feat(aws) Add check to make sure EKS clusters have a supported version (#4604)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
2025-12-19 05:17:47 +00:00 · 2024-08-06 10:40:05 -07:00
parent f746a9e742
commit 086c203e6b
10 changed files with 288 additions and 1 deletions
--- a/docs/tutorials/configuration_file.md
+++ b/docs/tutorials/configuration_file.md
@@ -44,7 +44,7 @@ The following list includes all the AWS checks with configurable variables that
 | `ec2_securitygroup_allow_ingress_from_internet_to_any_port`   | `ec2_allowed_instance_owners`                    | List of Strings |
 | `acm_certificates_expiration_check`                           | `days_to_expire_threshold`                       | Integer         |
 | `eks_control_plane_logging_all_types_enabled`                 | `eks_required_log_types`                         | List of Strings |
-
+| `eks_cluster_uses_a_supported_version`                        | `eks_cluster_oldest_version_supported`                 | String          |

 ## Azure

@@ -368,6 +368,10 @@ aws:
      "scheduler",
    ]

+  # aws.eks_cluster_uses_a_supported_version
+  # EKS clusters must be version 1.28 or higher
+  eks_cluster_oldest_version_supported: "1.28"
+
 # Azure Configuration
 azure:
  # Azure Network Configuration
--- a/prowler/config/config.yaml
+++ b/prowler/config/config.yaml
@@ -284,6 +284,10 @@ aws:
      "scheduler",
    ]

+  # aws.eks_cluster_uses_a_supported_version
+  # EKS clusters must be version 1.28 or higher
+  eks_cluster_oldest_version_supported: "1.28"
+
 # Azure Configuration
 azure:
  # Azure Network Configuration
--- a/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/init.py
+++ b/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/init.py
--- a/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json
+++ b/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "eks_cluster_uses_a_supported_version",
+  "CheckTitle": "Ensure Kubernetes cluster runs on a supported Kubernetes version",
+  "CheckType": [],
+  "ServiceName": "eks",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "high",
+  "ResourceType": "AwsEksCluster",
+  "Description": "Ensure Kubernetes cluster runs on a supported Kubernetes version",
+  "Risk": "Running an Amazon EKS cluster on an unsupported Kubernetes version exposes it to common security vulnerabilities",
+  "RelatedUrl": "https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws eks update-cluster-version --region <region> --name <cluster_name> --kubernetes-version <latest_supported_version>",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EKS/kubernetes-version.html",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that is supported by EKS for your clusters.",
+      "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/eks-controls.html#eks-2"
+    }
+  },
+  "Categories": [
+    "vulnerabilities"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
--- a/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py
+++ b/prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py
@@ -0,0 +1,39 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.eks.eks_client import eks_client
+
+
+class eks_cluster_uses_a_supported_version(Check):
+    def execute(self) -> Check_Report_AWS:
+        findings = []
+
+        eks_cluster_oldest_version_supported = eks_client.audit_config.get(
+            "eks_cluster_oldest_version_supported", "1.28"
+        )
+        eks_version_major, eks_version_minor = map(
+            int, eks_cluster_oldest_version_supported.split(".")
+        )
+
+        for cluster in eks_client.clusters:
+            report = Check_Report_AWS(self.metadata())
+            report.region = cluster.region
+            report.resource_id = cluster.name
+            report.resource_arn = cluster.arn
+            report.resource_tags = cluster.tags
+
+            cluster_version_major, cluster_version_minor = map(
+                int, cluster.version.split(".")
+            )
+
+            if (cluster_version_major < eks_version_major) or (
+                cluster_version_major == eks_version_major
+                and cluster_version_minor < eks_version_minor
+            ):
+                report.status = "FAIL"
+                report.status_extended = f"EKS cluster {cluster.name} is using version {cluster.version}. It should be one of the supported versions: {eks_cluster_oldest_version_supported} or higher."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"EKS cluster {cluster.name} is using version {cluster.version} that is supported by AWS."
+
+            findings.append(report)
+
+        return findings
--- a/prowler/providers/aws/services/eks/eks_service.py
+++ b/prowler/providers/aws/services/eks/eks_service.py
@@ -85,6 +85,7 @@ class EKS(AWSService):
                if "encryptionConfig" in describe_cluster["cluster"]:
                    cluster.encryptionConfig = True
                cluster.tags = [describe_cluster["cluster"].get("tags")]
+                cluster.version = describe_cluster["cluster"].get("version", "")

