IAM Requirements for EKS
Taken together, these IAM policies provide sufficient access to use EKS.

Some of these permissions are very broad. They are difficult to scope effectively, in part because many resources are created (and named) dynamically when deploying an EKS cluster using CloudFormation. There may be some value in enforcing certain naming conventions, such as prefixing cluster names with `${aws:username}`, which would allow pattern-matching in Conditions. However, this requires special consideration beyond the EKS deployment guide, and should be evaluated in the broader context of organizational IAM policies.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UnscopedOperations",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateUploadBucket",
        "cloudformation:EstimateTemplateCost",
        "cloudformation:ListExports",
        "cloudformation:ListStacks",
        "cloudformation:ListImports",
        "cloudformation:DescribeAccountLimits",
        "eks:ListClusters",
        "cloudformation:ValidateTemplate",
        "cloudformation:GetTemplateSummary",
        "eks:CreateCluster"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EffectivelyUnscopedOperations",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "cloudformation:*",
        "iam:CreateRole",
        "iam:DeleteRole",
        "eks:*"
      ],
      "Resource": [
        "arn:aws:eks:*:*:cluster/*",
        "arn:aws:cloudformation:*:*:stack/*/*",
        "arn:aws:cloudformation:*:*:stackset/*:*",
        "arn:aws:iam::*:instance-profile/*",
        "arn:aws:iam::*:role/*"
      ]
    }
  ]
}
```
These policies deal with particularly sensitive access controls, such as passing roles and attaching/detaching policies to and from roles.

This policy as written allows unrestricted use of customer-managed policies only, not Amazon-managed policies. This prevents things like attaching the `IAMFullAccess` policy to a role. If you are using roles in a way that would be undermined by this, you should strongly consider integrating a Permissions Boundary before using this policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UseCustomPoliciesWithCustomRoles",
      "Effect": "Allow",
      "Action": [
        "iam:DetachRolePolicy",
        "iam:AttachRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/*",
        "arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/*"
      ],
      "Condition": {
        "ForAllValues:ArnNotLike": {
          "iam:PolicyARN": "arn:aws:iam::aws:policy/*"
        }
      }
    },
    {
      "Sid": "AllowPassingRoles",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/*"
    },
    {
      "Sid": "AddCustomRolesToInstanceProfiles",
      "Effect": "Allow",
      "Action": "iam:AddRoleToInstanceProfile",
      "Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:instance-profile/*"
    },
    {
      "Sid": "AssumeServiceRoleForEKS",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<EKS_SERVICE_ROLE_NAME>"
    },
    {
      "Sid": "DenyUsingAmazonManagedPoliciesUnlessNeededForEKS",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "arn:aws:iam::aws:policy/*",
      "Condition": {
        "ArnNotEquals": {
          "iam:PolicyARN": [
            "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
            "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
            "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
          ]
        }
      }
    },
    {
      "Sid": "AllowAttachingSpecificAmazonManagedPoliciesForEKS",
      "Effect": "Allow",
      "Action": [
        "iam:DetachRolePolicy",
        "iam:AttachRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": [
            "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
            "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
            "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
          ]
        }
      }
    }
  ]
}
```
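To see how the two policy documents above combine for a given request, it helps to step through IAM's evaluation rule (an explicit Deny in any matching statement wins; without a matching Allow the request is implicitly denied) on paper or with a small offline evaluator. The script below is an added example, not code from this README or from the EKS project: it implements that rule for the `Arn*` condition operators the policies use, carries abridged copies of both policies, and checks several sample requests without an AWS account. The account id `123456789012` and the role name `eks-worker-role` are constructed sample values standing in for `<YOUR_ACCOUNT_ID>` and a real role.

```python
"""Offline evaluator for the README's EKS IAM policies (added example).

Supports Action / Resource / Condition with Arn* operators only: no
NotAction, NotResource or Principal, and no policy types other than the
identity policies shown above."""
import fnmatch

ACCOUNT = "123456789012"  # constructed sample id standing in for <YOUR_ACCOUNT_ID>
ROLE = f"arn:aws:iam::{ACCOUNT}:role/eks-worker-role"  # constructed sample role
EKS_MANAGED = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
]

# Abridged copies of the README's two policies: only the statements exercised below.
EKS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UnscopedOperations", "Effect": "Allow",
     "Action": ["eks:ListClusters", "eks:CreateCluster"], "Resource": "*"},
    {"Sid": "EffectivelyUnscopedOperations", "Effect": "Allow",
     "Action": ["cloudformation:*", "iam:CreateRole", "eks:*"],
     "Resource": ["arn:aws:cloudformation:*:*:stack/*/*", "arn:aws:iam::*:role/*"]},
]}
SENSITIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UseCustomPoliciesWithCustomRoles", "Effect": "Allow",
     "Action": ["iam:DetachRolePolicy", "iam:AttachRolePolicy"],
     "Resource": [f"arn:aws:iam::{ACCOUNT}:role/*", f"arn:aws:iam::{ACCOUNT}:policy/*"],
     "Condition": {"ForAllValues:ArnNotLike": {"iam:PolicyARN": "arn:aws:iam::aws:policy/*"}}},
    {"Sid": "AllowPassingRoles", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/*"},
    {"Sid": "DenyUsingAmazonManagedPoliciesUnlessNeededForEKS", "Effect": "Deny",
     "Action": "iam:*", "Resource": "arn:aws:iam::aws:policy/*",
     "Condition": {"ArnNotEquals": {"iam:PolicyARN": EKS_MANAGED}}},
    {"Sid": "AllowAttachingSpecificAmazonManagedPoliciesForEKS", "Effect": "Allow",
     "Action": ["iam:DetachRolePolicy", "iam:AttachRolePolicy"], "Resource": "*",
     "Condition": {"ArnEquals": {"iam:PolicyARN": EKS_MANAGED}}},
]}
POLICIES = [EKS_POLICY, SENSITIVE_POLICY]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(patterns, value):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    fnmatch also interprets '[', which no action or ARN used here contains."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context
    (condition key -> value or list of values). Arn* operators only."""
    for operator, pairs in condition.items():
        set_op, _, op = operator.rpartition(":")  # "ForAllValues:ArnNotLike" -> set prefix, operator
        if not op.startswith("Arn"):
            raise NotImplementedError(operator)
        negated = "Not" in op
        for key, patterns in pairs.items():
            values = _as_list(context.get(key, []))
            def test(v):  # a value passes if it matches, or for *Not* operators if it does not
                return _matches(patterns, v) != negated
            if set_op == "ForAllValues":
                ok = all(test(v) for v in values)  # vacuously true when the key is absent
            elif set_op == "ForAnyValue":
                ok = any(test(v) for v in values)
            else:  # single-valued key; when it is absent only a *Not* operator passes
                ok = negated if not values else test(values[0])
            if not ok:
                return False
    return True


def is_allowed(policies, action, resource, context=None):
    """True if the combined policies allow one request (action on resource)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = [a.lower() for a in _as_list(stmt["Action"])]
            if not _matches(actions, action.lower()):  # action names are case-insensitive
                continue
            if not _matches(stmt["Resource"], resource):  # ARNs are case-sensitive
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny wins over every Allow
            allowed = True
    return allowed


def attach_allowed(policy_arn):
    """Can the principal attach `policy_arn` to the sample worker role?"""
    return is_allowed(POLICIES, "iam:AttachRolePolicy", ROLE, {"iam:PolicyARN": policy_arn})


if __name__ == "__main__":
    for arn in [f"arn:aws:iam::{ACCOUNT}:policy/team-policy", EKS_MANAGED[0],
                "arn:aws:iam::aws:policy/IAMFullAccess"]:
        print(f"{attach_allowed(arn)!s:5} attach {arn}")
```

Running the script prints `True` for the customer-managed policy and for `AmazonEKSWorkerNodePolicy`, and `False` for `IAMFullAccess`. Stepping through the evaluation shows where that last result comes from: `iam:AttachRolePolicy` names the role as its resource, so the `Deny` statement, whose `Resource` is the managed-policy ARN, does not match the attach request at all. The block on `IAMFullAccess` comes from the `ForAllValues:ArnNotLike` condition on the `Allow`, which simply fails to match, leaving an implicit deny; the `Deny` statement only applies to actions whose resource is the Amazon-managed policy itself.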