S
STAQITechnologies
S
STAQITechnologies
Infrastructure12 min read

EKS Cluster Setup: Security Best Practices for Enterprise Production

A comprehensive guide to setting up Amazon EKS clusters with enterprise-grade security configurations, covering network policies, RBAC, and compliance requirements.

S

STAQI Technologies

January 15, 2024

EKSKubernetesSecurityAWSDevOps

EKS Cluster Setup: Security Best Practices for Enterprise Production

Amazon Elastic Kubernetes Service (EKS) has become the de facto standard for enterprise container orchestration in AWS. However, setting up an EKS cluster that meets enterprise security standards requires careful planning and implementation of multiple security layers.

Introduction

Enterprise production environments demand robust security configurations that go beyond default EKS settings. This guide covers essential security practices for EKS cluster setup, including network isolation, identity and access management, and compliance considerations.

Core Security Architecture

Network Security Foundation

The foundation of EKS security starts with proper network architecture:

# vpc-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: vpc-security-config
data:
  private_subnets: "true"
  nat_gateway: "true"
  vpc_flow_logs: "enabled"
  endpoint_access: "private"

Key Network Security Principles:

  • Private Subnets Only: Deploy worker nodes in private subnets
  • Endpoint Security: Configure private API server endpoints
  • Network Segmentation: Implement proper subnet isolation
  • Flow Logging: Enable VPC flow logs for audit trails

Identity and Access Management (IAM)

Proper IAM configuration is critical for EKS security:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Department": "Engineering"
        }
      }
    }
  ]
}

Implementation Strategy

1. Cluster Control Plane Security

Configure the EKS control plane with enterprise security settings:

resource "aws_eks_cluster" "enterprise_cluster" {
  name     = "production-cluster"
  role_arn = aws_iam_role.cluster_service_role.arn
  version  = "1.28"

  vpc_config {
    subnet_ids              = var.private_subnet_ids
    endpoint_private_access = true
    endpoint_public_access  = false
    security_group_ids      = [aws_security_group.cluster_sg.id]
  }

  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_encryption.arn
    }
    resources = ["secrets"]
  }

  enabled_cluster_log_types = [
    "api",
    "audit",
    "authenticator",
    "controllerManager",
    "scheduler"
  ]
}

2. Node Group Security Configuration

Secure worker node configuration with proper instance types and security groups:

resource "aws_eks_node_group" "secure_nodes" {
  cluster_name    = aws_eks_cluster.enterprise_cluster.name
  node_group_name = "secure-worker-nodes"
  node_role_arn   = aws_iam_role.node_group_role.arn
  subnet_ids      = var.private_subnet_ids

  instance_types = ["m5.large", "m5.xlarge"]
  
  launch_template {
    id      = aws_launch_template.secure_template.id
    version = aws_launch_template.secure_template.latest_version
  }

  remote_access {
    ec2_ssh_key = var.ssh_key_name
    source_security_group_ids = [aws_security_group.bastion_sg.id]
  }

  scaling_config {
    desired_size = 3
    max_size     = 10
    min_size     = 3
  }
}

3. RBAC Implementation

Role-Based Access Control (RBAC) configuration for fine-grained permissions:

# rbac-config.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-binding
subjects:
- kind: User
  name: developer@company.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: developer-role
  apiGroup: rbac.authorization.k8s.io

Security Policies and Network Controls

Pod Security Standards

Implement Pod Security Standards for workload security:

# pod-security-policy.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53

Security Group Rules

Strict security group configuration for defense in depth:

resource "aws_security_group" "cluster_sg" {
  name_prefix = "eks-cluster-sg"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "EKS-Cluster-SecurityGroup"
  }
}

Monitoring and Compliance

CloudWatch Integration

Configure comprehensive logging and monitoring:

# cloudwatch-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudwatch-log-config
  namespace: amazon-cloudwatch
data:
  cwagentconfig.json: |
    {
      "logs": {
        "metrics_collected": {
          "kubernetes": {
            "cluster_name": "production-cluster",
            "metrics_collection_interval": 60
          }
        },
        "log_stream_name": "eks-cluster-logs"
      }
    }

Audit Logging

Enable comprehensive audit logging for compliance:

# audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  namespaces: ["production", "staging"]
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
- level: RequestResponse
  namespaces: ["production"]
  resources:
  - group: ""
    resources: ["pods", "services"]
  - group: "apps"
    resources: ["deployments"]

Best Practices Summary

Security Checklist

  • Network Isolation: Private subnets and endpoints
  • Encryption: EKS secrets encryption with KMS
  • RBAC: Fine-grained access controls
  • Pod Security: Restricted security standards
  • Network Policies: Default deny with explicit allows
  • Audit Logging: Comprehensive audit trails
  • Monitoring: CloudWatch integration
  • Image Security: Container image scanning

Operational Security

  1. Regular Updates: Keep EKS version current
  2. Security Scanning: Implement vulnerability scanning
  3. Backup Strategy: Regular etcd backups
  4. Incident Response: Defined security incident procedures

Conclusion

Implementing enterprise-grade security for EKS clusters requires a layered approach combining network security, identity management, and operational controls. The configurations outlined in this guide provide a solid foundation for production deployments that meet compliance requirements while maintaining operational efficiency.

Remember that security is an ongoing process. Regular security assessments, penetration testing, and staying current with AWS security best practices are essential for maintaining a secure EKS environment.

For more enterprise Kubernetes and cloud security content, follow STAQI Technologies' technical blog.

Ready to implement similar solutions?

Contact STAQI Technologies to learn how our expertise in high-volume systems, security operations, and compliance can benefit your organization.

Get Started