Skip to content

EKS Security Best Practices Checklist

Jump to bottom
0xffccdd edited this page Mar 14, 2022 · 1 revision

There are a number of best practices that can be followed when using EKS in order to improve security. One of the most important is to use IAM roles to control access to resources. This can help to ensure that only authorized users have access to the resources they need. In addition, it is important to use strong passwords and to keep them confidential.

You can get a playbook on how to respond to security incidents in Kubernetes environments here.

Another best practice is to use security groups to control access to resources. Security groups can be used to allow or deny access to certain ports, IP addresses, or other resources. This can help to ensure that only authorized users are able to access the resources they need.

It is also important to keep EKS up to date with the latest security patches. This can help to ensure that any vulnerabilities are addressed and that your cluster is as secure as possible.

Finally, it is important to regularly audit your EKS resources to ensure that they are still secure. This can help to identify any potential vulnerabilities and to take corrective action.

Using IAM to secure your EKS Cluster

IAM is a critical part of securing your EKS cluster. In this blog post, we will discuss how to use IAM to secure your EKS cluster.

First, we will discuss the different roles that you can use in IAM to secure your EKS cluster. Next, we will discuss how to create an IAM role for your EKS cluster. Finally, we will discuss how to use IAM to secure your EKS cluster.

Role Types

There are three different types of roles that you can use in IAM to secure your EKS cluster:

  1. Administrator role - The Administrator role has full access to all resources in your AWS account. This role should only be used by trusted individuals who are responsible for managing your AWS account.

  2. Service role - The Service role has access to specific resources in your AWS account. This role should be used by services that need access to specific resources in your AWS account.

  3. Detailed permissions role - The Detailed permissions role allows you to specify the specific permissions that the role should have. This role should be used when you need more granular control over the permissions that the role has.

Creating an IAM Role for Your EKS Cluster

To create an IAM role for your EKS cluster, you need to specify the following information:

  1. Role name - The role name is the name of the role.

  2. Role description - The role description is a brief description of the role.

  3. Principal - The principal is the entity that will assume the role.

  4. Policy - The policy is the policy that will be applied to the role.

  5. Role type - The role type is the type of role that you want to create.

  6. AWS account ID - The AWS account ID is the ID of the AWS account that the role will be associated with.

The following screenshot shows an example of how to create an IAM role for your EKS cluster:

In the screenshot, we are creating an IAM role for an EKS cluster. We are specifying the following information:

  1. Role name - The role name is "eks-role."

  2. Role description - The role description is "Role for accessing an EKS cluster."

  3. Principal - The principal is "eks-cluster."

  4. Policy - The policy is "eks-policy."

  5. Role type - The role type is "Service role."

  6. AWS account ID - The AWS account ID is "123456789012."

The following screenshot shows the policy that will be applied to the role:

In the screenshot, we are specifying the following information:

  1. Policy name - The policy name is "eks-policy."

  2. Policy document - The policy document is " {

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"eks:CreateCluster"

],

"Resource": [

"arn:aws:eks:us-east-1:123456789012:cluster/eks-cluster"

]

}

]

} "

This policy allows the eks-cluster principal to create an EKS cluster in the us-east-1 region.

Use Security Groups for Pods

Security Groups for Pods in Kubernetes allow you to control which pods can communicate with each other. You can use Security Groups to restrict access to certain pods or to certain ports on pods. Security Groups are based on Kubernetes Namespaces, so you need to create a Security Group for each Namespace.

To create a Security Group, you need to specify the following information:

The name of the Security Group

The list of pods that are allowed to communicate with each other

The list of ports on pods that are allowed to be accessed

The Security Group can be used to allow or deny communication between pods. The following example shows how to allow communication between pods in the default namespace:

apiVersion: networking.k8s.io/v1 kind: SecurityGroup metadata: name: default-sg spec: podSelector: matchLabels: name: my-pod ports:

  • port: 80 protocol: TCP

This Security Group will allow communication between the pod "my-pod" and any other pod in the default namespace that has the label "name: my-pod". The Security Group will also allow access to port 80 on any pod that has the label "name: my-pod".

Clone this wiki locally