Use AWS-managed policy to access Amazon ECR Repositories

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine.

05 Select the Compute tab to access the compute resources provisioned for the selected cluster.

06 Click on the name (link) of the node group that you want to examine.

07 Select the Details tab and click on the ARN (link) of the associated IAM role, listed under Node IAM role ARN to access the IAM role configuration.

08 Select the Permissions tab to access the identity-based policies attached to the selected role.

09 In the Permissions policies section, check the name of each managed policy, listed in the Policy name column to determine the permissions defined for the selected role. To access Amazon ECR repositories, the associated IAM role should use the "AmazonEC2ContainerRegistryReadOnly" policy. If the "AmazonEC2ContainerRegistryReadOnly" policy is not listed in the Permissions policies section, the selected EKS cluster node group can't access the access Amazon ECR repositories, therefore the node group access configuration is not compliant.

10 Repeat steps no. 6 and 9 for each node group provisioned for the selected EKS cluster.

11 Repeat steps no. 4 - 10 for each Amazon EKS cluster available within the current AWS region.

12 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

01 Run list-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EKS cluster available in the selected AWS region:

aws eks list-clusters
  --region us-east-1
  --output table
  --query 'clusters'

02 The command output should return a table with the requested EKS cluster names:

---------------------------
|      ListClusters       |
+-------------------------+
| cc-eks-webapp-cluster   |
| cc-eks-project5-cluster |
+-------------------------+

03 Run list-nodegroups command (OSX/Linux/UNIX) with custom query filters to describe the name of each node group provisioned for the selected Amazon EKS cluster:

aws eks list-nodegroups 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --query 'nodegroups'

04 The command output should return the requested EKS cluster node group names:

[
	"cc-webapp-cluster-node-001",
	"cc-webapp-cluster-node-002"
]

05 Run describe-nodegroup command (OSX/Linux/UNIX) with custom output filtering to describe the ARN of the IAM role associated with the selected EKS cluster node group:

aws eks describe-nodegroup 
  --region us-east-1 
  --cluster-name cc-eks-webapp-cluster 
  --nodegroup-name cc-webapp-cluster-node-001 
  --query 'nodegroup.nodeRole'

06 The command output should return the Amazon Resource Name (ARN) of the associated IAM role:

"arn:aws:iam::123456789012:role/cc-eks-node-role"

07 Run list-attached-role-policies command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name (ARN) of each managed policy attached to the associated IAM role:

aws iam list-attached-role-policies
  --role-name cc-eks-node-role
  --query 'AttachedPolicies[*].PolicyArn'

08 The command output should return the ARN of each managed policy attached to the selected role:

[
	"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
]

09 Repeat steps no. 5 - 8 for each node group provisioned for the selected EKS cluster.

10 Repeat steps no. 3 - 9 for each Amazon EKS cluster available in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to access.

05 Select the Compute tab to access the compute resources provisioned for the selected cluster.

06 Click on the name (link) of the node group that you want to configure.

07 Select the Details tab and click on the ARN (link) of the associated IAM role, listed under Node IAM role ARN to access the IAM role configuration.

08 Select the Permissions tab to access the identity-based policies attached to the selected role.

09 In the Permissions policies section, select Add permissions, choose Attach policies, select AmazonEC2ContainerRegistryReadOnly from the policies list, and choose Add permissions.

10 Repeat steps no. 6 - 9 for each EKS cluster node group that you want to configure.

11 Repeat steps no. 4 – 10 for each Amazon EKS cluster provisioned within the current AWS region.

12 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

01 Run attach-role-policy command (OSX/Linux/UNIX) to attach the AmazonEC2ContainerRegistryReadOnly managed policy (i.e. "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly") to the IAM role associated with your EKS cluster node group (the command does not produce an output):

aws iam attach-role-policy
  --role-name cc-eks-node-role
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

02 Repeat steps no. 1 for each EKS cluster node group that you want to configure.

03 Repeat steps no. 1 and 2 for each Amazon EKS cluster provisioned in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.