Amazon EKS enhances cluster governance with new IAM condition keys
Amazon EKS has added seven new IAM condition keys, enhancing governance controls for cluster management. These keys support proactive policy enforcement and are available at no additional cost in all AWS Regions where EKS is offered.
Amazon Elastic Kubernetes Service (EKS) has introduced support for seven new IAM condition keys applicable to cluster creation and configuration APIs. This development significantly enhances the governance capabilities available through IAM policies and Service Control Policies (SCPs). Organizations that manage environments across multiple accounts require centralized systems to enforce security and compliance measures uniformly across all clusters. This is essential to avoid dependency on manual interventions or checks after deployment.
The addition of these new EKS IAM condition keys facilitates proactive policy enforcement, offering organizations the ability to exercise more detailed control over cluster configurations. With these keys, organizations can enforce policies such as private-only API endpoints through eks:endpointPublicAccess and eks:endpointPrivateAccess, mandate the use of customer-managed AWS KMS keys for secrets encryption via eks:encryptionConfigProviderKeyArns, and restrict clusters to approved Kubernetes versions using eks:kubernetesVersion.
Furthermore, the new conditions allow organizations to mandate deletion protection for production workloads with eks:deletionProtection, to restrict control plane scaling tiers through eks:controlPlaneScalingTier, and to require zonal shift for high availability using eks:zonalShiftEnabled. These condition keys apply to several APIs, including CreateCluster, UpdateClusterConfig, UpdateClusterVersion, and AssociateEncryptionConfig, and can be used in AWS Organizations SCPs for centralized governance across accounts.
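The following Service Control Policy is an added example of how the keys named above could be combined into a single preventive guardrail; it is not taken from the announcement or from AWS documentation. The KMS key ARN pattern, the account ID 111122223333, the approved version list and the choice of condition operators (Bool for the boolean keys, String for version and tier, ForAnyValue:ArnNotLike plus Null for the multi-valued key ARN list) are assumptions for illustration; verify the operator types against the Service Authorization Reference before attaching the policy to an OU.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicApiEndpoint",
      "Effect": "Deny",
      "Action": ["eks:CreateCluster", "eks:UpdateClusterConfig"],
      "Resource": "*",
      "Condition": {
        "Bool": { "eks:endpointPublicAccess": "true" }
      }
    },
    {
      "Sid": "DenyUnapprovedKubernetesVersion",
      "Effect": "Deny",
      "Action": ["eks:CreateCluster", "eks:UpdateClusterVersion"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "eks:kubernetesVersion": ["1.30", "1.31"]
        }
      }
    },
    {
      "Sid": "DenyDisablingDeletionProtection",
      "Effect": "Deny",
      "Action": ["eks:CreateCluster", "eks:UpdateClusterConfig"],
      "Resource": "*",
      "Condition": {
        "Bool": { "eks:deletionProtection": "false" }
      }
    },
    {
      "Sid": "DenyNonCustomerManagedSecretsKey",
      "Effect": "Deny",
      "Action": ["eks:CreateCluster", "eks:AssociateEncryptionConfig"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:ArnNotLike": {
          "eks:encryptionConfigProviderKeyArns": "arn:aws:kms:*:111122223333:key/*"
        }
      }
    },
    {
      "Sid": "DenyClusterCreationWithoutSecretsEncryption",
      "Effect": "Deny",
      "Action": "eks:CreateCluster",
      "Resource": "*",
      "Condition": {
        "Null": { "eks:encryptionConfigProviderKeyArns": "true" }
      }
    }
  ]
}
```

Two points matter when writing these statements. First, a condition on a key that is absent from the request evaluates to false, so a Deny keyed on eks:endpointPublicAccess does not fire for an UpdateClusterConfig call that only changes logging; that is the desired behaviour for most keys, but it means a mandate ("every cluster must use a customer-managed KMS key") needs the separate Null statement to catch requests that omit the setting entirely. Second, because the Null check is scoped to CreateCluster only, an UpdateClusterConfig call that does not touch encryption is not blocked by it; test each statement against real API calls in a sandbox account (for example with the IAM policy simulator or a dry-run OU) before rolling it out.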
The newly introduced IAM condition keys are available at no extra cost in all AWS Regions where Amazon EKS is offered. For further details about Amazon EKS IAM condition keys, users are directed to consult the Amazon EKS User Guide and the Service Authorization Reference for Amazon EKS. Additional information on implementing Service Control Policies can be found in the AWS Organizations documentation.