        except Exception as error:
            logger.error(
@@ -101,6 +102,7 @@ class EKSCluster(BaseModel):
    name: str
    arn: str
    region: str
+    version: str = None
    logging: EKSClusterLoggingEntity = None
    security_group_id: str = None
    endpoint_public_access: bool = None
--- a/tests/config/config_test.py
+++ b/tests/config/config_test.py
@@ -269,6 +269,7 @@ config_aws = {
        "controllerManager",
        "scheduler",
    ],
+    "eks_cluster_oldest_version_supported": "1.28",
 }

 config_azure = {
--- a/tests/config/fixtures/config.yaml
+++ b/tests/config/fixtures/config.yaml
@@ -284,6 +284,9 @@ aws:
        "scheduler",
    ]

+  # aws.eks_cluster_uses_a_supported_version
+  # EKS clusters must be version 1.28 or higher
+  eks_cluster_oldest_version_supported: "1.28"

 # Azure Configuration
 azure:
--- a/tests/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py
+++ b/tests/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py
@@ -0,0 +1,201 @@
+from unittest import mock
+
+from prowler.providers.aws.services.eks.eks_service import EKSCluster
+from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_EU_WEST_1
+
+cluster_name = "cluster_test"
+cluster_arn = (
+    f"arn:aws:eks:{AWS_REGION_EU_WEST_1}:{AWS_ACCOUNT_NUMBER}:cluster/{cluster_name}"
+)
+
+
+class Test_eks_cluster_ensure_version_is_supported:
+    def test_no_clusters(self):
+        eks_client = mock.MagicMock
+        eks_client.clusters = []
+        with mock.patch(
+            "prowler.providers.aws.services.eks.eks_service.EKS",
+            eks_client,
+        ):
+            from prowler.providers.aws.services.eks.eks_cluster_uses_a_supported_version.eks_cluster_uses_a_supported_version import (
+                eks_cluster_uses_a_supported_version,
+            )
+
+            check = eks_cluster_uses_a_supported_version()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_eks_cluster_not_using_a_supported_minor_version(self):
+        eks_client = mock.MagicMock
+        eks_client.audit_config = {"eks_cluster_oldest_version_supported": "1.28"}
+        eks_client.clusters = []
+        eks_client.clusters.append(
+            EKSCluster(
+                name=cluster_name,
+                version="1.22",
+                arn=cluster_arn,
+                region=AWS_REGION_EU_WEST_1,
+                logging=None,
+            )
+        )
+
+        with mock.patch(
+            "prowler.providers.aws.services.eks.eks_service.EKS",
+            eks_client,
+        ):
+            from prowler.providers.aws.services.eks.eks_cluster_uses_a_supported_version.eks_cluster_uses_a_supported_version import (
+                eks_cluster_uses_a_supported_version,
+            )
+
+            check = eks_cluster_uses_a_supported_version()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"EKS cluster {cluster_name} is in version 1.22. It should be one of the next supported versions: 1.28 or higher"
+            )
+            assert result[0].resource_id == cluster_name
+            assert result[0].resource_arn == cluster_arn
+            assert result[0].resource_tags == []
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    def test_eks_cluster_not_using_a_supported_major_version(self):
+        eks_client = mock.MagicMock
+        eks_client.audit_config = {"eks_cluster_oldest_version_supported": "1.28"}
+        eks_client.clusters = []
+        eks_client.clusters.append(
+            EKSCluster(
+                name=cluster_name,
+                version="0.22",
+                arn=cluster_arn,
+                region=AWS_REGION_EU_WEST_1,
+                logging=None,
+            )
+        )
+
+        with mock.patch(
+            "prowler.providers.aws.services.eks.eks_service.EKS",
+            eks_client,
+        ):
+            from prowler.providers.aws.services.eks.eks_cluster_uses_a_supported_version.eks_cluster_uses_a_supported_version import (
+                eks_cluster_uses_a_supported_version,
+            )
+
+            check = eks_cluster_uses_a_supported_version()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"EKS cluster {cluster_name} is in version 0.22. It should be one of the next supported versions: 1.28 or higher"
+            )
+            assert result[0].resource_id == cluster_name
