Amazon EKS Connector considerations - Amazon EKS

Amazon EKS Connector considerations

Important

This capability is not available in China Amazon Web Services Regions.

The Amazon EKS Connector is an open source component that runs on your Kubernetes cluster, and that cluster can be located outside of the Amazon environment. Because Amazon neither hosts nor controls the cluster, the shared responsibility model has additional considerations compared with a cluster that Amazon EKS manages. The following diagram illustrates this configuration: orange represents Amazon responsibilities, and blue represents customer responsibilities.

[Figure: EKS Connector Responsibilities]

This topic describes how the responsibility model differs when the connected cluster is outside of Amazon.

Amazon responsibilities

  • Building, maintaining, and delivering the Amazon EKS Connector, the open source component that runs on the customer's Kubernetes cluster and communicates with Amazon.

  • Maintaining transport-layer and application-layer security for the communication between the connected Kubernetes cluster and Amazon services.

Customer responsibilities

  • Security of the Kubernetes cluster itself, in particular:

    • Kubernetes Secrets must be encrypted at rest and access to them restricted, because the cluster, not Amazon, holds them.

    • Access to the eks-connector namespace, where the connector agent runs, must be locked down so that only the principals that operate the connector can read or modify resources in it.

  • Configuring role-based access control (RBAC) permissions on the cluster to control what IAM principals coming from Amazon can do. The connector does not grant any Kubernetes permissions on its own; an IAM principal can view or change cluster resources only to the extent that RBAC on the connected cluster allows. For instructions, see Granting access to an IAM principal to view Kubernetes resources on a cluster.

  • Installing and upgrading the Amazon EKS Connector on the cluster, including applying new releases in a timely manner.

  • Maintaining the hardware, software, and infrastructure that support the connected Kubernetes cluster.

  • Securing your Amazon accounts (for example, by safeguarding your root user credentials).
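The two cluster-side items above (protecting Kubernetes Secrets and locking down the eks-connector namespace) are easy to state and easy to get wrong, because a ClusterRoleBinding reaches every namespace while a RoleBinding reaches only its own, even when it references a ClusterRole. The following audit script is an added example and is not part of the Amazon EKS Connector project or of this page. It reads the JSON list that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` produces and reports every subject that can read Secrets in the eks-connector namespace. The role, binding, and subject names in the embedded sample are constructed for the example; the `allowed` set of expected operators is an assumption you would replace with your own.

```python
"""Audit RBAC for subjects able to read Secrets in the eks-connector namespace.

Added example; not part of the EKS Connector project. Input is the JSON List
that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`
returns. The sample below is constructed for this example.
"""
import json

NAMESPACE = "eks-connector"
# A rule grants Secret read access if it names "secrets" (or "*") and a verb
# that reveals content (or "*"). Aggregated ClusterRoles are not expanded here.
SENSITIVE_RESOURCES = {"secrets", "*"}
READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample, shaped like `kubectl ... -o json` output.
SAMPLE_RBAC_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": NAMESPACE},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
        # Cluster-wide admin: reaches eks-connector Secrets.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        # Cluster-wide but pods only: not a finding.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers-pods"},
         "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "Group", "name": "viewers"}]},
        # Secret reader bound inside eks-connector: a finding.
        {"kind": "RoleBinding", "metadata": {"name": "dev-secrets", "namespace": NAMESPACE},
         "roleRef": {"kind": "Role", "name": "secret-reader"},
         "subjects": [{"kind": "Group", "name": "developers"}]},
        # cluster-admin via a RoleBinding in "default": confined to "default", not a finding.
        {"kind": "RoleBinding", "metadata": {"name": "default-admin", "namespace": "default"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "alice"}]},
    ],
})


def rules_allow_secret_read(rules):
    """True if any rule lets the holder read Secret contents."""
    for rule in rules:
        if set(rule.get("resources", [])) & SENSITIVE_RESOURCES and \
                set(rule.get("verbs", [])) & READ_VERBS:
            return True
    return False


def find_secret_readers(rbac_json, namespace=NAMESPACE, allowed=frozenset()):
    """Return sorted (subject kind, subject name, binding kind, binding name, scope)
    tuples for subjects that can read Secrets in `namespace`, excluding `allowed`
    (a set of (kind, name) pairs you have deliberately granted access)."""
    items = json.loads(rbac_json)["items"]
    cluster_roles = {i["metadata"]["name"]: i.get("rules", [])
                     for i in items if i["kind"] == "ClusterRole"}
    roles = {(i["metadata"]["namespace"], i["metadata"]["name"]): i.get("rules", [])
             for i in items if i["kind"] == "Role"}
    findings = []
    for b in items:
        ref = b.get("roleRef", {})
        if b["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"            # applies to every namespace, ours included
            rules = cluster_roles.get(ref.get("name"), [])
        elif b["kind"] == "RoleBinding":
            ns = b["metadata"]["namespace"]
            if ns != namespace:
                continue                      # cannot reach our namespace, even via a ClusterRole
            scope = ns
            rules = (cluster_roles.get(ref.get("name"), []) if ref.get("kind") == "ClusterRole"
                     else roles.get((ns, ref.get("name")), []))
        else:
            continue
        if not rules_allow_secret_read(rules):
            continue
        for s in b.get("subjects", []):
            if (s["kind"], s["name"]) in allowed:
                continue
            findings.append((s["kind"], s["name"], b["kind"], b["metadata"]["name"], scope))
    return sorted(findings)


if __name__ == "__main__":
    for f in find_secret_readers(SAMPLE_RBAC_JSON):
        print("%s %s can read Secrets in %s via %s %s (%s)" % (f[0], f[1], NAMESPACE, f[2], f[3], f[4]))
```

Against a live cluster, pipe the `kubectl get ... -o json` output into `find_secret_readers` and treat any subject outside your `allowed` set as a gap to close. The script deliberately flags wildcard rules and cluster-wide bindings, since those are what most often leak access to the connector's namespace; it does not expand aggregated ClusterRoles or check admission policy, so it complements rather than replaces `kubectl auth can-i`.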