Ensure that all Amazon EKS clusters use the "AmazonEKSClusterPolicy" managed policy to efficiently manage the resources that you use with the EKS service. "AmazonEKSClusterPolicy" is an AWS-managed policy that grants Kubernetes the necessary permissions to handle resources on your behalf. Specifically, Kubernetes needs permission to perform "EC2:CreateTags" operations, enabling it to add identifying information to various EC2 resources such as instances, security groups, and Elastic Network Interfaces (ENIs).
excellence
Implementing the "AmazonEKSClusterPolicy" managed policy for Amazon EKS clusters ensures secure access control, enables essential Kubernetes API operations, facilitates integration with other AWS cloud services, safeguards cluster operations, and provides regular updates from AWS for enhanced security and functionality.
Audit
To determine if your Amazon EKS cluster implement the "AmazonEKSClusterPolicy" policy, perform the following actions:
Remediation / Resolution
To ensure that your Amazon EKS clusters are configured to use the "AmazonEKSClusterPolicy" AWS-managed policy, perform the following actions:
References
- AWS Documentation
- Amazon EKS FAQs
- Amazon EKS clusters
- Amazon EKS cluster IAM role
- AmazonEKSClusterPolicy
- AWS Command Line Interface (CLI) Documentation
- list-clusters
- describe-cluster
- list-attached-role-policies
- attach-role-policy