+            assert result[0].resource_arn == cluster_arn
+            assert result[0].resource_tags == []
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    def test_eks_cluster_using_a_supported_version_ver_1_28(self):
+        eks_client = mock.MagicMock
+        eks_client.audit_config = {"eks_cluster_oldest_version_supported": "1.28"}
+        eks_client.clusters = []
+        eks_client.clusters.append(
+            EKSCluster(
+                name=cluster_name,
+                version="1.28",
+                arn=cluster_arn,
+                region=AWS_REGION_EU_WEST_1,
+                logging=None,
+            )
+        )
+
+        with mock.patch(
+            "prowler.providers.aws.services.eks.eks_service.EKS",
+            eks_client,
+        ):
+            from prowler.providers.aws.services.eks.eks_cluster_uses_a_supported_version.eks_cluster_uses_a_supported_version import (
+                eks_cluster_uses_a_supported_version,
+            )
+
+            check = eks_cluster_uses_a_supported_version()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"EKS cluster {cluster_name} is using version 1.28 that is supported by AWS."
+            )
+            assert result[0].resource_id == cluster_name
+            assert result[0].resource_arn == cluster_arn
+            assert result[0].resource_tags == []
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    def test_eks_cluster_using_a_supported_version_ver_1_29(self):
+        eks_client = mock.MagicMock
+        eks_client.audit_config = {"eks_cluster_oldest_version_supported": "1.28"}
+        eks_client.clusters = []
+        eks_client.clusters.append(
+            EKSCluster(
+                name=cluster_name,
+                version="1.29",
+                arn=cluster_arn,
+                region=AWS_REGION_EU_WEST_1,
+                logging=None,
+            )
+        )
+
+        with mock.patch(
+            "prowler.providers.aws.services.eks.eks_service.EKS",
+            eks_client,
+        ):
+            from prowler.providers.aws.services.eks.eks_cluster_uses_a_supported_version.eks_cluster_uses_a_supported_version import (
+                eks_cluster_uses_a_supported_version,
+            )
+
+            check = eks_cluster_uses_a_supported_version()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"EKS cluster {cluster_name} is using version 1.29 that is supported by AWS."
+            )
+            assert result[0].resource_id == cluster_name
+            assert result[0].resource_arn == cluster_arn
+            assert result[0].resource_tags == []
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    def test_eks_cluster_using_a_supported_version_ver_1_30(self):
+        eks_client = mock.MagicMock
+        eks_client.audit_config = {"eks_cluster_oldest_version_supported": "1.28"}
+        eks_client.clusters = []
+        eks_client.clusters.append(
+            EKSCluster(
+                name=cluster_name,
+                version="1.30",
+                arn=cluster_arn,
+                region=AWS_REGION_EU_WEST_1,
+                logging=None,
+            )
+        )
+
+        with mock.patch(
+            "prowler.providers.aws.services.eks.eks_service.EKS",
+            eks_client,
+        ):
+            from prowler.providers.aws.services.eks.eks_cluster_uses_a_supported_version.eks_cluster_uses_a_supported_version import (
+                eks_cluster_uses_a_supported_version,
+            )
+
+            check = eks_cluster_uses_a_supported_version()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"EKS cluster {cluster_name} is using version 1.30 that is supported by AWS."
+            )
+            assert result[0].resource_id == cluster_name
+            assert result[0].resource_arn == cluster_arn
+            assert result[0].resource_tags == []
+            assert result[0].region == AWS_REGION_EU_WEST_1
--- a/tests/providers/aws/services/eks/eks_service_test.py
+++ b/tests/providers/aws/services/eks/eks_service_test.py
@@ -138,3 +138,4 @@ class Test_EKS_Service:
        assert eks.clusters[0].endpoint_private_access
        assert eks.clusters[0].public_access_cidrs == ["0.0.0.0/0"]
        assert eks.clusters[0].encryptionConfig
+        assert eks.clusters[0].version == "1.10"