False Positive report for EKS Clusters should have the public access disabled

[korporationcl]

IDs

AVD-AWS-0041, AVD-AWS-0040

Description

Trivy incorrectly flagged the EKS cluster configuration for public endpoint exposure.

Evidence

Current aws_eks_cluster configuration:

vpc_config {
  endpoint_private_access = true
  endpoint_public_access  = false

this triggers:

AVD-AWS-0040 (CRITICAL): Public cluster access is enabled.
════════════════════════════════════════
EKS clusters are available publicly by default, this should be explicitly disabled in the vpc_config of the EKS cluster resource.
See https://avd.aquasec.com/misconfig/avd-aws-0040


────────────────────────────────────────
AVD-AWS-0041 (CRITICAL): Cluster allows access from a public CIDR: 0.0.0.0/0
════════════════════════════════════════
EKS Clusters have public access cidrs set to 0.0.0.0/0 by default which is wide open to the internet. This should be explicitly set to a more specific private CIDR range
See https://avd.aquasec.com/misconfig/avd-aws-0041

moreover if you try to do something like:

public_access_cidrs     = []

Applying this change (with Terraform), will fail with:

Error: updating EKS Cluster (xxxxx) VPC configuration: operation error EKS: UpdateClusterConfig, https response error StatusCode: 400, RequestID: xxxxxxx, InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: false, and Public Endpoint Restrictions: [0.0.0.0/0]

Reproduction Steps

1. Manage your EKS cluster with Terraform using the code previously presented.
2. Run Trivy scan and wait until fails

Target

Git Repository

Scanner

Misconfiguration

Target OS

No response

Debug Output

$ trivy config --severity HIGH,CRITICAL --cache-dir ${TRIVY_CACHE_DIR} --exit-code 0 ${TF_PLAN_PATH}.tfplan.json
2025-12-09T03:15:54Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-12-09T03:15:56Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-12-09T03:15:56Z	INFO	Detected config files	num=2
Report Summary
┌─────────┬───────────────┬───────────────────┐
│ Target  │     Type      │ Misconfigurations │
├─────────┼───────────────┼───────────────────┤
│ .       │ terraformplan │         0         │
├─────────┼───────────────┼───────────────────┤
│ main.tf │ terraformplan │         3         │
└─────────┴───────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
main.tf (terraformplan)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 1, CRITICAL: 2)
AVD-AWS-0039 (HIGH): Cluster does not have secret encryption enabled.
════════════════════════════════════════
EKS cluster resources should have the encryption_config block set with protection of the secrets resource.
See https://avd.aquasec.com/misconfig/avd-aws-0039
────────────────────────────────────────
 main.tf:150-212
────────────────────────────────────────
 150 ┌ resource "aws_eks_cluster" "cluster_900f3fd5151516548eceed205a9eed1d" {
 151 │ 	arn = "arn:aws:eks:xxxxx:xxx:cluster/xxxxx"
 152 │ 	bootstrap_self_managed_addons = true
 153 │ 	created_at = "2024-06-05T20:05:24Z"
 154 │ 	deletion_protection = true
 155 │ 	enabled_cluster_log_types = "api"
 156 │ 	endpoint = "https://xxxxxxx"
 157 │ 	id = "xxxxx"
 158 └ 	name = "xxxxxxxxxx"
 ...   
────────────────────────────────────────
AVD-AWS-0040 (CRITICAL): Public cluster access is enabled.
════════════════════════════════════════
EKS clusters are available publicly by default, this should be explicitly disabled in the vpc_config of the EKS cluster resource.
See https://avd.aquasec.com/misconfig/avd-aws-0040
────────────────────────────────────────
 main.tf:197-211
   via main.tf:150-212 (aws_eks_cluster.cluster_900f3fd5151516548eceed205a9eed1d)
────────────────────────────────────────
 150   resource "aws_eks_cluster" "cluster_900f3fd5151516548eceed205a9eed1d" {
 ...   
 197 ┌ vpc_config {
 198 │ 	cluster_security_group_id = "sg-xxxxxxx"
 199 │ 	endpoint_private_access = true
 200 │ 	security_group_ids = [
 201 │ 	"xxxxxxxxxx",
 202 │ ]
 203 └ 	subnet_ids = [
 ...   
────────────────────────────────────────
AVD-AWS-0041 (CRITICAL): Cluster allows access from a public CIDR: 0.0.0.0/0
════════════════════════════════════════
EKS Clusters have public access cidrs set to 0.0.0.0/0 by default which is wide open to the internet. This should be explicitly set to a more specific private CIDR range
See https://avd.aquasec.com/misconfig/avd-aws-0041
────────────────────────────────────────
 main.tf:197-211
   via main.tf:150-212 (aws_eks_cluster.cluster_900f3fd5151516548eceed205a9eed1d)
────────────────────────────────────────
 150   resource "aws_eks_cluster" "cluster_900f3fd5151516548eceed205a9eed1d" {
 ...   
 197 ┌ vpc_config {
 198 │ 	cluster_security_group_id = "sg-xxxxxx"
 199 │ 	endpoint_private_access = true
 200 │ 	security_group_ids = [
 201 │ 	"sg-xxxxxxxxx",
 202 │ ]
 203 └ 	subnet_ids = [

Version

0.68.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Hi @korporationcl !

I scanned your configuration example and did not reproduce the problem:

❯ cat main.tf
resource "aws_eks_cluster" "test" {
  vpc_config {
    endpoint_private_access = true
    endpoint_public_access = false
  }
}%                                                                                                                                                 
❯ trivy conf main.tf -q | grep -E "AVD-AWS-0040|AVD-AWS-0041"

Do you have endpoint_public_access = false specified? Because by default, this attribute is set to true if it is not specified.

[korporationcl]

yeah I have it specified as false (sorry I can't share everything but pretty much):

 vpc_config {
    endpoint_private_access = true
    endpoint_public_access  = false
    security_group_ids      = [aws_security_group.eks_control_plane.id]
    subnet_ids              = var.subnet_ids
  }

[nikpivkin]

Strange. I gave the example above that misfigurations are not detected for such a configuration.