Cyber Security

What is the best way to implement Zero-Trust for Amazon EKS clusters in a multi-account setup?

LI Asked by Linda White · 14-02-2025
0 upvotes 11,112 views 0 comments
The question

We are moving toward a Zero-Trust architecture and need to tighten up our EKS security. We currently use standard IAM roles for service accounts (IRSA), but we want to move toward the new AWS Security Agent for proactive threat detection. How do people handle cross-account networking while ensuring that no traffic is trusted by default, even within the same VPC?

3 answers

0
SU
Answered on 18-02-2025

Zero-Trust in EKS is now much easier thanks to AWS VPC Lattice. It allows you to define service-to-service communication policies without worrying about complex networking or IP addresses. You should start by enabling the new AWS Security Agent, which integrates with GuardDuty to provide real-time runtime monitoring. For the identity layer, continue using EKS Pod Identities as it's more scalable than IRSA for multi-account setups. The key is to externalize your authorization logic—use something like Verified Permissions to manage who can call which API, ensuring every single request is authenticated and authorized.

0
CH
Answered on 21-02-2025

Are you planning to use a Service Mesh like Istio for the mTLS encryption, or are you relying on the AWS native tools to handle the encryption in transit between your microservices?

ST 24-02-2025

We actually want to move away from Istio because of the operational overhead. We’re hoping that VPC Lattice and the native AWS security integrations can handle the mTLS and policy enforcement for us. We need a "lighter" way to enforce security that doesn't require us to manage a complex control plane across ten different production clusters.

0
MA
Answered on 27-02-2025

The new AWS Security Agent is great because it does design-time reviews. It can actually flag a security hole in your Helm charts before you even deploy them to the cluster.

SU 01-03-2025

I love that feature! It's basically a "security-as-code" mentor that sits right in your CI/CD pipeline and keeps the devs from making rookie IAM mistakes.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session