Ensure that all Amazon EKS cluster node groups use the "AmazonEKS_CNI_Policy" managed policy to manage cloud networking resources effectively.
excellence
"AmazonEKS_CNI_Policy" is an AWS-managed policy that provides the necessary permissions to the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) so that it can effectively modify the IP address configuration on your EKS worker nodes. This policy allows the CNI to perform essential tasks such as listing, describing, and modifying Elastic Network Interfaces (ENIs) on behalf of the cluster, ensuring proper networking functionality and communication within the Amazon EKS environment.
Audit
To determine if your EKS cluster node groups implement the "AmazonEKS_CNI_Policy" policy, perform the following operations:
Remediation / Resolution
To ensure that your EKS cluster node groups are configured to use the "AmazonEKS_CNI_Policy" managed policy to manage cloud networking resources, perform the following operations:
References
- AWS Documentation
- Amazon EKS FAQs
- Amazon EKS clusters
- Creating a managed node group
- Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts
- AmazonEKS_CNI_Policy
- AWS Command Line Interface (CLI) Documentation
- list-clusters
- list-nodegroups
- describe-nodegroup
- list-attached-role-policies
- attach-role-policy