

Sample rules

A few rules that use objects from this package:

from typing import List, Dict

from import AwsBaseRule
from import AwsEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType

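class PublicAccessEksApiRule(AwsBaseRule):
    """Flag EKS clusters whose control-plane API is reachable from the internet.

    The detection condition is the cluster's derived
    ``security_group_allowing_public_access`` attribute: when it is set, some
    security group attached to the cluster's network admits traffic from the
    internet, and that security group is reported as the violating resource
    with the cluster as the exposed one. The rule does not itself inspect
    ``endpoint_public_access`` or ``public_access_cidrs``; it relies on the
    context having already resolved them into that attribute.
    """

    def get_id(self) -> str:
        """Return the stable identifier under which findings of this rule are reported."""
        return 'public_access_eks_api'

    @staticmethod
    def _friendly_names(entities) -> str:
        """Join the friendly names of *entities* into one comma-separated string.

        Used to render the evidence text; the separator matches the original
        message format exactly.
        """
        return ", ".join(x.get_friendly_name() for x in entities)

    def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Evaluate every EKS cluster in *env_context* and return one Issue per exposed cluster.

        Args:
            env_context: The AWS environment to inspect; only ``eks_clusters`` is read.
            parameters: Rule parameters. This rule is parameterless and ignores
                them. (The annotation uses the builtin ``any`` rather than
                ``typing.Any``; kept as-is for interface compatibility.)

        Returns:
            A list of Issues, empty when no cluster is publicly accessible.
        """
        issues: List[Issue] = []
        for eks_cluster in env_context.eks_clusters:
            violating_security_group = eks_cluster.security_group_allowing_public_access
            if not violating_security_group:
                continue
            network = eks_cluster.network_resource
            subnets = network.subnets
            # Evidence text walks the exposure path from the internet down to the
            # cluster: security groups, subnets, their NACLs and route tables.
            evidence = (
                f'~Internet~. '
                f'{eks_cluster.get_type()} `{eks_cluster.get_friendly_name()}` '
                f'is on {network.vpc.get_type()}'
                f' `{network.vpc.get_friendly_name()}`. '
                f'Master is protected by security groups '
                f'`{self._friendly_names(network.security_groups)}`. '
                f'{eks_cluster.get_type()} uses subnets'
                f' `{self._friendly_names(subnets)}`. '
                f"Subnets rely on Network ACL's "
                f'`{self._friendly_names(x.network_acl for x in subnets)}`. '
                f'They also rely on Route tables '
                f'`{self._friendly_names(x.route_table for x in subnets)}`. '
                f'{eks_cluster.get_type()} is set to be publicly accessible'
            )
            # Without this append the rule would build the message and silently
            # report nothing. NOTE(review): argument order assumed to be
            # Issue(evidence, exposed, violating) — confirm against base_rule.
            issues.append(Issue(evidence, eks_cluster, violating_security_group))
        return issues

    def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
        """Run only when the environment contains at least one EKS cluster."""
        return bool(environment_context.eks_clusters)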

EksCluster (NetworkEntity, INetworkConfiguration)


Name Type Description

The name of the EKS Cluster.

arn str

The ARN of the EKS Cluster.

role_arn str

The ARN of the role used with the cluster.

endpoint str

The endpoint of the cluster.


The IDs of the security groups used by nodes in the cluster.

cluster_security_group_id Optional[str]

The id of the security group used with the endpoint.


The subnets the nodes are attached to.

endpoint_public_access bool

True if the endpoint allows public access.

endpoint_private_access bool

True if the endpoint allows private access.

public_access_cidrs List[str]

The CIDR blocks public access is allowed from.

port int

The port the endpoint is listening on.

security_group_allowing_public_access Optional[SecurityGroup]

A security group that allows access from the internet. This value is None when the resource is not accessible from the internet.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated.

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process.