Essential Policies for Administering an AWS EKS Cluster

So, what policies does my role need to create an AWS EKS cluster and be the admin?

  1. AmazonEKSClusterPolicy: This policy grants permissions to create and manage EKS clusters. It includes actions like eks:CreateCluster, eks:DescribeCluster, eks:UpdateClusterConfig, eks:DeleteCluster, etc.

  2. AmazonEKSServicePolicy: This policy allows the necessary permissions for the EKS service to manage resources on your behalf. It includes actions like eks:DescribeUpdates, eks:ListClusters, eks:ListUpdates, etc.

  3. AmazonEKSServiceRolePolicy: This policy is attached to the IAM role assumed by the EKS service. It allows the service to perform necessary operations within your AWS account. This policy is typically managed by AWS and attached to the service role.

  4. AmazonEKSVPCResourceController: This policy is required if you plan to use the Amazon EKS VPC resource controller. It includes permissions such as eks:AssociateEncryptionConfig, eks:ListClusters, eks:DescribeCluster, etc.

  5. AmazonEKSClusterPolicyForIAMUser: If you are managing EKS as an IAM user rather than through the root account, you’ll need this policy attached to your IAM user. It includes permissions similar to AmazonEKSClusterPolicy, allowing management of EKS clusters.

  6. IAM Policies for EC2 Instances: If your EKS cluster nodes run on EC2 instances, you’ll need IAM policies to manage those instances. These policies include permissions for actions such as ec2:DescribeInstances, ec2:CreateTags, ec2:DescribeTags, etc.

  7. IAM Policies for EKS Worker Nodes: Additionally, if you’re using worker nodes in your EKS cluster, you’ll need IAM policies to allow them to interact with EKS. This might include permissions for actions like eks:DescribeCluster, eks:ListNodegroups, etc.

  8. Permissions for Logging and Monitoring: Depending on your requirements, you might need policies to enable logging and monitoring services such as CloudWatch Logs and CloudWatch Container Insights. These policies include permissions for actions like logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, etc.

When creating these policies, make sure to follow the principle of least privilege, granting only the permissions necessary for the specific tasks each component needs to perform. You can attach these policies to IAM roles or IAM users, depending on your specific use case and organizational structure.