
EKS Cluster Node Group IAM Role Policies

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the permissions defined for the worker node IAM role are not too permissive. To implement the Principle of Least Privilege (also known as the principle of least authority: the security concept of giving every identity, process, or system only the minimal set of permissions it needs to perform its tasks), the IAM role associated with your Amazon EKS cluster worker nodes should use only the following AWS managed policies: "AmazonEKSWorkerNodePolicy" and "AmazonEC2ContainerRegistryReadOnly". Any additional managed policy, and any inline policy, makes the role too permissive.

Security, Operational excellence

The IAM role assigned to a worker node allows the kubelet running on the node to call AWS APIs on your behalf, for example to describe EC2 instances and network interfaces and to pull container images from Amazon ECR. The role is used to securely manage access to cluster resources, provide fine-grained permissions for worker nodes, and simplify administration by centralizing access management and eliminating the need for individual credentials on each node. The node role deserves more scrutiny than a typical instance role because, unless access to the EC2 Instance Metadata Service is blocked for pods, every container scheduled on the node can fetch the role's temporary credentials from that service. Any permission attached to the node role is therefore effectively granted to every workload on the node, and a single compromised pod can use an over-permissive node role to move into the rest of the AWS account. Restricting the node role to the permissions it actually needs, and granting workload-specific permissions through IAM roles for service accounts (IRSA) or EKS Pod Identity instead, significantly reduces the risk of unauthorized access to your Amazon EKS cluster resources and to the surrounding AWS account.


Audit

To determine if your Amazon EKS cluster node groups are using appropriate permissions for worker nodes, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine.

05 Select the Compute tab to access the compute resources provisioned for the selected cluster.

06 Click on the name (link) of the node group that you want to examine.

07 Select the Details tab and click on the ARN (link) of the associated IAM role, listed under Node IAM role ARN to access the IAM role configuration.

08 Select the Permissions tab to access the identity-based policies attached to the selected role.

09 In the Permissions policies section, check the name of each policy listed in the Policy name column to determine the permissions defined for the selected role. For compliance, the associated IAM role should have exactly two managed policies attached: "AmazonEKSWorkerNodePolicy" and "AmazonEC2ContainerRegistryReadOnly". If the role has any other managed policy attached, or if it has any inline policy, the permissions configured for the selected IAM role are too permissive and the EKS cluster node group configuration is not compliant.

10 Repeat steps no. 6 - 9 for each node group provisioned for the selected EKS cluster.

11 Repeat steps no. 4 - 10 for each Amazon EKS cluster available within the current AWS region.

12 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EKS cluster available in the selected AWS region:

aws eks list-clusters \
  --region us-east-1 \
  --output table \
  --query 'clusters'

02 The command output should return a table with the requested EKS cluster names:

---------------------------
|      ListClusters       |
+-------------------------+
| cc-eks-webapp-cluster   |
| cc-eks-project5-cluster |
+-------------------------+

03 Run list-nodegroups command (OSX/Linux/UNIX) with custom query filters to list the name of each node group provisioned for the selected Amazon EKS cluster:

aws eks list-nodegroups \
  --region us-east-1 \
  --cluster-name cc-eks-webapp-cluster \
  --query 'nodegroups'

04 The command output should return the requested EKS cluster node group names:

[
	"cc-webapp-cluster-node-001",
	"cc-webapp-cluster-node-002"
]

05 Run describe-nodegroup command (OSX/Linux/UNIX) with custom output filtering to describe the ARN of the IAM role associated with the selected EKS cluster node group:

aws eks describe-nodegroup \
  --region us-east-1 \
  --cluster-name cc-eks-webapp-cluster \
  --nodegroup-name cc-webapp-cluster-node-001 \
  --query 'nodegroup.nodeRole'

06 The command output should return the Amazon Resource Name (ARN) of the associated IAM role:

"arn:aws:iam::123456789012:role/cc-eks-node-role"

07 Run list-attached-role-policies command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name (ARN) of each managed policy attached to the associated IAM role. IAM is a global service, so the IAM commands take no --region parameter; the role name is the last segment of the ARN returned in the previous step:

aws iam list-attached-role-policies \
  --role-name cc-eks-node-role \
  --query 'AttachedPolicies[*].PolicyArn'

08 The command output should return the ARN of each managed policy attached to the selected role:

[
	"arn:aws:iam::aws:policy/AdministratorAccess",
	"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
	"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
]

If the list-attached-role-policies command output returns one or more managed policies, other than "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" and "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", as shown in the example above, the permissions configured for the selected IAM role are too permissive, therefore the EKS cluster node group configuration is not compliant.

09 Run list-role-policies command (OSX/Linux/UNIX) with custom query filters to list the name of each inline policy embedded in the associated IAM role:

aws iam list-role-policies \
  --role-name cc-eks-node-role \
  --query 'PolicyNames'

10 The command output should return the name of each inline policy associated with the selected role:

[
	"cc-eks-inline-policy"
]

If the list-role-policies command output returns one or more inline policies, as shown in the example above, the permissions configured for the selected IAM role are too permissive, therefore the node group configuration is not compliant.

11 Repeat steps no. 5 - 10 for each node group provisioned for the selected EKS cluster.

12 Repeat steps no. 3 - 11 for each Amazon EKS cluster available in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

Remediation / Resolution

To ensure that your Amazon EKS cluster node groups are using appropriate permissions for worker nodes, perform the following actions. Before detaching anything, confirm that no workload depends on the extra permissions (IAM Access Advisor and CloudTrail show which services the role has actually called). In particular, if the Amazon VPC CNI plugin still obtains its permissions from the node role (typically through the "AmazonEKS_CNI_Policy" managed policy), first move that policy to an IAM role for the aws-node service account, otherwise pods will lose network connectivity when it is detached. Workloads that need AWS permissions should likewise receive them through IAM roles for service accounts (IRSA) or EKS Pod Identity rather than through the node role.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/.

03 In the main navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to access.

05 Select the Compute tab to access the compute resources provisioned for the selected cluster.

06 Click on the name (link) of the node group that you want to configure.

07 Select the Details tab and click on the ARN (link) of the associated IAM role, listed under Node IAM role ARN to access the IAM role configuration.

08 Select the Permissions tab to access the identity-based policies attached to the selected role.

09 In the Permissions policies section, perform the following actions based on the policy type:

  1. For managed IAM policies:
    • Select the managed policy that you want to detach from the associated IAM role and choose Remove.
    • Inside the Remove [policy-name] confirmation box, choose Delete to confirm the removal. This only detaches the managed policy from the role; the policy itself is not deleted.
  2. For inline IAM policies:
    • Select the inline policy that you want to remove from the associated IAM role and choose Remove.
    • Inside the Remove [policy-name] confirmation box, enter the inline policy name in the text input field, and choose Delete to confirm the removal.

10 Repeat steps no. 6 - 9 for each EKS cluster node group that you want to configure.

11 Repeat steps no. 4 – 10 for each Amazon EKS cluster provisioned within the current AWS region.

12 Change the AWS cloud region from the top navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run detach-role-policy command (OSX/Linux/UNIX) to remove the non-compliant managed policies, other than "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" and "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", from the IAM role associated with your EKS cluster node group (the command does not produce an output):

aws iam detach-role-policy \
  --role-name cc-eks-node-role \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

02 Run delete-role-policy command (OSX/Linux/UNIX) to remove the non-compliant inline policies from the IAM role associated with your EKS cluster node group (the command does not return an output):

aws iam delete-role-policy \
  --role-name cc-eks-node-role \
  --policy-name cc-eks-inline-policy

03 Repeat steps no. 1 and 2 for each EKS cluster node group that you want to configure.

04 Repeat steps no. 1 – 3 for each Amazon EKS cluster provisioned in the selected AWS region.

05 IAM roles are global, so the detach-role-policy and delete-role-policy commands take no --region parameter, but node groups are regional. Change the AWS cloud region by updating the --region parameter value of the Audit commands to find the node IAM roles used in other AWS regions, and repeat the Remediation process for each of them.
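The following script is added here as a worked example; it is not part of the Conformity page and not AWS tooling. It automates both the Audit CLI steps (01 - 13) and the Remediation CLI steps (01 - 05) above: for every EKS node group in the regions given as arguments it resolves the node IAM role, compares the role's managed and inline policies with the two-policy allowlist, and prints the exact detach-role-policy / delete-role-policy command for each finding. It goes slightly beyond the page by handling roles created with an IAM path and by looping over several regions in one run. The file name eks-node-role-audit.sh, the FIX=1 environment variable that turns the dry run into real changes, and the COMPLIANT / NON-COMPLIANT / fix: output labels are this example's own conventions; the allowlist and the aws commands are the ones the page uses.

```shell
#!/bin/sh
# Added example (not code from the Conformity page or from AWS). Automates the
# Audit and Remediation CLI steps: for every EKS node group in the regions given
# as arguments, resolve the node IAM role, flag any managed policy outside the
# two-policy allowlist and any inline policy, and print the detach-role-policy /
# delete-role-policy command for each finding. Commands are executed only when
# FIX=1 is set (a convention assumed here). Needs AWS CLI v2 and permission to
# call eks:ListClusters, eks:ListNodegroups, eks:DescribeNodegroup,
# iam:ListAttachedRolePolicies, iam:ListRolePolicies and, with FIX=1,
# iam:DetachRolePolicy and iam:DeleteRolePolicy.
set -eu

ALLOWED_POLICIES="arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"

# is_allowed_policy ARN -> 0 when ARN is one of the permitted managed policies.
is_allowed_policy() {
  for allowed in $ALLOWED_POLICIES; do
    if [ "$1" = "$allowed" ]; then return 0; fi
  done
  return 1
}

# role_name_from_arn ARN -> role name; takes the last path segment so that
# roles created with an IAM path (role/service-role/name) are handled too.
role_name_from_arn() { printf '%s\n' "${1##*/}"; }

# plan_node_role ROLE "ATTACHED_ARNS" "INLINE_NAMES"
# Pure function over the whitespace-separated lists that `--output text` prints.
# Emits one remediation command per offending policy. Returns 0 and prints
# nothing when the role carries only the allowlisted managed policies and no
# inline policy; returns 1 otherwise.
plan_node_role() {
  role="$1"; rc=0
  for arn in $2; do
    if ! is_allowed_policy "$arn"; then
      echo "aws iam detach-role-policy --role-name $role --policy-arn $arn"; rc=1
    fi
  done
  for name in $3; do
    echo "aws iam delete-role-policy --role-name $role --policy-name $name"; rc=1
  done
  return $rc
}

# audit_node_role ROLE: fetch the role's policies (IAM is global, so no
# --region), print the plan, and apply it through a child shell when FIX=1
# (sh -e stops at the first command that fails).
audit_node_role() {
  attached=$(aws iam list-attached-role-policies --role-name "$1" \
               --query 'AttachedPolicies[*].PolicyArn' --output text)
  inline=$(aws iam list-role-policies --role-name "$1" --query 'PolicyNames' --output text)
  if plan=$(plan_node_role "$1" "$attached" "$inline"); then
    echo "COMPLIANT $1"; return 0
  fi
  echo "NON-COMPLIANT $1"
  printf '%s\n' "$plan" | sed 's/^/  fix: /'
  if [ "${FIX:-0}" = "1" ]; then
    printf '%s\n' "$plan" | sh -ex || { echo "remediation failed for $1" >&2; return 2; }
  fi
  return 1
}

# audit_region REGION: clusters -> node groups -> node role, the same walk as
# Audit steps 01 - 10. Returns non-zero when any finding was made in the region,
# even if FIX=1 has already corrected it. A role shared by several node groups
# is fixed the first time it is seen and reported as compliant after that.
audit_region() {
  region="$1"; failed=0
  for cluster in $(aws eks list-clusters --region "$region" --query 'clusters' --output text); do
    for ng in $(aws eks list-nodegroups --region "$region" --cluster-name "$cluster" \
                  --query 'nodegroups' --output text); do
      role_arn=$(aws eks describe-nodegroup --region "$region" --cluster-name "$cluster" \
                   --nodegroup-name "$ng" --query 'nodegroup.nodeRole' --output text)
      echo "== $region/$cluster/$ng -> $role_arn"
      audit_node_role "$(role_name_from_arn "$role_arn")" || failed=1
    done
  done
  return $failed
}

# Usage: [FIX=1] sh eks-node-role-audit.sh us-east-1 eu-west-1 ...
# Exit status 0 only when every node role in every listed region is compliant.
if [ $# -gt 0 ]; then
  status=0
  for r in "$@"; do audit_region "$r" || status=1; done
  exit "$status"
fi
```

Run it once without FIX to review the proposed commands (the dry run makes no changes and needs only read permissions), check that nothing listed is still needed by the VPC CNI plugin or by a workload, and only then re-run with FIX=1. The check itself lives in plan_node_role, which takes the policy lists as arguments rather than calling AWS, so the allowlist logic can be tested offline and reused from other tooling.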

Publication date Jul 12, 2023