---
title: EKS node group SSH access should be restricted to specific security groups
description: Datadog, the leading service for cloud-scale monitoring.
---

# EKS node group SSH access should be restricted to specific security groups
 
## Description{% #description %}

EKS managed node groups with SSH access enabled should restrict ingress to specific security groups rather than allowing connections from `0.0.0.0/0`. When an EC2 SSH key is configured on a node group without specifying source security groups, AWS automatically creates a security group that permits SSH (port 22) from any IP address, exposing the nodes to the internet.

## Remediation{% #remediation %}

Restrict SSH access on the EKS node group by specifying source security groups.

1. Open the [Amazon EKS console](https://console.aws.amazon.com/eks/home#/clusters).
1. Select the cluster, navigate to the **Compute** tab, and select the node group.
1. Update the node group's remote access configuration to include specific source security groups that are authorized for SSH access, or remove the SSH key if remote access is not needed.
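
To verify the result of these steps across node groups, the following added example (not part of the original page or of Datadog's rule logic) applies the check described above to JSON shaped like `aws eks describe-nodegroup` and `aws ec2 describe-security-groups` output. The helper names `audit` and `allows_world_ssh` are hypothetical, and all node group names, key names, and security group IDs are constructed sample data.

```python
import json

# Constructed samples shaped like the `nodegroup` object from `aws eks describe-nodegroup`
# and `SecurityGroups` from `aws ec2 describe-security-groups`. All names/IDs are made up.
NODEGROUPS = json.loads("""[
  {"nodegroupName": "ng-open", "remoteAccess": {"ec2SshKey": "ops-key"},
   "resources": {"remoteAccessSecurityGroup": "sg-0aaa"}},
  {"nodegroupName": "ng-restricted",
   "remoteAccess": {"ec2SshKey": "ops-key", "sourceSecurityGroups": ["sg-0bastion"]},
   "resources": {"remoteAccessSecurityGroup": "sg-0bbb"}},
  {"nodegroupName": "ng-no-ssh", "resources": {}}
]""")
SECURITY_GROUPS = json.loads("""[
  {"GroupId": "sg-0aaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}]}
]""")

def allows_world_ssh(sg):
    """True if any ingress rule covers TCP/22 from 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # Protocol "-1" means all traffic and carries no port range.
        if proto == "tcp" and not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False

def audit(nodegroups, security_groups):
    """Map node group name -> (status, remote-access SG is world-open on port 22)."""
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    results = {}
    for ng in nodegroups:
        remote = ng.get("remoteAccess") or {}
        sg = sgs.get((ng.get("resources") or {}).get("remoteAccessSecurityGroup"), {})
        if not remote.get("ec2SshKey"):
            status = "no_ssh_key"          # remote access not configured
        else:
            status = "restricted" if remote.get("sourceSecurityGroups") else "unrestricted"
        results[ng["nodegroupName"]] = (status, allows_world_ssh(sg))
    return results
```

A node group reported as `unrestricted` matches the condition this rule flags; the second tuple element confirms whether its remote access security group actually permits port 22 from any address.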
