πŸ“ AWS EKS Cluster has node IAM role with AmazonEKS_CNI_Policy attached πŸ”΄πŸŸ’

  • Contextual name: 📝 Cluster has node IAM role with AmazonEKS_CNI_Policy attached 🔴🟢
  • ID: /ce/ca/aws/eks/cluster-node-role-cni-policy
  • Located in: 📁 AWS EKS

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Logic

TODO 🔴

Add an INCOMPLIANT check for the exact permissions included in AmazonEKS_CNI_Policy (a node IAM role that carries those permissions through another policy should be flagged, not only one with the managed policy ARN attached).
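The following is an added example of what that check could look like; it is not Cloudaware's implementation, which the page still marks as TODO. The pure functions evaluate IAM data that has already been fetched, so they run offline on the constructed sample roles at the bottom (the account and policy names there are made up). The boto3 helpers use real IAM and EKS API calls but need credentials, and the list of ENI-mutating actions treated as "CNI permissions" is an assumption, since the page does not enumerate the managed policy's contents.

```python
"""Sketch of the INCOMPLIANT check described above, added as an example; it is
not Cloudaware's implementation. The pure functions evaluate IAM data that was
already fetched and run on the constructed samples at the bottom; the boto3
helpers need AWS credentials and are only used when you call them."""
import fnmatch
import json
from urllib.parse import unquote

CNI_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"

# Assumption: the page does not enumerate the managed policy's contents, so the
# check treats a grant of any of these ENI-mutating EC2 actions as "CNI
# permissions". Read-only ec2:Describe* actions are deliberately left out.
CNI_MUTATING_ACTIONS = (
    "ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface",
    "ec2:DetachNetworkInterface", "ec2:DeleteNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
)

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use * and ?
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _document(doc):
    # Some IAM APIs return URL-encoded JSON strings; boto3 decodes most of them
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc

def cni_actions_allowed(policy_document):
    """Subset of CNI_MUTATING_ACTIONS that some Allow statement grants, on any
    resource. Deny statements and Conditions are ignored, so the result
    over-approximates: a spurious INCOMPLIANT beats a missed grant."""
    allowed = set()
    for stmt in _as_list(_document(policy_document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "Action" in stmt:
            patterns = _as_list(stmt["Action"])
            allowed.update(a for a in CNI_MUTATING_ACTIONS
                           if any(_matches(p, a) for p in patterns))
        elif "NotAction" in stmt:  # allows everything except the listed actions
            excluded = _as_list(stmt["NotAction"])
            allowed.update(a for a in CNI_MUTATING_ACTIONS
                           if not any(_matches(p, a) for p in excluded))
    return allowed

def evaluate_node_role(role_name, attached, inline):
    """attached: [{"PolicyArn", "PolicyName", "Document"}] with Document None for
    AWS managed policies; inline: {policy_name: document}.
    Returns ("COMPLIANT" | "INCOMPLIANT", [reasons])."""
    reasons = []
    for pol in attached:
        if pol["PolicyArn"] == CNI_MANAGED_POLICY_ARN:
            reasons.append(f"{role_name}: AmazonEKS_CNI_Policy is attached")
        elif pol.get("Document") is not None:
            hits = cni_actions_allowed(pol["Document"])
            if hits:
                reasons.append(f"{role_name}: {pol['PolicyName']} allows {sorted(hits)}")
    for name, doc in inline.items():
        hits = cni_actions_allowed(doc)
        if hits:
            reasons.append(f"{role_name}: inline {name} allows {sorted(hits)}")
    return ("INCOMPLIANT" if reasons else "COMPLIANT"), reasons

def managed_nodegroup_roles(eks, cluster_name):
    """Node IAM roles of the cluster's managed node groups (boto3 EKS client).
    Self-managed node groups are not covered and need a separate inventory."""
    return {eks.describe_nodegroup(clusterName=cluster_name, nodegroupName=ng)["nodegroup"]["nodeRole"]
            for ng in eks.list_nodegroups(clusterName=cluster_name)["nodegroups"]}

def fetch_node_role(iam, role_name):
    """Collect evaluate_node_role's inputs for one role (boto3 IAM client)."""
    attached = []
    for pol in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        arn, doc = pol["PolicyArn"], None
        if ":iam::aws:policy/" not in arn:  # customer managed: read its default version
            version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
            doc = iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
        attached.append({"PolicyArn": arn, "PolicyName": pol["PolicyName"], "Document": doc})
    inline = {name: iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
              for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]}
    return attached, inline

# Constructed sample roles (not real accounts): before/after remediation, plus a
# node role whose inline policy re-grants the ENI rights on its own.
WORKER = {"PolicyArn": "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
          "PolicyName": "AmazonEKSWorkerNodePolicy", "Document": None}
CNI = {"PolicyArn": CNI_MANAGED_POLICY_ARN, "PolicyName": "AmazonEKS_CNI_Policy", "Document": None}
SAMPLE_ROLES = {
    "eks-node-before": ([WORKER, CNI], {}),
    "eks-node-after": ([WORKER], {}),
    "eks-node-inline": ([WORKER], {"eni-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*NetworkInterface*", "Resource": "*"}]}}),
}
```

Against a live account the wiring is `evaluate_node_role(role, *fetch_node_role(boto3.client("iam"), role))` for each role returned by `managed_nodegroup_roles(boto3.client("eks"), cluster)`. The sample `eks-node-inline` role is the case the TODO is about: the managed policy ARN is gone, yet an inline policy with an `ec2:*NetworkInterface*` wildcard still hands the node every ENI-mutating action, so it must stay INCOMPLIANT. The evaluation deliberately skips Deny statements and Conditions; a policy that is narrowed by a Condition will still be flagged, which is the safer direction for a compliance check.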

Description

Ensure that the AmazonEKS_CNI_Policy IAM policy is not attached to the EKS node IAM role.

Instead, configure a separate IAM role used exclusively by the Amazon VPC CNI plugin, so that the CNI pods hold only the permissions they need. While the policy is attached to the node IAM role, the CNI pods run with every permission the node role carries, and every other pod on the node that can reach the instance metadata service can use the CNI's EC2 networking permissions (creating, attaching, detaching and deleting network interfaces, assigning private IP addresses) together with whatever else the instance profile grants.

Rationale

The Amazon VPC CNI plugin automatically creates and manages a service account named aws-node in the kube-system namespace. By default that service account has no IAM role of its own, so its pods use the node's instance-profile credentials, i.e. the node IAM role, which often includes AmazonEKS_CNI_Policy. The plugin's pods therefore get every permission attached to the node IAM role, not only the ones the CNI needs.

To follow the principle of least privilege, create a dedicated IAM role for the aws-node service account and attach only AmazonEKS_CNI_Policy to it using IAM Roles for Service Accounts (IRSA). Once the CNI runs on its own role, the node IAM role no longer needs AmazonEKS_CNI_Policy and it can be detached.

Remediation

Configure a dedicated IAM role for the Amazon VPC CNI plugin's aws-node service account using IAM Roles for Service Accounts (IRSA). This limits the CNI pods to the permissions granted by AmazonEKS_CNI_Policy, in line with the principle of least privilege. Existing aws-node pods keep the credentials they started with, so they must be restarted after the service account is annotated; once they run with the dedicated role, detach AmazonEKS_CNI_Policy from the node IAM role, otherwise this check keeps failing.

Prerequisites

  • The EKS cluster must have an IAM OIDC identity provider associated with it.

From Command Line

Create a Dedicated IAM Role for aws-node Using eksctl

The command creates and deploys an AWS CloudFormation stack that creates an IAM role, attaches the necessary policy, and annotates the existing aws-node Kubernetes service account in the kube-system namespace with the role's ARN:

eksctl create iamserviceaccount \
--name aws-node \
--namespace kube-system \
--cluster {{cluster-name}} \
--role-name AmazonEKSVPCCNIRole \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \
--override-existing-serviceaccounts \
--approve

Note: This command is applicable for clusters using the IPv4 address family and takes the AmazonEKS_CNI_Policy AWS managed policy
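After the eksctl step, the annotation alone does not prove the CNI has moved off the node role. The script below is an added example (not Cloudaware's or eksctl's code) that checks the result from the cluster side: it reads the JSON that `kubectl get sa aws-node -n kube-system -o json` and `kubectl get pods -n kube-system -l k8s-app=aws-node -o json` return, confirms the service account carries the expected role ARN, and confirms every aws-node pod was actually restarted into that identity by looking for the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables the EKS pod identity webhook injects. The account ID, role ARN and pod names in the samples are constructed.

```python
"""Verification of the IRSA remediation above, added as an example; it is not
Cloudaware's or eksctl's code. It inspects the JSON that
`kubectl get sa aws-node -n kube-system -o json` and
`kubectl get pods -n kube-system -l k8s-app=aws-node -o json` return; the
objects at the bottom are constructed samples in that shape."""
import json
import sys

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
# Environment the EKS pod identity webhook injects into the containers of a pod
# whose service account carries the annotation. A pod created before the
# annotation was added lacks it and still runs on the node IAM role.
WEBHOOK_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")

def service_account_role(sa):
    """Role ARN the service account is annotated with, or None."""
    return (sa.get("metadata", {}).get("annotations") or {}).get(IRSA_ANNOTATION)

def pod_problems(pod, expected_role_arn):
    """Problems with one aws-node pod; an empty list means it assumes the IRSA role."""
    name = pod["metadata"]["name"]
    problems = []
    for container in pod["spec"]["containers"]:
        env = {e["name"]: e.get("value") for e in container.get("env", [])}
        missing = [v for v in WEBHOOK_ENV if v not in env]
        if missing:
            problems.append(f"{name}/{container['name']}: {missing} not injected, "
                            "pod still uses the node role; restart it")
        elif env["AWS_ROLE_ARN"] != expected_role_arn:
            problems.append(f"{name}/{container['name']}: assumes {env['AWS_ROLE_ARN']}")
    return problems

def verify_irsa(sa, pods, expected_role_arn):
    """All problems found across the service account and the aws-node pods."""
    problems = []
    actual = service_account_role(sa)
    if actual != expected_role_arn:
        problems.append(f"service account annotation is {actual}, expected {expected_role_arn}")
    for pod in pods.get("items", []):
        problems.extend(pod_problems(pod, expected_role_arn))
    return problems

# Constructed samples (account ID and pod names are made up).
EXPECTED_ROLE = "arn:aws:iam::111122223333:role/AmazonEKSVPCCNIRole"
TOKEN_FILE = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"

def _pod(name, env):
    return {"metadata": {"name": name}, "spec": {"containers": [
        {"name": "aws-node", "env": [{"name": k, "value": v} for k, v in env.items()]}]}}

SAMPLE_SA = {"metadata": {"name": "aws-node", "namespace": "kube-system",
                          "annotations": {IRSA_ANNOTATION: EXPECTED_ROLE}}}
SAMPLE_PODS = {"items": [
    _pod("aws-node-abc12", {"AWS_ROLE_ARN": EXPECTED_ROLE, "AWS_WEB_IDENTITY_TOKEN_FILE": TOKEN_FILE}),
    _pod("aws-node-xyz98", {"MY_NODE_NAME": "ip-10-0-2-20"}),  # started before the annotation
]}

if __name__ == "__main__":
    if len(sys.argv) == 4:  # verify_irsa.py sa.json pods.json <role-arn>
        with open(sys.argv[1]) as f_sa, open(sys.argv[2]) as f_pods:
            sa, pods, expected = json.load(f_sa), json.load(f_pods), sys.argv[3]
    else:
        sa, pods, expected = SAMPLE_SA, SAMPLE_PODS, EXPECTED_ROLE
    for line in verify_irsa(sa, pods, expected) or ["ok: aws-node uses the dedicated role"]:
        print(line)
```

If a pod is reported as still on the node role, delete it (`kubectl delete pod -n kube-system -l k8s-app=aws-node`) so the DaemonSet recreates it with the injected web-identity credentials. Only once every aws-node pod assumes the dedicated role should AmazonEKS_CNI_Policy be detached from the node IAM role; detaching it earlier leaves the CNI without the permissions it needs to attach ENIs and assign pod IPs.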

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management | 11
💼 Cloudaware Framework → 💼 System Configuration | 27