EKS Security

EKS Security: 8 Ways to Secure Your Clusters


What Is AWS EKS Security?

Amazon Elastic Kubernetes Service (Amazon EKS) is Amazon’s popular, managed Kubernetes service. It lets you use open-source Kubernetes to orchestrate containerized applications, without the need to install and administer the Kubernetes control plane and infrastructure required for Kubernetes clusters.

Kubernetes security in EKS is the responsibility of both Amazon Web Services (AWS) and the client. This shared responsibility model divides the main security aspects as follows:

  • AWS security – AWS is responsible for the security of the infrastructure that supports AWS services. In Amazon EKS, AWS protects the Kubernetes control plane, including the etcd database and control plane nodes. AWS compliance involves regular testing by third-party auditors to verify security effectiveness.
  • Client-side security – As the client, you are responsible for securing your workloads. This includes ensuring data security, upgrades and patches for worker nodes, and secure configuration for the data plane, nodes, containers, and operating systems. You must also configure security groups that allow the EKS control plane to securely communicate with your virtual private clouds (VPCs).


In this article, you will learn:


4 Built-In EKS Security Features

AWS Identity and Access Management

AWS offers an Identity and Access Management (IAM) service that helps administrators control access to AWS resources, at no extra charge. IAM administrators control who can sign in and who has permissions to use an Amazon EKS resource, based on policies defining access for service administrators and service users.

Service administrators determine which users should have access to each EKS resource. Users are provided credentials they can use for authentication and authorization of Kubernetes resources. Service users should only have access to the features they need to do their job—if they require additional permissions, they should contact the IAM administrator.

Logging and Monitoring

CloudWatch logs store diagnostic and audit logs from the control plane. Each EKS control plane receives its own log group. It is important to monitor these logs to discover security issues and other production issues.

AWS CloudTrail records EKS activity, capturing all API calls made by users, roles, or AWS services, or EKS console requests.


Related content: Read our guide to Kubernetes observability


AWS Secrets Manager

Kubernetes lets you create key/value pairs and deliver them to applications running in pods. If these key/value pairs contain sensitive data, you can use Secret Store, a Container Storage Interface (CSI) driver. The driver is implemented by solutions like AWS Secrets Manager and AWS Parameter Store.

AWS Secrets Manager provides central storage and management for Kubernetes secrets, as well as the AWS Secrets and Configuration Provider (ASCP) plugin, which lets you work with legacy Kubernetes workloads that previously received secrets through etcd. It also lets you use IAM policies to define which pods can access each secret.

Resilience in Amazon EKS

AWS Regions and Availability Zones (AZs) make it possible to run resources redundantly in multiple, physically isolated data centers. This allows you to make AWS workloads fault tolerant, scalable, and highly available.

Amazon EKS operates across multiple AZs, automatically scaling the control plane to ensure high performance. EKS detects and heals malfunctioning control plane instances, and performs automated patches and updates for all control plane components. EKS guarantees a service-level agreement (SLA) uptime of 99.5% for the Kubernetes API Server.

4 Amazon EKS Security Best Practices

Here are best practices that can help you improve EKS security.

Encryption at Rest

AWS offers three storage options for Kubernetes: Amazon Elastic Block Storage (EBS), Amazon Elastic File Storage (EFS), and Amazon FSx for Lustre. All three provide encryption at rest using either service-managed keys or customer master keys (CMKs).

  • For EBS, you can use either the in-tree storage driver or the EBS CSI driver. Both contain parameters for volume encryption and CMK provision.
  • For EFS, you can use the EFS CSI driver, but unlike EBS, it does not support dynamic provisioning. To use EFS with EKS, you need to provision and configure file system encryption at rest before creating a persistent volume (PV).

Use the CIS Benchmark for Secure Configuration

Configure Amazon Elastic Compute Cloud (Amazon EC2) nodes for EKS according to the Center for Internet Security (CIS) Kubernetes Benchmark, which provides community-approved guidance for securely configuring Kubernetes clusters and nodes. The benchmark covers control plane configuration, node security configuration, policies, and managed services. You can run the open-source tool kube-bench to test your clusters for CIS security recommendations.


Related content: Read our guide to recent Kubernetes vulnerabilities


Network Policy

A Kubernetes cluster allows communication between all pods by default. This flexibility may be useful for development and experimentation, but it is not considered secure. Kubernetes network policies provide a mechanism to restrict network traffic between pods (commonly referred to as east-west traffic) and between pods and external services.

Kubernetes network policies work at layers 3 and 4 of the Open Systems Interconnection (OSI) model. They use pod selectors and tags to identify source and destination pods, but can also include IP addresses, port numbers, protocol numbers, or some combination of these.

Calico is Tigera’s open-source policy engine and can be used with EKS. In addition to implementing all Kubernetes network policy features, Calico extends network policies with a richer feature set, including support for layer 7 rules (such as HTTP) with Envoy’s direct integration into Calico’s pluggable data plane.

Deploy Workers Onto Private Subnets

Placing worker nodes in a private subnet reduces your threat surface, because it minimizes exposure to the public internet. In EKS, the allocation of public IP addresses to nodes in a managed node group is controlled by the subnet in which these nodes are deployed (previously, nodes in a Managed Node Group were automatically assigned public IPs). If you choose to deploy your worker nodes in public subnets, implement AWS security group rules to limit their exposure.

EKS Security with Tigera’s Calico Cloud and Calico Enterprise

Calico Enterprise and Calico Cloud provide Kubernetes security, observability, and networking on Amazon EKS, as well as on Amazon EC2 for self-managed Kubernetes.

Calico Enterprise and Calico Cloud offer the following unique features for EKS security:

  • Manage egress access – Kubernetes has no built-in capability to enforce network policy. Calico can securely control egress access to external resources with the following:
    • AWS Security Group integration
    • DNS policy
    • Egress Access Gateway
  • Microsegmentation – Many applications have microsegmentation requirements, such as workload isolation, ensuring developers cannot talk to production, and implementing network zones (for example, microservices in the DMZ can communicate with the public internet but not directly with your backend databases).
  • Enterprise security and compliance – Get data-in-transit encryption with industry-leading performance, as well as compliance reporting for security policies and controls. Leverage an incredibly rich intrusion detection feature set that includes threat feeds to identify known bad actors like bots, custom alerts for known attacks, anomaly detection, and honeypods.
  • Observe and troubleshoot – Detect, identify, and resolve the performance hotspots, anomalies, and connectivity issues between microservices running on EKS clusters.
  • Unified controls – Enable security and observability across multi-cluster, multi-cloud, and hybrid-cloud environments, and provide a single pane of glass to ensure consistent application of security controls across both containers and VMs.
Next steps:

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!