Recommendation to create an EKS cluster with a dedicated IAM role

[mkandelaars]

Is your idea request related to a problem that you've solved? Please describe.
The IAM user / role that creates an EKS cluster always has admin access. User management to the cluster is configured through the aws-auth ConfigMap, however this user/role is not present in this file.  Unless access to this user/role is protected and monitored, this can be used to gain privileged access to the cluster.

Describe the best practice
A good solution to this problem is to create a custom IAM Role that is exclusively used to create the EKS cluster. Controls can be put in place to control who can assume this role.Additionally, once the cluster's aws-auth ConfigMap has been configured and additional users have been granted access, for extra protection this role can be deleted, provided that it can be recreated with the same ARN. This ensures that this backdoor entry to the cluster does not remain, but that it can be later recreated to gain access in an emergency / break glass situation. Recreating the role gives an additional audit trail, which is especially useful for controlling user access to production clusters that do not usually have direct user access configured.

Describe alternatives you've considered
Other alternatives would also exist if this initial root access could be configured, but this is not currently supported by EKS.For an additional security control when this root role is recreated, an automated function could delete the role after an hour of it being created to ensure access to production clusters is automatically revoked after a period of time.

PR incoming with suggested wording

[jicowan]

@mkandelaars Thanks for contributing this best practice. I definitely want to add this to the guide. Can you look at the feedback I left?

[DanyC97]

@jicowan i think this issue can be closed right ?

btw awesome content