Amazon EKS Security

Secure Your Amazon EKS Clusters

Comprehensive EKS security with 83+ CIS Benchmark checks. Native AWS integration with IRSA, KMS, VPC, and CloudWatch. Secure managed and Fargate workloads.

EKS Cluster Overview
  • EKS Clusters: 12
  • Node Groups: 34
  • Fargate Profiles: 8
  • Checks: 83+
  • Critical: 3 (IRSA over-permissions)
  • High: 7 (Pod security issues)

Built for Amazon EKS

Deep integration with EKS-specific features and AWS services

IRSA
IAM Role Auditing

Service account permissions

KMS
Secrets Encryption

Envelope encryption checks

VPC
Network Security

Security groups & CNI

Add-ons
Managed Add-ons

Version & config checks

Complete EKS Security Posture Management

From IAM integration to pod security, secure every aspect of your EKS clusters

EKS Security Dashboard
  • EKS Security Score: 91 (83 checks passed)
  • Control Plane
  • IRSA Policies: 2 issues
  • Node Groups
  • Fargate Profiles
  • Add-ons
AWS Native

Deep EKS Integration with AWS Security

Native integration with AWS services including IAM roles for service accounts (IRSA), AWS Secrets Manager, KMS encryption, VPC networking, and CloudWatch logging.

  • IAM Roles for Service Accounts
    Audit IRSA configurations, detect overly permissive IAM policies
  • KMS Encryption
    Verify secrets encryption with AWS KMS and envelope encryption
  • VPC Security
    Validate security groups, network policies, and private endpoint access
Pod Security Findings
  • Critical: 2 (Privileged containers detected)
  • High: 5 (Host namespace access)
  • Medium: 12 (Missing security context)
  • Default PSS Level: Restricted
Pod Security

EKS Pod Security Standards Enforcement

Enforce Kubernetes Pod Security Standards with EKS-native admission controllers. Detect privileged pods, host namespace usage, and capability escalation.

  • Pod Security Admission
    Configure PSA modes (enforce, audit, warn) per namespace
  • Fargate Pod Security
    Validate security contexts for serverless Fargate workloads
  • Container Hardening
    Check runAsNonRoot, readOnlyRootFilesystem, and capabilities
RBAC & IAM Analysis
  • K8s Roles: 147
  • IAM Mappings: 23
  • ⚠ Wildcard IAM Role: arn:aws:iam::*:role/eks-admin mapped
  • ⚠ System:masters Group: 5 IAM roles with cluster-admin
RBAC & IAM

Unified RBAC and AWS IAM Analysis

Comprehensive analysis of Kubernetes RBAC combined with AWS IAM. Detect privilege escalation paths across both identity systems.

  • aws-auth ConfigMap
    Audit IAM to Kubernetes role mappings and detect misconfigurations
  • IRSA Analysis
    Find service accounts with overly permissive AWS IAM policies
  • Cross-Account Access
    Detect EKS clusters accessible from other AWS accounts
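As an added example (not TigerGate's own code), the following Python audit walks the mapRoles entries of an aws-auth ConfigMap and flags the three conditions listed above: a wildcard in a mapped role ARN, a mapping into system:masters, and a role that belongs to an account other than the cluster's. The entries and account IDs are constructed for illustration; in practice the list would come from parsing the ConfigMap's `data.mapRoles` YAML string.

```python
import re
from dataclasses import dataclass

# Constructed sample: mapRoles entries of the kube-system aws-auth ConfigMap after
# YAML parsing. Role names and account IDs are made up for this example.
CLUSTER_ACCOUNT = "111122223333"
SAMPLE_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::111122223333:role/eks-node-group",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::*:role/eks-admin",
     "username": "eks-admin", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::999988887777:role/partner-readonly",
     "username": "partner", "groups": ["view-only"]},
    {"rolearn": "arn:aws:iam::111122223333:role/platform-ops",
     "username": "platform-ops", "groups": ["system:masters"]},
]
# Exact IAM role ARN: 12-digit account ID, role name may carry a path.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


@dataclass(frozen=True)
class Finding:
    severity: str
    rolearn: str
    message: str


def audit_map_roles(entries, cluster_account):
    """Flag wildcard ARNs, system:masters grants and foreign-account roles."""
    findings = []
    for entry in entries:
        arn = entry.get("rolearn", "")
        groups = entry.get("groups") or []
        if "*" in arn:
            findings.append(Finding("critical", arn, "wildcard in mapped role ARN"))
        else:
            match = ROLE_ARN_RE.match(arn)
            if match is None:
                findings.append(Finding("high", arn, "malformed role ARN"))
            elif match.group(1) != cluster_account:
                findings.append(Finding("medium", arn,
                                        f"role from foreign account {match.group(1)}"))
        if "system:masters" in groups:
            # system:masters is cluster-admin; RBAC cannot narrow it.
            findings.append(Finding("high", arn, "mapped to system:masters"))
    return findings


def count_cluster_admin_roles(entries):
    """Number of mapped roles that land in system:masters."""
    return sum(1 for e in entries if "system:masters" in (e.get("groups") or []))
```

Running the audit over the constructed sample yields one critical, two high and one medium finding; the node-group mapping, which uses the standard system:nodes groups, produces none.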

EKS Security Checks

Comprehensive security coverage for EKS clusters

  • Control Plane (15+ checks): API server logging, authentication, encryption, endpoint access
  • Node Groups (12+ checks): Managed and self-managed node security, AMI compliance
  • Pod Security (18+ checks): PSS enforcement, security contexts, container hardening
  • IAM & RBAC (15+ checks): IRSA, aws-auth, role mappings, privilege escalation
  • Networking (12+ checks): VPC CNI, network policies, security groups, ingress
  • Add-ons & Logging (11+ checks): CoreDNS, kube-proxy, VPC CNI, CloudWatch logging

Frequently Asked Questions

Everything you need to know about EKS security with TigerGate

TigerGate uses AWS IAM roles with read-only permissions to access your EKS clusters. You can use IRSA (IAM Roles for Service Accounts) to grant TigerGate access, or provide a kubeconfig with a ServiceAccount token. No cluster-admin access is required.

Yes! TigerGate fully supports EKS Fargate profiles. We validate Fargate-specific security controls including pod security contexts (since Fargate enforces baseline PSS), network policies with VPC CNI, and Fargate profile IAM roles.

TigerGate runs EKS-specific checks including: control plane logging to CloudWatch, secrets encryption with KMS, private endpoint access, IRSA configurations, aws-auth ConfigMap validation, managed node group security, EKS add-on versions, and VPC/security group configurations.

Yes! TigerGate supports multi-cluster and multi-account scanning. Use AWS Organizations with cross-account IAM roles to scan all EKS clusters across your AWS organization from a single TigerGate dashboard.

Yes! TigerGate can send EKS security findings to AWS Security Hub in ASFF format. This allows you to centralize Kubernetes findings alongside other AWS security findings and use Security Hub's automated response workflows.

Ready to Secure Your EKS Clusters?

Start with a free EKS security scan. See your misconfigurations and compliance gaps in minutes.