TCP #45: EKS Security Checklist: Is Your Cluster Vulnerable?
Essential security practices to implement today that will protect your Kubernetes workloads tomorrow
Your Kubernetes cluster is a ticking time bomb.
Attackers inch closer to your workloads with every unpatched vulnerability and misconfigured permission.
Most EKS deployments have gaping security holes that even junior hackers can exploit in minutes.
While you're focused on shipping features, sophisticated threat actors are probing your cluster's defenses, looking for the path of least resistance.
The recent surge in container-based attacks is a stark warning.
In today’s newsletter, I explain the exact EKS security measures you need without the fluff or enterprise-grade complexity.
Because when your production environment gets compromised, nobody will care about your brilliant architecture or deployment speed. They'll only ask why you missed the security basics we're about to share.

The Foundation: IAM and Authentication
First things first: lock down who can access your cluster.
AWS IAM forms your first line of defense.
Start by creating specific IAM roles for your EKS cluster and worker nodes.
Never use the root account or personal IAM users.
Here's the minimum IAM setup you need:
# Control-plane role: the trust policy in cluster-trust-policy.json must let
# eks.amazonaws.com assume it. Worker nodes get a separate role with
# AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy and read access to ECR.
aws iam create-role --role-name EKSClusterRole \
  --assume-role-policy-document file://cluster-trust-policy.json
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
  --role-name EKSClusterRole
Network Security: VPC and Security Groups
Your cluster needs a private VPC with properly configured security groups.
Think of it as building a moat around your castle.
Create separate public and private subnets, and lock down all unnecessary ports.
Create this baseline security group with the AWS CLI:
# Allow HTTPS (the API endpoint) only from inside the VPC. A newly created
# security group already allows all egress (protocol -1 to 0.0.0.0/0), so
# no egress rule is needed for this baseline.
aws ec2 create-security-group --group-name eks-cluster-sg \
  --description "EKS cluster baseline" --vpc-id YOUR-VPC-ID
aws ec2 authorize-security-group-ingress --group-id YOUR-SG-ID \
  --protocol tcp --port 443 --cidr YOUR-VPC-CIDR
Pod Security Policies
Pod Security Policies prevent pods from running with dangerous privileges.
They're your bouncers, checking IDs at the door.
One caveat before you rely on them: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on a current EKS version the equivalent control is Pod Security Admission (label each namespace with pod-security.kubernetes.io/enforce=restricted). On an older cluster, enable the restricted policy immediately:
kubectl apply -f - <<EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'secret'
EOF
# The policy only takes effect once RBAC grants the "use" verb on it to the
# service accounts (or groups) whose pods it should govern.
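The same three rules (no privileged containers, no root user, volume whitelist) as an added Python lint you can run over a Pod manifest in CI; this is example code written for this issue, not from the newsletter or from Kubernetes, and the two sample pods are constructed.

```python
# Added example: the rules of the "restricted" PodSecurityPolicy above, as a
# standalone lint for Pod manifests (parsed YAML/JSON as dicts). Useful in CI,
# and on clusters past 1.25 where PSP itself is gone.
ALLOWED_VOLUMES = {"configMap", "emptyDir", "secret"}


def restricted_violations(pod: dict) -> list:
    """Return human-readable violations; an empty list means the pod passes."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    problems = []
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):                         # privileged: false
            problems.append(f"{name}: privileged container")
        # MustRunAsNonRoot: container-level settings override pod-level ones.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0 or non_root is False:
            problems.append(f"{name}: may run as root")
        elif run_as_user is None and non_root is None:
            problems.append(f"{name}: runAsNonRoot/runAsUser not set")
    for v in spec.get("volumes") or []:
        kinds = [k for k in v if k != "name"]            # the one type key
        kind = kinds[0] if kinds else "unknown"
        if kind not in ALLOWED_VOLUMES:                  # volumes: whitelist
            problems.append(f"volume {v.get('name', '?')}: {kind} not allowed")
    return problems


# Constructed samples: what the policy should block, and what it should pass.
BAD_POD = {"spec": {
    "containers": [{"name": "app", "image": "nginx",
                    "securityContext": {"privileged": True, "runAsUser": 0}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}
GOOD_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{"name": "app", "image": "nginx"}],
    "volumes": [{"name": "tmp", "emptyDir": {}},
                {"name": "cfg", "configMap": {"name": "app"}}]}}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, restricted_violations(pod) or "OK")
```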
Container Image Security
Treat every container image like a suspicious package.
Implement these image security measures:
Use ECR with scanning enabled
Sign all images with Docker Content Trust
Allow only images from trusted registries
Here's how to enforce trusted registries:
# Requires OPA Gatekeeper plus the K8sAllowedRepos ConstraintTemplate from
# gatekeeper-library; images must start with one of the listed prefixes.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
  parameters:
    repos:
    - "123456789012.dkr.ecr.us-west-2.amazonaws.com/"
Secret Management
Kubernetes secrets are like the keys to your kingdom.
By default, they are only base64-encoded in etcd, not encrypted by Kubernetes itself; turn on KMS envelope encryption for the cluster and keep the real secret values outside the cluster.
Fix this by implementing AWS Secrets Manager through the Secrets Store CSI driver and its AWS provider (pods then mount secrets via a SecretProviderClass, using an IAM role granted through IRSA or EKS Pod Identity):
helm repo add secrets-store-csi-driver \
  https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install csi-secrets-store \
  secrets-store-csi-driver/secrets-store-csi-driver \
  --namespace kube-system
# The driver alone does nothing for AWS; add the AWS Secrets Manager provider
helm repo add aws-secrets-manager \
  https://aws.github.io/secrets-store-csi-driver-provider-aws
helm install secrets-provider-aws \
  aws-secrets-manager/secrets-store-csi-driver-provider-aws \
  --namespace kube-system
Network Policies
Network Policies are your internal security checkpoints.
Start with a deny-all policy, then explicitly allow the communication each workload needs. NetworkPolicy objects are namespaced and are only enforced by a CNI that supports them (on EKS, the VPC CNI with network policy enabled, or Calico), so apply this in every namespace you want protected:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
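An added audit helper (example code written for this issue, not the newsletter's) that takes NetworkPolicy objects as dicts, as you would get from kubectl get networkpolicy -A -o json, and reports the namespaces still missing a default deny in both directions; it also handles the common mistake of omitting policyTypes, which denies ingress only. The sample policies are constructed.

```python
# Added example: audit NetworkPolicy objects (dicts, e.g. from
# `kubectl get networkpolicy -A -o json`) and report namespaces that still
# lack a default deny covering BOTH ingress and egress.
def denied_directions(policy: dict) -> set:
    """Directions this policy denies for every pod in its namespace."""
    spec = policy.get("spec") or {}
    if spec.get("podSelector", {}) != {}:         # must select all pods
        return set()
    types = spec.get("policyTypes")
    if types is None:                              # API default when omitted:
        types = ["Ingress"]                        # Ingress always, Egress only
        if "egress" in spec:                       # if egress rules are present
            types.append("Egress")
    denied = set()
    for direction in types:
        if not spec.get(direction.lower()):        # no rules => nothing allowed
            denied.add(direction)
    return denied


def namespaces_missing_default_deny(namespaces: list, policies: list) -> list:
    """Namespaces where Ingress and Egress are not both denied by default."""
    covered = {ns: set() for ns in namespaces}
    for p in policies:
        ns = p.get("metadata", {}).get("namespace", "default")
        covered.setdefault(ns, set()).update(denied_directions(p))
    return sorted(ns for ns in namespaces if covered[ns] != {"Ingress", "Egress"})


# Constructed samples: the policy from this issue, a policy that silently
# denies ingress only, and one scoped to a single app.
PAGE_POLICY = {"metadata": {"name": "default-deny-all", "namespace": "payments"},
               "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
INGRESS_ONLY = {"metadata": {"name": "deny-ingress", "namespace": "web"},
                "spec": {"podSelector": {}}}
SCOPED = {"metadata": {"name": "db-only", "namespace": "data"},
          "spec": {"podSelector": {"matchLabels": {"app": "db"}},
                   "policyTypes": ["Ingress", "Egress"]}}
NAMESPACES = ["payments", "web", "data", "batch"]

if __name__ == "__main__":
    print(namespaces_missing_default_deny(NAMESPACES, [PAGE_POLICY, INGRESS_ONLY, SCOPED]))
```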
Monitoring and Logging
You can't defend against what you can't see. Set up comprehensive monitoring using CloudWatch Container Insights:
# The node IAM role needs CloudWatchAgentServerPolicy so the agent can publish
# metrics and logs.
curl -s https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest.json \
  | sed 's/{{cluster_name}}/your-cluster-name/;s/{{region_name}}/your-region/' \
  | kubectl apply -f -
Regular Security Audits
Implement automated security scanning using kube-bench and Trivy.
Run these checks weekly:
# Install kube-bench (CIS benchmark checks); the same repo also ships
# job-eks.yaml, tailored to EKS nodes
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
# Read the results once the job completes
kubectl logs job/kube-bench
# Install the Trivy operator (continuous vulnerability and misconfiguration scanning)
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace
Incident Response
Create an incident response playbook.
When (not if) something goes wrong, you'll need these commands ready:
# Isolate the compromised namespace: the label only isolates anything if a
# NetworkPolicy (or other policy) keys off it, so prepare that policy in advance
kubectl label namespace compromised quarantine=true
# Block all egress traffic with a policy file you keep ready ahead of time
kubectl apply -f emergency-netpol.yaml
# Collect forensic data before anything is deleted or restarted
kubectl describe pods -n compromised > incident-report.txt
kubectl get events -n compromised --sort-by=.lastTimestamp >> incident-report.txt
Stay Ahead of the Threats
Security isn't a one-time setup. Schedule these recurring tasks:
Weekly vulnerability scans
Monthly access reviews
Quarterly penetration tests
Continuous compliance monitoring
Final Thoughts
Start with this security checklist:
Lock down IAM permissions
Enable pod security policies
Implement network policies
Configure secret management
Set up monitoring
Schedule regular audits
Remember, EKS security isn't about implementing every possible protection.
It's about implementing the right protections for your workload. Start with these basics, then build your defenses based on your needs.
That’s it for today!
Until next week — Amrut