k9 Security now summarizes principals’ access to the Elastic Kubernetes Service (EKS) APIs. k9 reports whether IAM principals may administer or read EKS cluster and nodegroup configurations managed by AWS. Amazon Elastic Kubernetes Service is a fully managed container orchestration service that allows you to run containers on your own EC2 instances or Fargate.

If you’re wondering which IAM principals can administer or run containers with EKS, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use EKS APIs and maps each principal’s access to a k9 access capability.

Here’s an example of how EKS access is summarized in the Principal Access Summary worksheet of k9-dev’s report (a sample report is available as an xlsx download):

k9 Principal Access Summary for EKS

This excerpt shows the ci IAM user has full access to EKS APIs and is allowed to administer-resource and read-config. The k9-auditor role has only the read-config capability for EKS APIs, allowing it to read EKS configuration metadata.

The most interesting EKS API actions are classified as administer-resource, which manage cluster and node resources:

Mapping of EKS API actions to k9 administer-resource capability

The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
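To make the roll-up concrete, here is an added Python example (not k9’s code, and not its real mapping) that evaluates a principal’s identity-based IAM policies against a constructed subset of EKS API actions and summarizes the result into administer-resource and read-config capabilities, in the spirit of the ci and k9-auditor rows above. The action subset, the sample policies, and the simplified evaluation rules (explicit Deny beats Allow; conditions, resource ARNs, NotAction, and resource or SCP policies are ignored) are all assumptions.

```python
import fnmatch

# Constructed mapping of a subset of EKS actions to k9-style capabilities.
# Assumption: k9's real, complete mapping lives in its 'k9 Access Capability
# Mapping' worksheet; this is only an illustrative subset of the 28 actions.
EKS_CAPABILITIES = {
    "administer-resource": {
        "eks:CreateCluster", "eks:DeleteCluster", "eks:UpdateClusterConfig",
        "eks:UpdateClusterVersion", "eks:CreateNodegroup", "eks:DeleteNodegroup",
        "eks:UpdateNodegroupConfig", "eks:UpdateNodegroupVersion",
    },
    "read-config": {
        "eks:DescribeCluster", "eks:ListClusters", "eks:DescribeNodegroup",
        "eks:ListNodegroups", "eks:DescribeUpdate", "eks:ListUpdates",
    },
}

def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_actions(policy_documents, actions):
    """Return the subset of `actions` the combined identity policies allow.
    Simplified IAM evaluation: an explicit Deny wins over any Allow."""
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in doc.get("Statement", []):
            patterns = stmt.get("Action", [])
            if isinstance(patterns, str):
                patterns = [patterns]
            hits = {a for a in actions if any(_matches(p, a) for p in patterns)}
            (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied

def summarize_capabilities(policy_documents):
    """Map a principal's allowed EKS actions to k9-style capabilities."""
    return {cap: sorted(allowed_actions(policy_documents, acts))
            for cap, acts in EKS_CAPABILITIES.items()}

# Constructed sample policies: 'ci' gets eks:*, 'k9-auditor' gets read-only
# access minus one explicitly denied action.
CI_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "eks:*", "Resource": "*"}]}
AUDITOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["eks:Describe*", "eks:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "eks:DescribeUpdate", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("ci", CI_POLICY), ("k9-auditor", AUDITOR_POLICY)):
        caps = summarize_capabilities([policy])
        print(name, {cap: len(acts) for cap, acts in caps.items()})
```

Running it shows ci with every action in both capabilities and k9-auditor with read-config only, the same shape as the Principal Access Summary rows.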

The Amazon EKS API currently has 28 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how EKS compares to other AWS data, compute, and security APIs:

k9 AWS Service Analysis Summary

AWS EKS gives you a way to run applications on Kubernetes on AWS without needing to stand up or maintain your own Kubernetes control plane. Manage risk to your applications running on EKS by continuously reviewing and adjusting access to EKS clusters and the EKS compute APIs.

We hope k9’s new EKS analysis capabilities help you identify which IAM users and roles can administer EKS clusters in your AWS accounts. We are happy to answer any questions!