End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Enable Cluster Access Management API

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Streamline and enhance cluster access control by exclusively enabling the Cluster Access Management API for your Amazon EKS clusters. This API simplifies, secures, and scales Amazon EKS access, replacing the error-prone "aws-auth" configMap method.

Security

The Cluster Access Management API replaces the "aws-auth" ConfigMap as the mechanism that maps AWS IAM principals to Kubernetes Role-Based Access Control (RBAC). Access entries are created, listed, and deleted through the Amazon EKS API, so they are governed by IAM permissions and recorded in AWS CloudTrail, instead of living in a ConfigMap in the kube-system namespace that any principal with write access to it can edit and that, when malformed, can break authentication for the whole cluster. This reduces operational overhead and makes it easier to enforce the Principle of Least Privilege (POLP). Note that once a cluster's authentication mode is set to API, the "aws-auth" ConfigMap is ignored entirely and the mode cannot be changed back, so every IAM principal that still needs access, including the IAM role of any self-managed node group, must have an access entry before the switch.


Audit

To determine whether the Cluster Access Management API is the only authentication method configured for your Amazon EKS clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine, listed in the Cluster name column.

05 Select the Access tab to view the access control settings available for the selected cluster.

06 In the Access configuration section, check the Authentication mode configuration attribute value. If the Authentication mode attribute value is not set to EKS API (i.e. it is ConfigMap or EKS API and ConfigMap), the Cluster Access Management API is not the only authentication method configured for the selected Amazon EKS cluster: the cluster still honors the "aws-auth" ConfigMap, so access can be granted outside the IAM-governed access entries, and the two sources must be kept consistent by hand, which makes access reviews and troubleshooting harder.

07 Repeat steps no. 4 - 6 for each Amazon EKS cluster available within the current AWS region.

08 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EKS cluster available in the selected AWS region:

aws eks list-clusters \
	--region us-east-1 \
	--output table \
	--query 'clusters'

02 The command output should return a table with the requested EKS cluster identifiers (names):

-----------------------------
|       ListClusters        |
+---------------------------+
|  cc-project5-eks-cluster  |
|  cc-eks-kube-app-stack    |
+---------------------------+

03 Run describe-cluster command (OSX/Linux/UNIX) with the name of the Amazon EKS cluster that you want to examine as the identifier parameter and custom output filters to describe the authentication mode configured for the selected EKS cluster:

aws eks describe-cluster \
	--region us-east-1 \
	--name cc-project5-eks-cluster \
	--query "cluster.accessConfig.authenticationMode"

04 The command output should return the authentication mode configured for the specified cluster. When "authenticationMode" is set to "CONFIG_MAP", only the "aws-auth" configMap is used. When "authenticationMode" is set to "API_AND_CONFIG_MAP", both access control methods are enabled and the cluster will source authenticated IAM principals from both Amazon EKS access entry APIs and the "aws-auth" configMap. When "authenticationMode" is set to "API", the Cluster Access Management API is the only authentication method used for the selected EKS cluster (recommended):

"API_AND_CONFIG_MAP"

If the describe-cluster command output returns "CONFIG_MAP" or "API_AND_CONFIG_MAP", as shown in the output example above, the Cluster Access Management API is not the only authentication method configured for the selected Amazon EKS cluster: the "aws-auth" configMap still grants access, outside of the IAM-governed access entries, and the two sources must be kept consistent by hand, which makes access reviews and troubleshooting harder. Note that the authentication mode only moves forward: a cluster in "CONFIG_MAP" mode should first be moved to "API_AND_CONFIG_MAP", so that access entries can be created while the configMap still grants access, and then to "API"; a cluster in "API" mode cannot be moved back.

05 Repeat steps no. 3 and 4 for each Amazon EKS cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To ensure that your Amazon EKS clusters are exclusively using the Cluster Access Management API for authentication, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to configure, listed in the Cluster name column.

05 Select the Access tab to view the access control settings available for the selected cluster.

06 In the Access configuration section, choose Manage access to change the access configuration for your Amazon EKS cluster.

07 In the Cluster access section, set Cluster authentication mode to EKS API to ensure that the selected cluster is exclusively using the Cluster Access Management API for authentication. Before saving, make sure that every IAM principal that needs access, including the IAM role of any self-managed node group, already has an access entry: after the change the cluster will source authenticated IAM principals only from EKS access entry APIs, and the change cannot be reverted. Choose Save changes to apply the configuration changes.

08 Wait for the status of the modified cluster to return to Active. In the IAM access entries section, choose Create access entry to add access to the selected cluster for any further IAM principals based on your access requirements.

09 Repeat steps no. 5 - 8 for each Amazon EKS cluster provisioned within the current AWS region.

10 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run update-cluster-config command (OSX/Linux/UNIX) with the name of the Amazon EKS cluster that you want to configure as the identifier parameter, to exclusively enable the Cluster Access Management API for the selected EKS cluster. Once the access control configuration is updated, the cluster will source authenticated IAM principals only from EKS access entry APIs, and the "aws-auth" configMap is ignored; because the change cannot be reverted, create access entries for every IAM principal that still needs access (see step no. 3) before running this command:

aws eks update-cluster-config \
	--region us-east-1 \
	--name cc-project5-eks-cluster \
	--access-config authenticationMode=API

02 The command output should return information about the new authentication method configured for the specified cluster:

{
	"update": {
		"id": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"status": "InProgress",
		"type": "AccessConfigUpdate",
		"params": [
			{
				"type": "AuthenticationMode",
				"value": "\"API\""
			}
		],
		"createdAt": "2025-07-22T12:00:04.572000+00:00",
		"errors": []
	}
}

03 Run create-access-entry command (OSX/Linux/UNIX) to add access to the selected cluster for IAM principals based on your access requirements. For principals that are currently mapped in the "aws-auth" configMap, do this before the cluster is switched to "API" mode; for additional principals, wait for the status of the modified cluster to return to "Active" first. As an example, the following command creates an access entry for a self-managed Amazon EC2 Linux node group (the EC2_LINUX type assigns the "system:nodes" group and the node username automatically, so no Kubernetes group has to be specified):

aws eks create-access-entry \
	--region us-east-1 \
	--cluster-name cc-project5-eks-cluster \
	--principal-arn arn:aws:iam::123456789012:role/cc-self-managed-ng-role \
	--type EC2_LINUX

04 The command output should return the information available for the new access entry:

{
	"accessEntry": {
		"clusterName": "cc-project5-eks-cluster",
		"principalArn": "arn:aws:iam::123456789012:role/cc-self-managed-ng-role",
		"kubernetesGroups": [
			"system:nodes"
		],
		"accessEntryArn": "arn:aws:eks:us-east-1:123456789012:access-entry/cc-project5-eks-cluster/role/123456789012/cc-self-managed-ng-role/abcd1234-abcd-1234-abcd-1234abcd1234",
		"createdAt": "2025-07-22T12:00:00.789000+00:00",
		"modifiedAt": "2025-07-22T12:00:00.789000+00:00",
		"tags": {},
		"username": "system:node:{{EC2PrivateDNSName}}",
		"type": "EC2_LINUX"
	}
}

05 Repeat steps no. 1 – 4 for each Amazon EKS cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
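The audit loop above (list-clusters and describe-cluster per region) and the pre-flight that remediation step no. 3 calls for (every principal in "aws-auth" needs an access entry before the switch to "API") can be scripted. The following is an added example, not code from Trend Micro or AWS: it classifies describe-cluster output, reports the next allowed mode transition, and compares the IAM ARNs found in an "aws-auth" ConfigMap (saved with kubectl get configmap aws-auth -n kube-system -o json) with the cluster's existing access entries. The script name eks_auth_mode.py, the sample cluster data, and the assumption that a cluster without an accessConfig attribute is ConfigMap-only are all illustrative; the live functions need boto3 and AWS credentials, while the evaluation and comparison functions run offline.

```python
"""Audit Amazon EKS authentication mode and pre-flight a move to API-only mode.

Added example (not Trend Micro's or AWS's own code). The live functions need boto3
and AWS credentials; evaluate_cluster and the aws-auth comparison run offline.
"""
import re
import sys

# Only this mode means access entries are the sole source of IAM-to-RBAC mappings.
COMPLIANT_MODE = "API"

# Allowed forward transitions; a cluster in "API" mode cannot be changed back.
NEXT_MODE = {"CONFIG_MAP": "API_AND_CONFIG_MAP", "API_AND_CONFIG_MAP": "API", "API": None}

# IAM role/user ARNs as they appear in aws-auth mapRoles (rolearn:) and mapUsers (userarn:).
ARN_RE = re.compile(r"arn:aws[\w-]*:iam::\d{12}:(?:role|user)/[^\s\"']+")


def evaluate_cluster(describe_output):
    """Classify one describe-cluster response (parsed JSON or boto3 dict).

    Assumption: a cluster whose response has no accessConfig attribute is treated
    as CONFIG_MAP, i.e. not compliant.
    """
    cluster = describe_output["cluster"]
    mode = cluster.get("accessConfig", {}).get("authenticationMode", "CONFIG_MAP")
    return {
        "name": cluster["name"],
        "mode": mode,
        "compliant": mode == COMPLIANT_MODE,
        "next_mode": NEXT_MODE.get(mode),
    }


def principals_in_aws_auth(configmap):
    """IAM principals granted access by the aws-auth ConfigMap (kubectl -o json as a dict)."""
    data = configmap.get("data", {})
    arns = set()
    for key in ("mapRoles", "mapUsers"):
        arns.update(ARN_RE.findall(data.get(key, "")))
    return arns


def principals_without_access_entry(configmap, access_entries):
    """Principals that lose cluster access once aws-auth is ignored (API mode).

    access_entries is the "accessEntries" list returned by list-access-entries.
    Every ARN returned here needs create-access-entry BEFORE authenticationMode=API.
    """
    return principals_in_aws_auth(configmap) - set(access_entries)


# Constructed sample data (not captured from a real account).
SAMPLE_DESCRIBE = {"cluster": {"name": "cc-project5-eks-cluster",
                               "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"}}}
SAMPLE_AWS_AUTH = {"data": {
    "mapRoles": (
        "- groups:\n  - system:bootstrappers\n  - system:nodes\n"
        "  rolearn: arn:aws:iam::123456789012:role/cc-self-managed-ng-role\n"
        "  username: system:node:{{EC2PrivateDNSName}}\n"
        "- groups:\n  - system:masters\n"
        "  rolearn: arn:aws:iam::123456789012:role/cc-platform-admin\n"
        "  username: platform-admin\n"),
    "mapUsers": (
        "- userarn: arn:aws:iam::123456789012:user/cc-break-glass\n"
        "  username: break-glass\n  groups:\n  - system:masters\n"),
}}
SAMPLE_ACCESS_ENTRIES = ["arn:aws:iam::123456789012:role/cc-self-managed-ng-role"]


def audit(regions):
    """Live audit: list every cluster in each region and report its authentication mode."""
    import boto3  # imported here so the pure functions above work without AWS access

    findings = []
    for region in regions:
        eks = boto3.client("eks", region_name=region)
        for page in eks.get_paginator("list_clusters").paginate():
            for name in page["clusters"]:
                finding = evaluate_cluster(eks.describe_cluster(name=name))
                finding["region"] = region
                findings.append(finding)
                status = "OK  " if finding["compliant"] else "FAIL"
                print(f"{status} {region} {name}: authenticationMode={finding['mode']}"
                      + ("" if finding["compliant"] else f" (next step: {finding['next_mode']})"))
    return findings


def preflight(configmap_path, cluster_name, region):
    """Live pre-flight: ARNs in a saved aws-auth ConfigMap that have no access entry yet.

    list-access-entries only works once the cluster is in API_AND_CONFIG_MAP or API mode.
    """
    import json
    import boto3

    with open(configmap_path) as fh:
        configmap = json.load(fh)
    eks = boto3.client("eks", region_name=region)
    entries = []
    for page in eks.get_paginator("list_access_entries").paginate(clusterName=cluster_name):
        entries.extend(page["accessEntries"])
    return sorted(principals_without_access_entry(configmap, entries))


if __name__ == "__main__":
    audit(sys.argv[1:] or ["us-east-1"])
```

Run python3 eks_auth_mode.py us-east-1 eu-west-1 to audit several regions in one pass. For the pre-flight, save the ConfigMap with kubectl get configmap aws-auth -n kube-system -o json > aws-auth.json and call preflight("aws-auth.json", "cc-project5-eks-cluster", "us-east-1"); on the constructed sample it reports the platform-admin role and the break-glass user, which would silently lose access if the cluster were switched to "API" with only the node-group entry in place.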

Publication date Jul 23, 2025