Profile Applicability:
 • Level 1

Description:
 Amazon EKS provides the Cluster Access Manager API (access entries and access policies) for granting IAM principals access to a cluster and mapping them to Kubernetes RBAC permissions. It is now the recommended method for managing cluster access, replacing the traditional aws-auth ConfigMap, in which IAM-to-RBAC mappings are maintained by hand-editing a ConfigMap in the kube-system namespace.

Rationale:
 Using the Cluster Access Manager API simplifies access management, strengthens security controls, and gives better visibility into who can reach the cluster. Access entries are created and changed through the EKS API, so every change is authorised by IAM and recorded in AWS CloudTrail, rather than by editing a ConfigMap where a malformed entry can lock every IAM principal out of the cluster. Predefined access policies (for example AmazonEKSClusterAdminPolicy or AmazonEKSViewPolicy) scoped to the cluster or to selected namespaces allow more fine-grained, least-privilege grants than the typical cluster-wide mappings found in aws-auth.

Impact:
 Adopting the Cluster Access Manager API improves security and operational efficiency by managing IAM-to-RBAC mappings through the AWS API, removing the risk of manual ConfigMap edits, and simplifying compliance and auditing. Two caveats apply: the change of authentication mode on an existing cluster is one-way (CONFIG_MAP to API_AND_CONFIG_MAP to API, with no way back), and once the cluster is in API mode the aws-auth ConfigMap is ignored, so any IAM principal that has not been given an access entry loses cluster access. Create access entries for every required principal, including the one used to administer the cluster, before moving to API mode.

Default Value:
 The authentication mode is chosen when the cluster is created; the AWS Management Console defaults to EKS API and ConfigMap (API_AND_CONFIG_MAP). Clusters created before access entries were available, or created explicitly with CONFIG_MAP, rely solely on the aws-auth ConfigMap and must be migrated to the Cluster Access Manager API.

Pre-requisites:

  • Access to the AWS Management Console or AWS CLI with permissions to view and modify Amazon EKS clusters (at minimum eks:DescribeCluster and eks:UpdateClusterConfig, plus eks:CreateAccessEntry and eks:AssociateAccessPolicy to create the access entries that the new mode requires).

  • The EKS cluster must be running Kubernetes 1.23 or later, on a platform version that supports access entries.

Remediation

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console, open Amazon EKS, select the cluster and go to the Access tab.

  2. Under Cluster authentication mode, read the configured value:

    • If it is EKS API (authenticationMode API) or EKS API and ConfigMap (authenticationMode API_AND_CONFIG_MAP), the Cluster Access Manager API is enabled.

    • If it is ConfigMap (authenticationMode CONFIG_MAP), the cluster still relies solely on the traditional aws-auth ConfigMap method.

Using AWS CLI:

  1. To check the current authentication mode of the cluster:

aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.accessConfig" --output json

  2. Ensure "authenticationMode" in the output is "API" or "API_AND_CONFIG_MAP". If it is "CONFIG_MAP", the cluster is non-compliant and should be migrated to the Cluster Access Manager API.

Implementation Plan

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon EKS.

  2. Select the desired EKS cluster and go to the Access tab.

  3. Under Cluster authentication mode, select EKS API and ConfigMap if the cluster is currently in ConfigMap mode, then create an access entry with an associated access policy for every IAM principal that needs cluster access (including the principal you administer the cluster with).

  4. Once all access entries exist, select EKS API so that access is managed solely via the Cluster Access Manager API. This step cannot be undone.

  5. Click Save changes to apply the configuration.

Using AWS CLI:

  1. Switching modes is one-way. If the cluster is currently in CONFIG_MAP mode, first move to API_AND_CONFIG_MAP so that both the aws-auth ConfigMap and access entries are honoured while access entries are created:

aws eks update-cluster-config --name $CLUSTER_NAME --access-config authenticationMode=API_AND_CONFIG_MAP

  2. Create an access entry (with an associated access policy) for every IAM principal that needs cluster access, including the principal you administer the cluster with, then switch to API only:

aws eks update-cluster-config --name $CLUSTER_NAME --access-config authenticationMode=API

  3. Confirm that the configuration has been updated by running:

aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.accessConfig" --output json

  4. Ensure the output shows "authenticationMode": "API".
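The following script is an added example for this recommendation, not part of the CIS benchmark or of AWS tooling. It ties the Test Plan check and the Implementation Plan together: it reads the cluster's authenticationMode, reports PASS/FAIL, walks the one-way migration CONFIG_MAP -> API_AND_CONFIG_MAP -> API one step at a time, and, before the final step removes the aws-auth path, makes sure the calling IAM principal has a cluster-admin access entry so the operator cannot lock themselves out. It assumes AWS CLI v2 with credentials in the environment and a cluster name in CLUSTER_NAME; the embedded SAMPLE_ACCESS_CONFIG JSON is constructed for illustration. The helper functions (parse_auth_mode, next_mode, principal_arn_from_caller) run offline; only migrate_cluster and check_cluster call AWS.

```shell
#!/usr/bin/env bash
# Added example: guarded one-way migration of an EKS cluster to the
# Cluster Access Manager API (access entries). Not part of the benchmark.
set -eu

# Constructed sample of `aws eks describe-cluster --query cluster.accessConfig`
# output, used only to exercise parse_auth_mode offline.
SAMPLE_ACCESS_CONFIG='{
    "bootstrapClusterCreatorAdminPermissions": true,
    "authenticationMode": "CONFIG_MAP"
}'

# Pull authenticationMode out of describe-cluster JSON on stdin (no jq needed).
parse_auth_mode() {
  sed -n 's/.*"authenticationMode"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p' | head -n1
}

# The only transitions EKS permits; returns "" when no further step exists.
next_mode() {
  case "$1" in
    CONFIG_MAP)         echo "API_AND_CONFIG_MAP" ;;
    API_AND_CONFIG_MAP) echo "API" ;;
    *)                  echo "" ;;
  esac
}

# Access entries are keyed on the IAM role ARN, not the STS session ARN that
# get-caller-identity returns for an assumed role; user ARNs pass through.
principal_arn_from_caller() {
  echo "$1" | sed -E 's#^arn:aws:sts::([0-9]{12}):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

current_mode() {
  aws eks describe-cluster --name "$1" --query "cluster.accessConfig" --output json | parse_auth_mode
}

# Test Plan check: succeed only if the access entry API is honoured.
check_cluster() {
  mode=$(current_mode "$1")
  case "$mode" in
    API|API_AND_CONFIG_MAP) echo "PASS $1 authenticationMode=$mode"; return 0 ;;
    *)                      echo "FAIL $1 authenticationMode=$mode"; return 1 ;;
  esac
}

# Guarantee the caller keeps cluster-admin once aws-auth stops being read.
ensure_admin_access_entry() {
  cluster=$1
  principal=$(principal_arn_from_caller "$(aws sts get-caller-identity --query Arn --output text)")
  if ! aws eks describe-access-entry --cluster-name "$cluster" --principal-arn "$principal" >/dev/null 2>&1; then
    aws eks create-access-entry --cluster-name "$cluster" --principal-arn "$principal"
    aws eks associate-access-policy --cluster-name "$cluster" --principal-arn "$principal" \
      --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
      --access-scope type=cluster
  fi
}

# Advance the cluster exactly one step along the one-way path and re-check.
migrate_cluster() {
  cluster=$1
  mode=$(current_mode "$cluster")
  target=$(next_mode "$mode")
  [ -n "$target" ] || { echo "$cluster already at $mode; nothing to do"; return 0; }
  [ "$target" = API ] && ensure_admin_access_entry "$cluster"
  aws eks update-cluster-config --name "$cluster" --access-config authenticationMode="$target"
  aws eks wait cluster-active --name "$cluster"
  check_cluster "$cluster"
}

# Usage: CLUSTER_NAME=my-cluster ./migrate.sh --run   (run twice to reach API)
if [ "${1:-}" = "--run" ]; then
  migrate_cluster "${CLUSTER_NAME:?set CLUSTER_NAME}"
fi
```

Run it once to go from CONFIG_MAP to API_AND_CONFIG_MAP, create access entries for every other principal listed in aws-auth, then run it again to reach API; the second run refuses to proceed until the caller's own access entry exists.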

Backout Plan

Using AWS Console:

  1. The change is one-way: the console does not allow switching from EKS API back to EKS API and ConfigMap or ConfigMap. If a principal loses access after the change, restore it by creating an access entry for that principal and associating an access policy (for example AmazonEKSClusterAdminPolicy) from the Access tab, using an IAM principal that still holds eks:CreateAccessEntry permission.

  2. If the cluster is still in EKS API and ConfigMap mode, mappings in the aws-auth ConfigMap continue to be honoured, so leave the cluster in that mode until every required access entry exists.

Using AWS CLI:

  1. There is no CLI operation that reverts an API or API_AND_CONFIG_MAP cluster to CONFIG_MAP. Confirm the current mode with:

aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.accessConfig" --output json

  2. Restore access for any locked-out principal by creating the missing access entry and associating the appropriate access policy (aws eks create-access-entry and aws eks associate-access-policy), rather than by attempting to change the authentication mode.

References:

  1. Amazon EKS Access Management Overview

  2. Amazon EKS Access Control Documentation

  3. CIS EKS Benchmark v1.6.0