Amazon EKS Security

Harden the shared responsibility split for Kubernetes on AWS.

EKS architecture

[Diagram: EKS architecture]
AWS-managed control plane (API server, etcd, scheduler): private endpoint optional · IAM auth · audit logs
Customer data plane: worker nodes / Fargate · Pods · IRSA tokens · CNI / network policy · add-ons

Security best practices

Private endpoint — Restrict API access to your networks; pair with VPN or PrivateLink patterns.
Encryption — etcd encryption with KMS; secrets backed by KMS providers where applicable.
Pod security — Pod Security Standards / admission: non-root, read-only root FS, drop caps.
Network policies — Default deny egress/ingress where possible; explicit allow lists.
IRSA — IAM Roles for Service Accounts; short-lived creds per workload.

Certificate signing flow (simplified)

CSR in cluster → controller / signer → signed cert to Node/Pod

Use managed signing integrations appropriate to your Kubernetes version; audit unusual CSR approvals.

Service account → IAM mapping

K8s SA: namespace + SA name; annotation: role ARN
  → AWS STS: AssumeRoleWithWebIdentity; scoped session policy
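As an added example (not code from the original page), a Python check of the mapping above: the role named in the service-account annotation is only as tightly bound as its trust policy, which must pin the projected token's sub claim (system:serviceaccount:<namespace>:<name>) and its aud claim before AssumeRoleWithWebIdentity succeeds. The account id, OIDC provider id, namespace and service-account name below are constructed placeholders.

```python
# Constructed sample values: placeholder account id, OIDC provider id,
# namespace and service-account name; not taken from any real cluster.
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLECLUSTERID"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_HOST}"

def irsa_statement(cond: dict) -> dict:
    """Build one IRSA trust statement with the given Condition block."""
    return {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity", "Condition": cond}

# Correctly scoped: aud pinned to STS, sub pinned to exactly one namespace/SA.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [irsa_statement({
    "StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                     f"{OIDC_HOST}:sub": "system:serviceaccount:payments:orders-api"}})]}

# Weak: no aud check and a wildcard sub, so every SA in the namespace qualifies.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [irsa_statement({
    "StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:payments:*"}})]}

def check_irsa_trust(policy: dict, oidc_host: str, namespace: str, sa_name: str) -> list:
    """Return findings for Allow statements that admit more than the intended SA.

    The projected token carries sub = system:serviceaccount:<namespace>:<sa>
    and aud = sts.amazonaws.com; the trust policy must pin both.
    """
    want_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    sub_key, aud_key = f"{oidc_host}:sub", f"{oidc_host}:aud"
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = st.get("Condition", {})
        eq, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if eq.get(aud_key) != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud not pinned to sts.amazonaws.com")
        from_like = sub_key not in eq and sub_key in like
        subs = eq.get(sub_key, like.get(sub_key, []))
        subs = [subs] if isinstance(subs, str) else subs
        if not subs:
            findings.append(f"statement {i}: no sub condition; any SA with a valid token may assume")
        for s in subs:
            if from_like and "*" in s:  # StringLike wildcards widen the match
                findings.append(f"statement {i}: wildcard sub {s!r}; pin to one namespace/SA")
            elif s != want_sub:
                findings.append(f"statement {i}: sub {s!r} differs from expected {want_sub!r}")
    return findings

if __name__ == "__main__":
    print(check_irsa_trust(GOOD_POLICY, OIDC_HOST, "payments", "orders-api"))  # []
    print(check_irsa_trust(WEAK_POLICY, OIDC_HOST, "payments", "orders-api"))
```

The same check can be run over a role's real trust document (e.g. the output of iam get-role) to confirm each IRSA role is bound to one service account rather than a namespace-wide or cluster-wide wildcard.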