This repository was archived by the owner on Mar 17, 2026. It is now read-only.

Security: jtaylortech/rapid-eks

SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: jtaylortechnologies@gmail.com

Include the following information:

  • Type of vulnerability
  • Steps to reproduce
  • Affected versions
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Target: Within 30 days (critical vulnerabilities prioritized)

Disclosure Policy

  • We will coordinate disclosure with you
  • Credit will be given to the reporter (unless you prefer to remain anonymous)
  • We will notify users via GitHub Security Advisories

Security Best Practices

For Users

AWS Credentials:

  • Use IAM roles with least privilege
  • Never commit AWS credentials to code
  • Rotate credentials regularly
  • Use AWS SSO or temporary credentials when possible

State Files:

  • .rapid-eks/ directory contains sensitive state
  • Never commit .rapid-eks/ to version control
  • Use remote state with encryption for production
  • Restrict access to state files

Cluster Access:

  • Rotate kubeconfig credentials regularly
  • Use RBAC for fine-grained access control
  • Enable audit logging in EKS
  • Regularly update cluster to latest Kubernetes version

Network Security:

  • Review security group rules before deployment
  • Use private API endpoints for production clusters
  • Implement network policies in Kubernetes
  • Monitor network traffic for anomalies

For Contributors

Code Review:

  • All code changes require review
  • Security-sensitive changes require additional scrutiny
  • Run security scanners before submitting PRs

Dependencies:

  • Keep dependencies up to date
  • Review dependency changes in PRs
  • Use poetry show --outdated regularly
  • Monitor for CVEs in dependencies

Secrets Management:

  • Never commit secrets to repository
  • Use environment variables or AWS Secrets Manager
  • Rotate secrets automatically
  • Use pre-commit hooks to prevent secret leaks

Known Security Considerations

IAM Permissions

rapid-eks requires broad IAM permissions to create infrastructure:

  • eks:* - EKS cluster management
  • ec2:* - VPC and network resources
  • iam:* - IRSA role creation
  • cloudformation:* - CDK deployments (future)

Mitigation:

  • Use a dedicated IAM user/role for rapid-eks
  • Implement SCPs (Service Control Policies) to limit blast radius
  • Review CloudTrail logs regularly
  • Use --dry-run equivalent (terraform plan) before applying

IRSA (IAM Roles for Service Accounts)

IRSA roles are created with specific trust policies:

  • Scoped to specific service accounts
  • Scoped to specific namespaces
  • Uses OIDC provider for authentication

Review generated IAM policies before deployment.
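As an added example (not code from the rapid-eks project), here is a review check for the scoping described above: it walks a trust policy's AssumeRoleWithWebIdentity statements and reports any whose OIDC conditions do not pin aud to STS and sub to exactly one namespace and service account. The sample policies, the account id and the OIDC provider id are constructed placeholders.

```python
import copy

# Constructed IRSA trust policy in the shape EKS generates; the account id and
# OIDC provider id are placeholders, not values from the rapid-eks project.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:aud": "sts.amazonaws.com",
            f"{OIDC}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
        }},
    }],
}
# Same policy with the sub condition loosened to a wildcard: any service account
# in any namespace of this cluster could then assume the role.
WILDCARD_POLICY = copy.deepcopy(SCOPED_POLICY)
WILDCARD_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC}:sub": "system:serviceaccount:*:*"},
}

def irsa_trust_findings(policy: dict, oidc_provider: str) -> list[str]:
    """Return review findings for every AssumeRoleWithWebIdentity statement.
    An empty list means each one pins aud to STS and sub to exactly one
    namespace and service account, which is the scoping the text describes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue  # not a web-identity statement; outside this check
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = equals.get(f"{oidc_provider}:sub") or like.get(f"{oidc_provider}:sub")
        if subs is None:
            findings.append(f"statement {i}: no sub condition, so any pod token is accepted")
            continue
        for sub in subs if isinstance(subs, list) else [subs]:
            parts = sub.split(":")  # system:serviceaccount:<namespace>:<name>
            if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
                findings.append(f"statement {i}: unexpected sub format {sub!r}")
            elif any("*" in p or "?" in p for p in parts[2:]):
                findings.append(f"statement {i}: namespace or service account is wildcarded in {sub!r}")
    return findings
```

Run it against the trust policy JSON rapid-eks generates (loaded with json.load) before applying; a non-empty result is the signal to inspect the role by hand.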

Terraform State

Terraform state files contain sensitive information:

  • Cluster certificates
  • IAM role ARNs
  • Resource IDs

Mitigation:

  • State files are excluded in .gitignore
  • Use remote state with encryption for teams
  • Restrict access to state files
  • Enable versioning on S3 state buckets

Container Images

Addons use public container images:

  • Prometheus, Grafana, Karpenter, ALB Controller
  • Images pulled from public registries

Mitigation:

  • Pin specific image versions (not latest)
  • Use private ECR mirror for production (manual step)
  • Scan images for vulnerabilities regularly
  • Implement admission controllers to enforce policies

Security Updates

  • Watch GitHub releases for security updates
  • Subscribe to GitHub Security Advisories
  • Monitor AWS EKS security bulletins
  • Update clusters regularly

Vulnerability Disclosure Timeline

Critical vulnerabilities:

  1. Fix developed and tested (0-7 days)
  2. Private disclosure to affected users (if identifiable)
  3. Public disclosure via GitHub Advisory (7-14 days after fix)
  4. Release with fix deployed

Medium/Low vulnerabilities:

  1. Fix developed and tested (7-30 days)
  2. Public disclosure via GitHub Advisory
  3. Release with fix deployed

Contact

Security Issues: jtaylortechnologies@gmail.com
General Support: https://github.com/jtaylortech/rapid-eks/issues

Acknowledgments

We thank the security community for responsible disclosure and collaboration.


Last Updated: 2025-10-29
Version: 1.0