Security on EKS

Overview

EKS provides multiple layers of security for clusters and workloads. AWS and customers share responsibility for security.

Topics

Cluster Access & Authentication

• Access Overview - Access patterns overview
• Endpoint Access - Public/private endpoints, bastion hosts
• Legacy aws-auth - ConfigMap-based access (legacy)
• Auth Patterns - IRSA vs Pod Identity comparison

Pod Authentication

• IRSA Deep-Dive - OIDC trust, token details, multi-cluster patterns
• Pod Identity Deep-Dive - EKS-managed credentials, agent architecture

Secrets Management

• Secrets Management
  • AWS Secrets Manager
  • Sealed Secrets

Additional Security

• Pod Security Standards
• GuardDuty for EKS
• Policy Management (Kyverno)

Shared Responsibility

AWS Responsible	Customer Responsible
Control plane	Node OS hardening
Kubernetes software	Container security
Managed node updates	Network policies
Security patches	IAM configuration
etcd encryption	Secrets encryption

References

• EKS Security
• EKS Best Practices - Security
• EKS Workshop - Security