
Enable Support for Network Policies

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Elastic Kubernetes Service (EKS) clusters are using network policies to implement secure policy-based access control in order to segment and isolate traffic. AWS provides two add-ons for enforcing network policies: the Amazon VPC CNI plugin (the default EKS CNI plugin) and Calico, an open-source network security solution developed by Tigera. Enabling support for network policies in Amazon EKS requires installing a CNI plugin that supports them.

Security

A network policy is a Kubernetes resource that allows you to control the traffic between pods and services within a cluster. Network policies are useful for enforcing security policies, isolating applications, and debugging network connectivity issues. By default, pods are not isolated, meaning they accept traffic from any source. Isolation is achieved by applying a network policy that selects the pods to isolate. Once a network policy that selects a particular pod is in place in its namespace, that pod rejects any connection the policy does not permit.

As an example, this guide demonstrates how to enable support for network policies on EKS clusters using the Amazon VPC CNI plugin (the official AWS EKS add-on). The Amazon VPC CNI plugin has supported network policies since version 1.14.0.


Audit

To determine if your Amazon EKS clusters are using network policies, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine.

05 Select the Add-ons tab to access the list of add-ons installed for the selected cluster.

06 Click inside the Find add-on search box, type Amazon VPC CNI, press Enter, then choose Active from the Any status dropdown menu to determine whether the Amazon VPC CNI add-on is installed and active for the selected cluster. If no results are returned and the message No matches is displayed instead, the VPC CNI plugin is not installed, so the selected Amazon EKS cluster is not configured to use network policies. As a result, the Kubernetes cluster allows all ingress and egress traffic to its pods.

07 Repeat steps no. 4 – 6 for each Amazon EKS cluster available within the current AWS region.

08 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon EKS cluster available in the selected AWS cloud region:

aws eks list-clusters \
	--region us-east-1 \
	--output table \
	--query 'clusters'

02 The command output should return a table with the requested EKS cluster names:

---------------------------
|      ListClusters       |
+-------------------------+
| cc-eks-webapp-cluster   |
| cc-eks-project5-cluster |
+-------------------------+

03 Run describe-addon command (OSX/Linux/UNIX) with the name of the Amazon EKS cluster that you want to examine as the identifier parameter and custom output filters to determine if the Amazon VPC CNI add-on is successfully installed for the selected EKS cluster:

aws eks describe-addon \
	--region us-east-1 \
	--cluster-name cc-eks-webapp-cluster \
	--addon-name vpc-cni \
	--query "addon.status" \
	--output text

04 The command output should return the operational status of the VPC CNI plugin (e.g., ACTIVE for a successfully installed plugin). If the add-on is not installed on the selected cluster, the command fails with a ResourceNotFoundException error instead, which means that the cluster is not configured to use network policies:

An error occurred (ResourceNotFoundException) when calling the DescribeAddon operation: No addon: vpc-cni found in cluster: cc-eks-webapp-cluster

05 Repeat steps no. 3 and 4 for each Amazon EKS cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.
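The Audit procedure above checks only whether the vpc-cni add-on exists. As an added example, not part of the Conformity rule or of the AWS CLI, the following POSIX shell helper runs that check for every cluster in a region and also verifies two conditions the add-on's presence alone does not prove: that its version is at least v1.14.0 (the first with network policy support, per this page) and that enforcement is switched on in its configuration. The enableNetworkPolicy configuration key is assumed from AWS's add-on documentation; this page does not mention it.

```shell
#!/bin/sh
# Added audit helper, not Conformity's own tooling. The live part needs the
# AWS CLI with eks:ListClusters and eks:DescribeAddon permissions.
MIN_MAJOR=1   # network policy support arrived in Amazon VPC CNI v1.14.0
MIN_MINOR=14
# Pure check on three describe-addon fields: status, addonVersion and the
# configurationValues string. Prints a verdict and returns 0 only when network
# policy enforcement can actually be in effect on the cluster.
evaluate_vpc_cni() {
  status="$1"; version="$2"; config="$3"
  if [ "$status" != "ACTIVE" ]; then
    echo "NOT_COMPLIANT: vpc-cni add-on status is '${status:-not installed}'"
    return 1
  fi
  # v1.20.1-eksbuild.3 -> major 1, minor 20
  ver="${version#v}"; ver="${ver%%-*}"
  major="${ver%%.*}"; rest="${ver#*.}"; minor="${rest%%.*}"
  case "$major$minor" in ''|*[!0-9]*)
    echo "NOT_COMPLIANT: cannot parse vpc-cni version '$version'"; return 1 ;;
  esac
  if [ "$major" -lt "$MIN_MAJOR" ] || { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -lt "$MIN_MINOR" ]; }; then
    echo "NOT_COMPLIANT: vpc-cni $version predates network policy support (v1.14.0)"
    return 1
  fi
  # Presence alone does not enforce NetworkPolicy objects: enforcement must be
  # switched on via enableNetworkPolicy in the add-on configuration (assumption:
  # key name as documented by AWS, not on this page), in JSON or YAML form.
  if printf '%s' "$config" | grep -Eq '"?enableNetworkPolicy"?[[:space:]]*:[[:space:]]*"?true"?'; then
    echo "COMPLIANT: vpc-cni $version with network policy enforcement enabled"
    return 0
  fi
  echo "NOT_COMPLIANT: vpc-cni $version installed but enableNetworkPolicy is not true"
  return 1
}
# Live audit of every cluster in one region. describe-addon fails with
# ResourceNotFoundException when vpc-cni is absent; that maps to "not installed".
audit_region() {
  region="$1"
  for cluster in $(aws eks list-clusters --region "$region" --query 'clusters[]' --output text); do
    sv=$(aws eks describe-addon --region "$region" --cluster-name "$cluster" --addon-name vpc-cni \
           --query 'addon.[status,addonVersion]' --output text 2>/dev/null) || sv=""
    cfg=$(aws eks describe-addon --region "$region" --cluster-name "$cluster" --addon-name vpc-cni \
           --query 'addon.configurationValues' --output text 2>/dev/null) || cfg=""
    set -- $sv
    printf '%s/%s: ' "$region" "$cluster"
    evaluate_vpc_cni "${1:-}" "${2:-}" "$cfg" || true
  done
}
# Usage: audit_region us-east-1
```

Run audit_region once per AWS region, as the Audit steps above do, to cover every cluster.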

Remediation / Resolution

To enable support for network policies on your Amazon Elastic Kubernetes Service (EKS) clusters, you need to install the Amazon VPC CNI plugin as an add-on at the cluster level. To update your EKS cluster configuration, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to configure.

05 Select the Add-ons tab, choose Get more add-ons, and perform the following actions to install the Amazon VPC CNI plugin:

  1. For Step 1 Select add-ons, select Amazon VPC CNI from the AWS add-ons section. Choose Next to continue the plugin setup.
  2. For Step 2 Configure selected add-ons settings, provide the following information:
    1. For Version, ensure that the latest version of the Amazon VPC CNI plugin is selected.
    2. For Add-on access, select the preferred access method and choose an IAM role to use with the plugin.
    3. (Optional) For Optional configuration settings, specify any additional JSON or YAML configuration settings that you want to apply to the add-on.
    4. Choose Next to continue the setup.
  3. For Step 3 Review and add, review the plugin configuration details, then choose Create to install the Amazon VPC CNI plugin. The process should take a few minutes to complete.

06 Repeat steps no. 4 and 5 for each Amazon EKS cluster that you want to configure, available within the current AWS region.

07 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run describe-addon-versions command (OSX/Linux/UNIX) with custom output filtering to list the Amazon VPC CNI plugin versions supported by the specified Kubernetes version:

aws eks describe-addon-versions \
	--region us-east-1 \
	--kubernetes-version 1.32 \
	--addon-name vpc-cni \
	--query "addons[].addonVersions[].addonVersion"

02 The command output should return the supported plugin versions:

[
	"v1.20.1-eksbuild.3",
	"v1.20.1-eksbuild.1",
	"v1.20.0-eksbuild.1",
	"v1.19.6-eksbuild.7",
	"v1.19.6-eksbuild.1",
	"v1.19.5-eksbuild.3",
	"v1.19.5-eksbuild.1",
	"v1.19.4-eksbuild.1",
	"v1.19.3-eksbuild.1",
	"v1.19.2-eksbuild.5",
	"v1.19.2-eksbuild.1",
	"v1.19.0-eksbuild.1",
	"v1.18.6-eksbuild.1",
	"v1.18.5-eksbuild.1",
	"v1.18.4-eksbuild.1",
	"v1.18.3-eksbuild.3",
	"v1.18.3-eksbuild.2",
	"v1.18.3-eksbuild.1",
	"v1.18.2-eksbuild.1",
	"v1.18.1-eksbuild.3",
	"v1.18.1-eksbuild.1",
	"v1.18.0-eksbuild.1",
	"v1.17.1-eksbuild.1"
]

03 Run create-addon command (OSX/Linux/UNIX) to install the Amazon VPC CNI plugin (i.e., vpc-cni) on the selected EKS cluster. For --service-account-role-arn, specify the IAM role to use with the plugin. This role is bound to the add-on's service account and must have the IAM permissions required by the Amazon VPC CNI add-on. If you don't specify an IAM role, the add-on uses the permissions assigned to the node IAM role:

aws eks create-addon \
	--region us-east-1 \
	--cluster-name cc-eks-webapp-cluster \
	--addon-name vpc-cni \
	--addon-version v1.20.1-eksbuild.3 \
	--service-account-role-arn arn:aws:iam::123456789012:role/cc-eks-iam-role

04 The command output should return the configuration information for the plugin being installed (the status reads CREATING until installation completes):

{
	"addon": {
		"addonName": "vpc-cni",
		"clusterName": "cc-eks-webapp-cluster",
		"status": "CREATING",
		"addonVersion": "v1.20.1-eksbuild.3",
		"health": {
			"issues": []
		},
		"addonArn": "arn:aws:eks:us-east-1:123456789012:addon/cc-eks-webapp-cluster/vpc-cni/abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"createdAt": "2025-08-26T08:19:44.834000+00:00",
		"modifiedAt": "2025-08-26T08:19:44.851000+00:00",
		"serviceAccountRoleArn": "arn:aws:iam::123456789012:role/cc-eks-iam-role",
		"tags": {},
		"namespaceConfig": {
			"namespace": "kube-system"
		}
	}
}

05 Repeat steps no. 1 - 4 for each Amazon EKS cluster that you want to configure, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
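The Security section describes isolation as a policy selecting pods, and the create-addon step above installs the plugin without turning enforcement on. The script below is an added example, not Conformity's procedure or AWS tooling: it installs vpc-cni, or updates an existing one, with the enableNetworkPolicy setting (assumed from AWS's add-on documentation; this page does not mention it) and then applies a default-deny ingress policy plus one allow rule. Cluster name, region, role ARN and add-on version reuse the page's placeholder values and can be overridden through environment variables.

```shell
# Added example, not Conformity's procedure. Placeholder values reuse the
# page's sample names; override them through the environment as needed.
set -eu
CLUSTER="${CLUSTER:-cc-eks-webapp-cluster}"
REGION="${REGION:-us-east-1}"
ADDON_VERSION="${ADDON_VERSION:-v1.20.1-eksbuild.3}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/cc-eks-iam-role}"
# Install vpc-cni with enforcement on, or switch it on for an existing add-on.
# enableNetworkPolicy is the key AWS documents for this (assumption, not from
# this page); without it the plugin runs but NetworkPolicy objects are ignored.
enable_vpc_cni_policies() {
  cfg='{"enableNetworkPolicy": "true"}'
  if aws eks describe-addon --region "$REGION" --cluster-name "$CLUSTER" \
       --addon-name vpc-cni >/dev/null 2>&1; then
    aws eks update-addon --region "$REGION" --cluster-name "$CLUSTER" \
      --addon-name vpc-cni --configuration-values "$cfg" --resolve-conflicts OVERWRITE
  else
    aws eks create-addon --region "$REGION" --cluster-name "$CLUSTER" \
      --addon-name vpc-cni --addon-version "$ADDON_VERSION" \
      --service-account-role-arn "$ROLE_ARN" --configuration-values "$cfg"
  fi
  aws eks wait addon-active --region "$REGION" --cluster-name "$CLUSTER" --addon-name vpc-cni
}
# Render a default-deny ingress policy for a namespace plus one allow rule, so
# that only pods labelled app=<client> can reach pods labelled app=<server>.
render_policies() {
  ns="$1"; server="$2"; client="$3"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $ns
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$client-to-$server
  namespace: $ns
spec:
  podSelector: { matchLabels: { app: $server } }
  policyTypes: [Ingress]
  ingress:
  - from: [ { podSelector: { matchLabels: { app: $client } } } ]
EOF
}
# Usage (kubectl must point at the cluster):
#   enable_vpc_cni_policies && render_policies web api frontend | kubectl apply -f -
```

After applying, kubectl get networkpolicy -n web lists both objects; any pod in that namespace other than the app=frontend pods is then refused when connecting to the app=api pods.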

Publication date Sep 2, 2025