cbui.dev

================================================================================

EKS Cluster Creators Have Admin Access

aws

I learned recently that EKS Clusters will always grant admin privileges to the IAM entity that created the cluster:

When you create an Amazon EKS cluster, the AWS Identity and Access Management (IAM) entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster’s role-based access control (RBAC) configuration in the Amazon EKS control plane. This IAM entity doesn’t appear in any visible configuration, so make sure to keep track of which IAM entity originally created the cluster.

https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

This has important security implications.

If you misconfigure your aws-auth and get locked out of the cluster, you need to know what entity created the cluster in order to recover it. You can get this information in cloud trail if you created the cluster within the past 3 months, otherwise you’ll need to file a ticket with AWS. Ideally you create your EKS clusters with a service account so that no individual has permanent admin access.