We are moving toward a Zero-Trust architecture and need to tighten up our EKS security. We currently use standard IAM roles for service accounts (IRSA), but we want to move toward the new AWS Security Agent for proactive threat detection. How do people handle cross-account networking while ensuring that no traffic is trusted by default, even within the same VPC?
3 answers
Zero-Trust in EKS is now much easier thanks to AWS VPC Lattice. It allows you to define service-to-service communication policies without worrying about complex networking or IP addresses. You should start by enabling the new AWS Security Agent, which integrates with GuardDuty to provide real-time runtime monitoring. For the identity layer, continue using EKS Pod Identities as it's more scalable than IRSA for multi-account setups. The key is to externalize your authorization logic—use something like Verified Permissions to manage who can call which API, ensuring every single request is authenticated and authorized.
Are you planning to use a Service Mesh like Istio for the mTLS encryption, or are you relying on the AWS native tools to handle the encryption in transit between your microservices?
The new AWS Security Agent is great because it does design-time reviews. It can actually flag a security hole in your Helm charts before you even deploy them to the cluster.
I love that feature! It's basically a "security-as-code" mentor that sits right in your CI/CD pipeline and keeps the devs from making rookie IAM mistakes.
We actually want to move away from Istio because of the operational overhead. We’re hoping that VPC Lattice and the native AWS security integrations can handle the mTLS and policy enforcement for us. We need a "lighter" way to enforce security that doesn't require us to manage a complex control plane across ten different production clusters.