 SSH key is configured on a node group without specifying source security groups, AWS automatically creates a security group that permits SSH (port 22) from any IP address, exposing the nodes to the internet.

Remediation

Restrict SSH access on the EKS node group by specifying source security groups.

  1. Open the Amazon EKS console.
  2. Select the cluster, navigate to the Compute tab, and select the node group.
  3. Update the node group’s remote access configuration to include specific source security groups that are authorized for SSH access, or remove the SSH key if remote access is not needed.
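To find which node groups need the remediation above, the check below flags a node group whose remoteAccess has an ec2SshKey but no sourceSecurityGroups, the exact condition the description says produces the 0.0.0.0/0 security group. This is an added example, not Datadog's or AWS's code; it reads the nodegroup object in the shape returned by the EKS DescribeNodegroup API, and the sample node groups are constructed.

```python
"""Flag EKS managed node groups whose SSH remote access is open to 0.0.0.0/0.

Input is the 'nodegroup' object returned by EKS DescribeNodegroup
(boto3: eks.describe_nodegroup(...)["nodegroup"]). Added example, not
Datadog's or AWS's code; the sample data below is constructed.
"""

PASS = "pass"                    # SSH disabled, or restricted to source SGs
FAIL_OPEN_SSH = "fail_open_ssh"  # ec2SshKey set, no source SGs -> 0.0.0.0/0


def evaluate_nodegroup(nodegroup: dict) -> dict:
    """Return a finding dict for a single node group."""
    name = nodegroup.get("nodegroupName", "<unknown>")
    remote = nodegroup.get("remoteAccess") or {}
    ssh_key = remote.get("ec2SshKey")
    source_sgs = remote.get("sourceSecurityGroups") or []

    if not ssh_key:  # no key means EKS creates no SSH ingress rule at all
        return {"nodegroup": name, "status": PASS, "reason": "SSH remote access not enabled"}
    if source_sgs:   # ingress on tcp/22 limited to these security groups
        return {"nodegroup": name, "status": PASS, "reason": "SSH limited to " + ", ".join(source_sgs)}
    return {"nodegroup": name, "status": FAIL_OPEN_SSH,
            "reason": f"ec2SshKey '{ssh_key}' set without sourceSecurityGroups; "
                      "EKS creates a security group allowing tcp/22 from 0.0.0.0/0"}


def scan_cluster(cluster_name: str) -> list:
    """Live variant: evaluate every node group of one cluster (needs boto3 + AWS creds)."""
    import boto3  # imported here so the offline sample below runs without it
    eks = boto3.client("eks")
    names = eks.list_nodegroups(clusterName=cluster_name)["nodegroups"]
    return [evaluate_nodegroup(eks.describe_nodegroup(clusterName=cluster_name,
                                                      nodegroupName=n)["nodegroup"]) for n in names]


# Constructed sample: three node groups as DescribeNodegroup would return them.
SAMPLE_NODEGROUPS = [
    {"nodegroupName": "ng-open", "remoteAccess": {"ec2SshKey": "ops-key"}},
    {"nodegroupName": "ng-restricted",
     "remoteAccess": {"ec2SshKey": "ops-key", "sourceSecurityGroups": ["sg-0123456789abcdef0"]}},
    {"nodegroupName": "ng-no-ssh"},
]


def failing_nodegroups(nodegroups=SAMPLE_NODEGROUPS) -> list:
    """Names of node groups that match this rule (SSH open to the internet)."""
    return [f["nodegroup"] for f in map(evaluate_nodegroup, nodegroups) if f["status"] == FAIL_OPEN_SSH]


if __name__ == "__main__":
    for f in map(evaluate_nodegroup, SAMPLE_NODEGROUPS):
        print(f"{f['nodegroup']:14} {f['status']:14} {f['reason']}")
```

Running the sample reports ng-open as the only failing node group; the other two either restrict SSH to a source security group or have no SSH key at all.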