EKS Cluster Creators Have Admin Access


I learned recently that EKS Clusters will always grant admin privileges to the IAM entity that created the cluster:

When you create an Amazon EKS cluster, the AWS Identity and Access Management (IAM) entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster’s role-based access control (RBAC) configuration in the Amazon EKS control plane. This IAM entity doesn’t appear in any visible configuration, so make sure to keep track of which IAM entity originally created the cluster.


This has important security implications.

If you misconfigure your aws-auth and get locked out of the cluster, you need to know what entity created the cluster in order to recover it. You can get this information in cloud trail if you created the cluster within the past 3 months, otherwise you’ll need to file a ticket with AWS. Ideally you create your EKS clusters with a service account so that no individual has permanent admin access.

Join the 80/20 DevOps Newsletter

If you're an engineering leader or developer, you should subscribe to my 80/20 DevOps Newsletter. Give me 1 minute of your day, and I'll teach you essential DevOps skills. I cover topics like Kubernetes, AWS, Infrastructure as Code, and more.

Not sure yet? Check out the archive.

Unsubscribe at any time.