End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Enable Support for Network Policies

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EKS-006

Ensure that your Amazon Elastic Kubernetes Service (EKS) clusters are using network policies to implement policy-based access control that segments and isolates pod traffic. Two common options for enforcing network policies on EKS are the Amazon VPC CNI plugin (the default EKS CNI plugin, available as a managed add-on) and Calico, the open-source network security project founded by Tigera. Enabling support for network policies in Amazon EKS requires a CNI plugin that supports them. Merely having the Amazon VPC CNI add-on installed is not sufficient: the add-on must be explicitly configured with enableNetworkPolicy set to true before it enforces NetworkPolicy objects, and the feature is disabled by default even when the add-on is active. Turning enforcement on is also only half of the control: until a NetworkPolicy selects a pod, that pod still accepts traffic from any source.

Security

A network policy is a Kubernetes resource (NetworkPolicy) that controls traffic between pods, and between pods and endpoints outside the cluster. Network policies are useful for enforcing security boundaries, isolating applications, and debugging network connectivity issues. By default, pods are not isolated: they accept traffic from, and send traffic to, any source. A pod becomes isolated once a NetworkPolicy in its namespace selects it; from then on it rejects any connection that is not allowed by the union of the policies selecting it. Policies are additive, so a second policy can only widen what is allowed, never deny traffic that another policy permits.

As an example, this guide demonstrates how to enable support for network policies on EKS clusters using the Amazon VPC CNI plugin (the official AWS EKS add-on). The Amazon VPC CNI plugin supports network policies since version 1.14.0. The feature also requires Kubernetes 1.25 or later and Linux nodes running a kernel of version 5.10 or later (such as the Amazon EKS optimized Amazon Linux and Bottlerocket AMIs); Windows nodes are not supported.


Audit

To determine if your Amazon EKS clusters are using network policies, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

  3. In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

  4. Click on the name (link) of the Amazon EKS cluster that you want to examine.

  5. Select the Add-ons tab to access the list of add-ons installed for the selected cluster.

  6. Click inside the Find add-on search box, type Amazon VPC CNI and press Enter, then choose Active from the Any status dropdown menu to determine whether the Amazon VPC CNI add-on is installed and active on the selected cluster. If the list shows No matches, the VPC CNI plugin is not installed as a managed add-on, so the selected Amazon EKS cluster is not configured to use network policies through the add-on; unless another policy-capable CNI (such as Calico) is running, the cluster allows all ingress and egress traffic to its pods. Note that a self-managed copy of the VPC CNI (an aws-node DaemonSet applied directly to the cluster) does not appear in this list, so confirm with kubectl before treating such a cluster as unprotected.

  7. Click on the Amazon VPC CNI add-on name to view its details. Check the Configuration values section and verify that enableNetworkPolicy is set to true. If the add-on is installed but enableNetworkPolicy is absent or set to false, the cluster still does not enforce network policies, because the feature is off by default.

  8. Repeat steps no. 4 – 7 for each Amazon EKS cluster available within the current AWS region.

  9. Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

  1. Run list-clusters command (OSX/Linux/UNIX) with custom output filters to list the name of each Amazon EKS cluster available in the selected AWS cloud region:

    aws eks list-clusters
    	--region us-east-1
    	--output table
    	--query 'clusters'
    
  2. The command output should return a table with the requested EKS cluster names:

    ---------------------------
    |      ListClusters       |
    +-------------------------+
    | cc-eks-webapp-cluster   |
    | cc-eks-project5-cluster |
    +-------------------------+
    
  3. Run describe-addon command (OSX/Linux/UNIX) with the name of the Amazon EKS cluster that you want to examine as the identifier parameter and custom output filters to determine if the Amazon VPC CNI add-on is successfully installed for the selected EKS cluster:

    aws eks describe-addon
    	--cluster-name cc-eks-webapp-cluster
    	--addon-name vpc-cni
    	--query "addon.status"
    	--output text
    
  4. The command output should return the operational status of the VPC CNI plugin (e.g., ACTIVE for a successfully installed plugin). If the addon is not installed, the command output will return an error:

    An error occurred (ResourceNotFoundException) when calling the DescribeAddon operation: No addon: vpc-cni found in cluster: cc-eks-webapp-cluster
    
  5. Run describe-addon command (OSX/Linux/UNIX) with custom output filters to check the configuration values of the Amazon VPC CNI add-on for the selected EKS cluster:

    aws eks describe-addon
    	--cluster-name cc-eks-webapp-cluster
    	--addon-name vpc-cni
    	--query "addon.configurationValues"
    	--output text
    
  6. The command output should return the add-on configuration, which may be JSON or YAML depending on how it was supplied, and it must contain enableNetworkPolicy set to true. If the output is empty, returns None (no configuration values were supplied, so the add-on runs with its defaults), or does not contain enableNetworkPolicy set to true, the network policy feature is not enabled on the selected Amazon EKS cluster.

  7. Repeat steps no. 3 – 6 for each Amazon EKS cluster available in the selected AWS region.

  8. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.
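The CLI audit above checks one cluster at a time and leaves the pass/fail decision to the reader. The script below is an added example, not part of the Conformity page: it loops over every cluster in a region and applies the same two-part test, namely that the vpc-cni managed add-on is ACTIVE and that its configurationValues set enableNetworkPolicy to true. The parsing accepts both the JSON and the YAML form of configurationValues, treats an empty value or the literal None printed by --output text as not enabled, and reports a cluster where vpc-cni is not a managed add-on separately, because the CNI may still be running there as a self-managed DaemonSet. It assumes the AWS CLI is configured with eks:ListClusters and eks:DescribeAddon permissions; the region and cluster names are whatever the API returns, and the configuration strings shown in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Conformity page. Assumes the AWS CLI is
# configured with eks:ListClusters and eks:DescribeAddon permissions and that
# the vpc-cni managed add-on stores its settings in addon.configurationValues
# as JSON ({"enableNetworkPolicy":"true"}) or YAML (enableNetworkPolicy: true).
set -eu

# np_enabled_in_config CONFIG_TEXT
# Exit 0 when CONFIG_TEXT enables network policy, 1 otherwise. An empty string
# and the literal "None" that `--output text` prints for a null value both mean
# no configuration was supplied, so the add-on runs with its default: disabled.
np_enabled_in_config() {
    cfg_text="$1"
    [ -n "$cfg_text" ] || return 1
    [ "$cfg_text" != "None" ] || return 1
    # Bring JSON and YAML to one shape: drop quotes, braces, commas and
    # whitespace, lower-case everything, then look for key:true.
    norm=$(printf '%s' "$cfg_text" | tr -d '"{}, \t\n\r' | tr 'A-Z' 'a-z')
    case "$norm" in
        *enablenetworkpolicy:true*) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict ADDON_STATUS CONFIG_TEXT -> one word summarising the cluster.
verdict() {
    if [ "$1" != "ACTIVE" ]; then
        # CREATING, DEGRADED, UPDATE_FAILED ...: the configuration is not
        # guaranteed to be in effect on the nodes yet.
        echo "ADDON_NOT_ACTIVE($1)"
    elif np_enabled_in_config "$2"; then
        echo "COMPLIANT"
    else
        echo "NETWORK_POLICY_DISABLED"
    fi
}

# audit_region REGION -> one line per cluster: REGION CLUSTER VERDICT
audit_region() {
    region="$1"
    for cluster in $(aws eks list-clusters --region "$region" \
            --query 'clusters[]' --output text); do
        # describe-addon exits non-zero (ResourceNotFoundException) when
        # vpc-cni is not a managed add-on. The CNI may still be running as a
        # self-managed aws-node DaemonSet, so flag the cluster for a manual
        # kubectl check instead of calling it disabled.
        if ! addon_status=$(aws eks describe-addon --region "$region" \
                --cluster-name "$cluster" --addon-name vpc-cni \
                --query 'addon.status' --output text 2>/dev/null); then
            echo "$region $cluster VPC_CNI_NOT_MANAGED_ADDON"
            continue
        fi
        addon_cfg=$(aws eks describe-addon --region "$region" \
                --cluster-name "$cluster" --addon-name vpc-cni \
                --query 'addon.configurationValues' --output text)
        echo "$region $cluster $(verdict "$addon_status" "$addon_cfg")"
    done
}

# Usage: sh eks_np_audit.sh us-east-1 eu-west-1 ...
for r in "$@"; do
    audit_region "$r"
done
```

Run it with one or more region names; a cluster is only reported COMPLIANT when the add-on is ACTIVE and enableNetworkPolicy resolves to true, and anything else is printed with the reason so the list can go straight into a finding.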

Remediation / Resolution

To enable network policy enforcement on your Amazon Elastic Kubernetes Service (EKS) clusters, install the Amazon VPC CNI plugin as a managed add-on (if it is not installed yet) and set enableNetworkPolicy to true in its configuration. Keep in mind that this setting only turns the enforcement engine on; pods remain unisolated until you create NetworkPolicy objects that select them. To update your EKS cluster configuration, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic Kubernetes Service console available at https://console.aws.amazon.com/eks/.

  3. In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

  4. Click on the name (link) of the Amazon EKS cluster that you want to configure.

  5. Select the Add-ons tab, choose Get more add-ons, and perform the following actions to install the Amazon VPC CNI plugin:

    1. For Step 1 Select add-ons, select Amazon VPC CNI from the AWS add-ons section. Choose Next to continue the plugin setup.
    2. For Step 2 Configure selected add-ons settings, provide the following information:
      1. For Version, ensure that the latest version of the Amazon VPC CNI plugin is selected.
      2. For Add-on access, select the preferred access method and choose an IAM role to use with the plugin.
      3. For Optional configuration settings, enter the following JSON configuration to enable network policies:
        	{"enableNetworkPolicy": "true"}
        	
      4. Choose Next to continue the setup.
    3. For Step 3 Review and add, review the plugin configuration details, then choose Create to install the Amazon VPC CNI plugin. The process should take a few minutes to complete.
  6. Note: For an existing Amazon VPC CNI add-on that is already installed but does not have network policies enabled, open the add-on, choose Edit, and add the configuration {"enableNetworkPolicy": "true"} under Optional configuration settings. Save the change and wait for the add-on status to return to Active.

  7. Repeat steps no. 4 – 6 for each Amazon EKS cluster that you want to configure, available within the current AWS region.

  8. Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

  1. Run describe-addon-versions command (OSX/Linux/UNIX) with custom output filtering to describe the Amazon VPC CNI plugin versions supported by the specified Kubernetes version:

    aws eks describe-addon-versions
    	--kubernetes-version 1.32
    	--addon-name vpc-cni
    	--query "addons[].addonVersions[].addonVersion"
    
  2. The command output should return the supported plugin versions:

    [
    	"v1.20.1-eksbuild.3",
    	"v1.20.1-eksbuild.1",
    	"v1.20.0-eksbuild.1",
    	"v1.19.6-eksbuild.7",
    	"v1.19.6-eksbuild.1",
    	"v1.19.5-eksbuild.3",
    	"v1.19.5-eksbuild.1",
    	"v1.19.4-eksbuild.1",
    	"v1.19.3-eksbuild.1",
    	"v1.19.2-eksbuild.5",
    	"v1.19.2-eksbuild.1",
    	"v1.19.0-eksbuild.1",
    	"v1.18.6-eksbuild.1",
    	"v1.18.5-eksbuild.1",
    	"v1.18.4-eksbuild.1",
    	"v1.18.3-eksbuild.3",
    	"v1.18.3-eksbuild.2",
    	"v1.18.3-eksbuild.1",
    	"v1.18.2-eksbuild.1",
    	"v1.18.1-eksbuild.3",
    	"v1.18.1-eksbuild.1",
    	"v1.18.0-eksbuild.1",
    	"v1.17.1-eksbuild.1"
    ]
    
  3. Run create-addon command (OSX/Linux/UNIX) to install the Amazon VPC CNI plugin (i.e., vpc-cni) on the selected EKS cluster with network policy support enabled from the start. For --service-account-role-arn, specify the IAM role to use with the plugin. This role binds to the add-on's service account and must carry the IAM permissions required by the Amazon VPC CNI add-on (the AmazonEKS_CNI_Policy managed policy); if you don't specify an IAM role, the add-on uses the permissions assigned to the node IAM role. If the cluster already runs a self-managed copy of the VPC CNI (an aws-node DaemonSet applied outside the add-on framework), add --resolve-conflicts OVERWRITE so that the managed add-on can take over that deployment:

    aws eks create-addon
    	--cluster-name cc-eks-webapp-cluster
    	--addon-name vpc-cni
    	--addon-version v1.20.1-eksbuild.3
    	--service-account-role-arn arn:aws:iam::123456789012:role/cc-eks-iam-role
    	--configuration-values '{"enableNetworkPolicy":"true"}'
    
  4. The command output should return the configuration information available for the installed plugin, including the configuration values you supplied. The status starts at CREATING and should move to ACTIVE within a few minutes:

    {
    	"addon": {
    		"addonName": "vpc-cni",
    		"clusterName": "cc-eks-webapp-cluster",
    		"status": "CREATING",
    		"addonVersion": "v1.20.1-eksbuild.3",
    		"health": {
    			"issues": []
    		},
    		"addonArn": "arn:aws:eks:us-east-1:123456789012:addon/cc-eks-webapp-cluster/vpc-cni/abcdabcd-1234-abcd-1234-abcdabcdabcd",
    		"createdAt": "2025-08-26T08:19:44.834000+00:00",
    		"modifiedAt": "2025-08-26T08:19:44.851000+00:00",
    		"serviceAccountRoleArn": "arn:aws:iam::123456789012:role/cc-eks-iam-role",
    		"tags": {},
    		"configurationValues": "{\"enableNetworkPolicy\":\"true\"}",
    		"namespaceConfig": {
    			"namespace": "kube-system"
    		}
    	}
    }
    
  5. Run update-addon command (OSX/Linux/UNIX) to enable network policies on an existing Amazon VPC CNI add-on that is already installed but does not have network policies enabled:

    aws eks update-addon
    	--cluster-name cc-eks-webapp-cluster
    	--addon-name vpc-cni
    	--configuration-values '{"enableNetworkPolicy":"true"}'
    
  6. The command output should return the update status information:

    {
    	"update": {
    		"id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    		"status": "InProgress",
    		"type": "AddonUpdate"
    	}
    }
    
  7. Run describe-addon command (OSX/Linux/UNIX) to verify that the network policy feature has been successfully enabled:

    aws eks describe-addon
    	--cluster-name cc-eks-webapp-cluster
    	--addon-name vpc-cni
    	--query "addon.{status:status,configurationValues:configurationValues}"
    
  8. The command output should confirm that the add-on is back to ACTIVE (the update runs asynchronously, so repeat the command until the status is no longer UPDATING) and that the configuration values include enableNetworkPolicy set to true:

    {
    	"status": "ACTIVE",
    	"configurationValues": "{\"enableNetworkPolicy\":\"true\"}"
    }
    
  9. Repeat steps no. 1 - 8 for each Amazon EKS cluster that you want to configure, available in the selected AWS region.

  10. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
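Setting enableNetworkPolicy tells the add-on to start its policy controller, but the ACTIVE status returned by the control plane says nothing about what is running on the nodes, and even a working controller isolates no pod until a NetworkPolicy selects it (see the Security section above). The script below is an added example, not part of the Conformity page or of the VPC CNI project: it checks the aws-node DaemonSet for the policy agent, then applies a default-deny policy to a namespace together with the single egress exception (DNS to CoreDNS) that almost every workload needs. It assumes that the controller runs as the aws-eks-nodeagent container of the aws-node DaemonSet in kube-system with the argument --enable-network-policy=true, that CoreDNS pods carry the label k8s-app=kube-dns in kube-system, that namespaces carry the automatic kubernetes.io/metadata.name label, and that kubectl already points at the remediated cluster; the namespace name is whatever the caller passes.

```shell
#!/bin/sh
# Added example, not from the Conformity page. Assumptions: the VPC CNI policy
# controller is the "aws-eks-nodeagent" container of the aws-node DaemonSet in
# kube-system, started with --enable-network-policy=true; CoreDNS pods are
# labelled k8s-app=kube-dns in kube-system; namespaces carry the automatic
# kubernetes.io/metadata.name label; kubectl targets the remediated cluster.
set -eu

# node_agent_enforcing ARGS_TEXT -> 0 when the container's args (space
# separated, as printed by a jsonpath query) switch enforcement on.
node_agent_enforcing() {
    case " $1 " in
        *" --enable-network-policy=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# default_deny_manifest NAMESPACE -> NetworkPolicy that selects every pod in
# the namespace (empty podSelector), lists both policyTypes and carries no
# rules, so nothing may enter or leave those pods.
default_deny_manifest() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# allow_dns_manifest NAMESPACE -> egress exception so isolated pods can still
# reach CoreDNS on UDP/TCP 53. Policies are additive: this widens the
# default-deny above and cannot weaken any other policy.
allow_dns_manifest() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# verify_enforcement -> exit 1 when the policy agent is missing or disabled.
verify_enforcement() {
    agent_args=$(kubectl -n kube-system get daemonset aws-node -o \
        jsonpath='{.spec.template.spec.containers[?(@.name=="aws-eks-nodeagent")].args[*]}')
    if node_agent_enforcing "$agent_args"; then
        echo "aws-eks-nodeagent: network policy enforcement on"
    else
        echo "aws-eks-nodeagent missing or enforcement off: '$agent_args'" >&2
        return 1
    fi
}

# isolate_namespace NAMESPACE -> apply default-deny plus the DNS exception.
isolate_namespace() {
    default_deny_manifest "$1" | kubectl apply -f -
    allow_dns_manifest "$1" | kubectl apply -f -
    kubectl -n "$1" get networkpolicy
}

# Usage: sh eks_np_isolate.sh <namespace>
if [ $# -eq 1 ]; then
    verify_enforcement
    isolate_namespace "$1"
fi
```

Apply this to one non-production namespace first and watch for workloads that stop talking; every legitimate flow you discover becomes another narrowly scoped allow policy, which is the segmentation the rule is after.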

Publication date Sep 2, 2025