Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use AWS-managed policy to manage AWS resources

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all Amazon EKS clusters use the "AmazonEKSClusterPolicy" managed policy to efficiently manage the resources that you use with the EKS service. "AmazonEKSClusterPolicy" is an AWS-managed policy that grants Kubernetes the necessary permissions to handle resources on your behalf. Specifically, Kubernetes needs permission to perform "EC2:CreateTags" operations, enabling it to add identifying information to various EC2 resources such as instances, security groups, and Elastic Network Interfaces (ENIs).

Security
Operational
excellence

Implementing the "AmazonEKSClusterPolicy" managed policy for Amazon EKS clusters ensures secure access control, enables essential Kubernetes API operations, facilitates integration with other AWS cloud services, safeguards cluster operations, and provides regular updates from AWS for enhanced security and functionality.


Audit

To determine if your Amazon EKS cluster implement the "AmazonEKSClusterPolicy" policy, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine.

05 Select the Overview tab and click on the ARN (link) of the associated IAM role, listed under Cluster IAM role ARN to access the IAM role configuration.

06 Select the Permissions tab to access the identity-based policies attached to the selected role.

07 In the Permissions policies section, check the name of each managed policy, listed in the Policy name column to determine the permissions defined for the selected role. To manage the cloud resources that you use with the EKS service, the associated IAM role should use the "AmazonEKSClusterPolicy" policy. If the "AmazonEKSClusterPolicy" policy is not listed in the Permissions policies section, the IAM access configuration available for the selected Amazon EKS cluster is not compliant.

08 Repeat steps no. 4 - 8 for each Amazon EKS cluster available within the current AWS region.

09 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EKS cluster available in the selected AWS region:

aws eks list-clusters
  --region us-east-1
  --output table
  --query 'clusters'

02 The command output should return a table with the requested EKS cluster names:

---------------------------
|      ListClusters       |
+-------------------------+
| cc-eks-webapp-cluster   |
| cc-eks-project5-cluster |
+-------------------------+

03 Run describe-cluster command (OSX/Linux/UNIX) with custom output filtering to describe the ARN of the IAM role associated with the selected Amazon EKS cluster:

aws eks describe-cluster 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --query 'cluster.roleArn'

04 The command output should return the Amazon Resource Name (ARN) of the associated IAM role:

"arn:aws:iam::123456789012:role/eksClusterRole"

05 Run list-attached-role-policies command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name (ARN) of each managed policy attached to the associated IAM role:

aws iam list-attached-role-policies
  --role-name eksClusterRole
  --query 'AttachedPolicies[*].PolicyArn'

06 The command output should return the ARN of each managed policy attached to the selected role:

[
	"arn:aws:iam::aws:policy/AdministratorAccess",
	"arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
]

If the list of managed policies returned by the list-attached-role-policies command output does not include the following ARN: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" (i.e. "AmazonEKSClusterPolicy" policy), the IAM access configuration available for the selected Amazon EKS cluster is not compliant.

07 Repeat steps no. 3 - 6 for each Amazon EKS cluster available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

Remediation / Resolution

To ensure that your Amazon EKS clusters are configured to use the "AmazonEKSClusterPolicy" AWS-managed policy, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to configure.

05 Select the Overview tab and click on the ARN (link) of the associated IAM role, listed under Cluster IAM role ARN to access the IAM role configuration.

06 Select the Permissions tab to access the identity-based policies attached to the selected role.

07 In the Permissions policies section, select Add permissions, choose Attach policies, select AmazonEKSClusterPolicy from the policies list, and choose Add permissions.

08 Repeat steps no. 4 – 7 for each Amazon EKS cluster provisioned within the current AWS region.

09 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run attach-role-policy command (OSX/Linux/UNIX) to attach the AmazonEKSClusterPolicy managed policy (i.e. "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy") to the IAM role associated with your Amazon EKS cluster (the command does not produce an output):

aws iam attach-role-policy
  --role-name eksClusterRole
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

02 Repeat step no. 1 for each Amazon EKS cluster provisioned in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date Jul 12, 2023