Amazon EKS Security Architecture

Amazon EKS integrates closely with AWS security services, which makes sophisticated security architectures possible. The control plane runs in AWS-managed infrastructure, is patched by AWS, and keeps etcd on encrypted volumes; envelope encryption of Kubernetes Secrets with a customer-managed KMS key (the secretsEncryption setting below) is a separate, opt-in layer on top of that. Authentication to the Kubernetes API is tied to AWS Identity and Access Management (IAM) identities, and VPC isolation provides the network security foundation.

IAM Roles for Service Accounts (IRSA) is the most important EKS-specific security feature, because it gives individual Kubernetes workloads fine-grained AWS permissions. The kubelet projects a short-lived OIDC token into the pod, the AWS SDK exchanges that token for temporary credentials with sts:AssumeRoleWithWebIdentity, and the IAM role's trust policy decides which ServiceAccount in which cluster is allowed to make that exchange. Rather than long-lived access keys or an instance profile whose permissions are shared by every pod on the node, IRSA delivers temporary, scoped credentials to specific pods, which removes most credential rotation work while following least privilege. The node's own instance profile remains reachable through the instance metadata service unless pod access to IMDS is restricted (for example by enforcing IMDSv2 with a hop limit of 1), so IRSA is only as strong as that boundary.

# EKS cluster with security best practices
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: production-cluster
  region: us-east-1
  version: "1.28"

vpc:
  id: vpc-abc123def456
  subnets:
    private:
      us-east-1a: { id: subnet-private-1a }
      us-east-1b: { id: subnet-private-1b }
      us-east-1c: { id: subnet-private-1c }
  clusterEndpoints:
    # Private-only API endpoint: kubectl, and eksctl itself after this point,
    # must run from inside the VPC or over VPN/Direct Connect
    publicAccess: false
    privateAccess: true

# KMS encryption for secrets
secretsEncryption:
  keyARN: "arn:aws:kms:us-east-1:123456789012:key/abcd-efgh-ijkl"

# Enable control plane logging
cloudWatch:
  clusterLogging:
    enableTypes:
    - api
    - audit
    - authenticator
    - controllerManager
    - scheduler

# IAM OIDC provider for IRSA. eksctl registers the provider, creates an IAM
# role whose trust policy is scoped to production:app-service-account, and
# creates the annotated ServiceAccount in the cluster
iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: app-service-account
      namespace: production
    attachPolicyARNs:
    - "arn:aws:iam::123456789012:policy/AppS3ReadPolicy"
    wellKnownPolicies:
      certManager: false
      externalDNS: false
      ebsCSIController: false
      efsCSIController: false

nodeGroups:
- name: app-nodes
  instanceType: m5.large
  desiredCapacity: 3
  minSize: 3
  maxSize: 10
  privateNetworking: true
  
  # Instance-level security
  amiFamily: AmazonLinux2
  iam:
    attachPolicyARNs:
    - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
    - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
    - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
    - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    withAddonPolicies:
      imageBuilder: false
      cloudWatch: true
      albIngress: false
  
  # Security group configuration
  securityGroups:
    attachIDs:
    - sg-node-security-group
    
  # Enable encryption at rest
  volumeEncrypted: true
  volumeKmsKeyID: "arn:aws:kms:us-east-1:123456789012:key/node-volume-key"
  
  # Taints for workload isolation
  taints:
  - key: workload-type
    value: application
    effect: NoSchedule

---
# IRSA annotation on the ServiceAccount. The eksctl serviceAccounts entry
# above already creates this object with a generated role; apply a manifest
# like this one only for a role that was created outside eksctl
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
  namespace: production
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/AppServiceRole
    eks.amazonaws.com/audience: sts.amazonaws.com
    eks.amazonaws.com/sts-regional-endpoints: "true"

---
# SecurityGroupPolicy for pod-level security groups. Requires the VPC CNI with
# ENABLE_POD_ENI=true and Nitro-based nodes (m5 qualifies); matched pods get a
# branch ENI carrying these groups instead of the node's security group
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: app-security-group-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web-app
  securityGroups:
    groupIds:
    - sg-app-specific-rules

Security groups for pods extend AWS security groups to individual pods. Kubernetes NetworkPolicy and security groups both filter at Layer 3/4; the difference is where the rules live and what they can reference. NetworkPolicy is enforced by the CNI on the node, selects peers by pod and namespace labels, and cannot name anything outside the cluster. A pod security group is attached to a branch ENI that belongs to the pod, is stateful, and can reference other security groups, so a database security group can admit ingress only from the web-app pods' group and nothing else. This gives microsegmentation using familiar AWS constructs while keeping Kubernetes-native deployment patterns. Two caveats: pods that no SecurityGroupPolicy selects keep the node's security group, and the pod group must still permit the traffic the cluster itself needs, such as kubelet health probes from the node and DNS to CoreDNS, which is easy to lose when rules are tightened.
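To see what a set of SecurityGroupPolicy objects actually does to the pods in a namespace, here is an added example (not code from the original page or from the AWS VPC resource controller) that resolves policy selection offline using Kubernetes label-selector semantics. The sample policies and pods are constructed; MAX_SG_PER_ENI reflects EC2's default per-interface quota, and the empty-selector and fall-back-to-node behaviour are stated as assumptions about the controller rather than taken from its documentation.

```python
from typing import Dict, List, Tuple

# EC2 allows five security groups per network interface by default (the quota
# is adjustable); a pod's branch ENI is subject to the same limit. Assumption:
# the controller refuses to attach more rather than silently truncating.
MAX_SG_PER_ENI = 5


def _expression_matches(labels: Dict[str, str], expr: dict) -> bool:
    """One matchExpressions entry, with Kubernetes semantics for absent keys."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(selector: dict, labels: Dict[str, str]) -> bool:
    """Every matchLabels pair and matchExpressions entry must hold.
    An EMPTY selector matches every object; that is the footgun below."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(_expression_matches(labels, e) for e in selector.get("matchExpressions", []))


def is_unscoped(policy: dict) -> bool:
    """True when neither selector constrains anything (assumption: selects all pods)."""
    spec = policy["spec"]
    return all(not spec.get(s) or (not spec[s].get("matchLabels") and
                                   not spec[s].get("matchExpressions"))
               for s in ("podSelector", "serviceAccountSelector"))


def policy_selects(policy: dict, pod: dict,
                   sa_labels: Dict[Tuple[str, str], Dict[str, str]]) -> bool:
    """SecurityGroupPolicy is namespaced; with both selectors present a pod must match both."""
    ns = policy["metadata"]["namespace"]
    if pod["metadata"]["namespace"] != ns:
        return False
    spec = policy["spec"]
    if "podSelector" in spec and not selector_matches(
            spec["podSelector"], pod["metadata"].get("labels", {})):
        return False
    if "serviceAccountSelector" in spec:
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        if not selector_matches(spec["serviceAccountSelector"], sa_labels.get((ns, sa_name), {})):
            return False
    return True


def resolve(policies: List[dict], pods: List[dict],
            sa_labels=None) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({pod name: [security group ids]}, [findings])."""
    sa_labels = sa_labels or {}
    findings: List[str] = []
    for p in policies:
        if is_unscoped(p):
            findings.append(f"{p['metadata']['name']}: empty selector attaches "
                            f"{p['spec']['securityGroups']['groupIds']} to every pod "
                            f"in namespace {p['metadata']['namespace']}")
    assigned: Dict[str, List[str]] = {}
    for pod in pods:
        name = pod["metadata"]["name"]
        groups: List[str] = []
        for p in policies:
            if policy_selects(p, pod, sa_labels):
                # Groups from all matching policies are merged and de-duplicated.
                groups += [g for g in p["spec"]["securityGroups"]["groupIds"] if g not in groups]
        assigned[name] = groups
        if not groups:
            findings.append(f"{name}: no SecurityGroupPolicy matches; pod keeps the node security group")
        elif len(groups) > MAX_SG_PER_ENI:
            findings.append(f"{name}: {len(groups)} groups exceed the per-ENI limit of {MAX_SG_PER_ENI}")
    return assigned, findings


def _sgp(name: str, ns: str, selector: dict, groups: List[str]) -> dict:
    return {"metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": selector, "securityGroups": {"groupIds": groups}}}


def _pod(name: str, ns: str, labels: Dict[str, str]) -> dict:
    return {"metadata": {"name": name, "namespace": ns, "labels": labels}, "spec": {}}


# Constructed sample: the page's policy plus a careless one with an empty selector.
POLICIES = [_sgp("app-security-group-policy", "production", {"matchLabels": {"app": "web-app"}},
                 ["sg-app-specific-rules"]),
            _sgp("catch-all", "production", {}, ["sg-everything"])]
PODS = [_pod("web-app", "production", {"app": "web-app"}),
        _pod("batch-worker", "production", {"app": "batch"}),
        _pod("web-app-staging", "staging", {"app": "web-app"})]

if __name__ == "__main__":
    groups, findings = resolve(POLICIES, PODS)
    print(groups)
    print("\n".join(findings))
```

Feed it the output of `kubectl get securitygrouppolicies -A -o json` and `kubectl get pods -A -o json` to audit a live cluster; a pod that resolves to an empty list is one whose traffic is still governed by the node security group, which is usually not what the policy author intended.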