You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your idea request related to a problem that you've solved? Please describe.
The IAM user / role that creates an EKS cluster always has admin access. User management to the cluster is configured through the aws-auth ConfigMap, however this user/role is not present in this file. Unless access to this user/role is protected and monitored, this can be used to gain privileged access to the cluster.
Describe the best practice
A good solution to this problem is to create a custom IAM Role that is exclusively used to create the EKS cluster. Controls can be put in place to control who can assume this role.Additionally, once the cluster's aws-auth ConfigMap has been configured and additional users have been granted access, for extra protection this role can be deleted, provided that it can be recreated with the same ARN. This ensures that this backdoor entry to the cluster does not remain, but that it can be later recreated to gain access in an emergency / break glass situation. Recreating the role gives an additional audit trail, which is especially useful for controlling user access to production clusters that do not usually have direct user access configured.
Describe alternatives you've considered
Other alternatives would also exist if this initial root access could be configured, but this is not currently supported by EKS.For an additional security control when this root role is recreated, an automated function could delete the role after an hour of it being created to ensure access to production clusters is automatically revoked after a period of time.
PR incoming with suggested wording
The text was updated successfully, but these errors were encountered:
Is your idea request related to a problem that you've solved? Please describe.
The IAM user / role that creates an EKS cluster always has admin access. User management to the cluster is configured through the
aws-auth
ConfigMap, however this user/role is not present in this file. Unless access to this user/role is protected and monitored, this can be used to gain privileged access to the cluster.Describe the best practice
A good solution to this problem is to create a custom IAM Role that is exclusively used to create the EKS cluster. Controls can be put in place to control who can assume this role.Additionally, once the cluster's
aws-auth
ConfigMap has been configured and additional users have been granted access, for extra protection this role can be deleted, provided that it can be recreated with the same ARN. This ensures that this backdoor entry to the cluster does not remain, but that it can be later recreated to gain access in an emergency / break glass situation. Recreating the role gives an additional audit trail, which is especially useful for controlling user access to production clusters that do not usually have direct user access configured.Describe alternatives you've considered
Other alternatives would also exist if this initial root access could be configured, but this is not currently supported by EKS.For an additional security control when this root role is recreated, an automated function could delete the role after an hour of it being created to ensure access to production clusters is automatically revoked after a period of time.
PR incoming with suggested wording
The text was updated successfully, but these errors were encountered: