EKS Security Best Practices Quiz
Test your understanding of Amazon EKS security best practices with the following questions.
Questions
1. What authentication method does a Pod use when calling AWS APIs with IRSA (IAM Roles for Service Accounts)?
- A) IAM User Access Key
- B) EC2 Instance Profile
- C) OIDC token-based AssumeRoleWithWebIdentity
- D) Credentials stored in Kubernetes Secret
Show Answer
Answer: C) OIDC token-based AssumeRoleWithWebIdentity
Explanation: How IRSA works:
- EKS cluster's OIDC Provider issues ServiceAccount token
- Pod calls AWS STS
AssumeRoleWithWebIdentityAPI - OIDC token is validated and temporary credentials are issued
- Pod calls AWS APIs with temporary credentials
apiVersion: v1
kind: ServiceAccount
metadata:
name: s3-reader
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/S3ReaderRoleIRSA enables fine-grained permission management at Pod level rather than node level.
2. What is the main advantage of EKS Pod Identity compared to IRSA?
- A) Stronger encryption
- B) Faster performance
- C) No OIDC Provider setup required, simplified management
- D) Support for more AWS services
Show Answer
Answer: C) No OIDC Provider setup required, simplified management
Explanation: Benefits of EKS Pod Identity:
- No OIDC Provider setup required
- Simplified IAM Role Trust Policy
- Automatic credential management through Pod Identity Agent
- Simplified cross-account access
# Pod Identity association (simple CLI setup)
aws eks create-pod-identity-association \
--cluster-name my-cluster \
--namespace production \
--service-account myapp-sa \
--role-arn arn:aws:iam::123456789012:role/MyAppRoleIRSA requires OIDC Provider setup and complex Trust Policy for each cluster.
3. Which is NOT a requirement for using Security Groups for Pods?
- A) Nitro-based instance types
- B) Amazon VPC CNI plugin
- C) Fargate profile
- D) ENIConfig or SecurityGroupPolicy CRD
Show Answer
Answer: C) Fargate profile
Explanation: Security Groups for Pods requirements:
- Required: Nitro-based EC2 instances (m5, c5, r5, etc.)
- Required: Amazon VPC CNI plugin v1.7.7+
- Required: SecurityGroupPolicy CRD configuration
- Optional: Fargate (separate configuration method)
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
name: db-access-policy
spec:
podSelector:
matchLabels:
app: backend
securityGroups:
groupIds:
- sg-0123456789abcdef0Fargate assigns ENI to each Pod automatically, requiring separate configuration.
4. What is the impact of setting the EKS cluster's Kubernetes API server endpoint to private only?
- A) Cannot use kubectl at all
- B) Accessible only from within VPC or connected networks
- C) Cannot manage cluster from AWS Console
- D) Worker nodes cannot connect to API server
Show Answer
Answer: B) Accessible only from within VPC or connected networks
Explanation: When private endpoint is configured:
- Accessible from within VPC
- Accessible from networks connected via VPN, Direct Connect, VPC Peering
- Not accessible from public internet
# Endpoint configuration
aws eks update-cluster-config \
--name my-cluster \
--resources-vpc-config \
endpointPublicAccess=false,endpointPrivateAccess=trueUsing private endpoint only is recommended for security.
5. Which threat type is NOT detected by AWS GuardDuty EKS Protection?
- A) Communication with malicious IPs
- B) Cryptocurrency mining activity
- C) Pod resource usage exceeding limits
- D) Tor network connections
Show Answer
Answer: C) Pod resource usage exceeding limits
Explanation: Threats detected by GuardDuty EKS Protection:
- Communication with malicious IP addresses
- Cryptocurrency mining (Kubernetes API abuse)
- Tor network connections
- DNS Rebinding attacks
- Privilege escalation attempts
- Abnormal API call patterns
Resource usage monitoring is performed by:
- Kubernetes Metrics Server
- Prometheus/Grafana
- CloudWatch Container Insights
6. Which AWS service does NOT require VPC endpoints in an EKS cluster?
- A) ECR (dkr, api)
- B) S3
- C) STS
- D) Route 53
Show Answer
Answer: D) Route 53
Explanation: Recommended VPC endpoints for EKS:
- ECR (dkr, api): Container image pulls
- S3: Image layer storage
- STS: IRSA/Pod Identity authentication
- CloudWatch Logs: Log transmission
- EC2, ELB, Auto Scaling: Node management
Route 53 is a global DNS service that uses standard DNS resolution, not VPC endpoints.
# Create required VPC endpoint
aws ec2 create-vpc-endpoint \
--vpc-id vpc-xxx \
--service-name com.amazonaws.region.ecr.dkr \
--vpc-endpoint-type Interface7. What benchmark is used when checking EKS cluster security with kube-bench?
- A) PCI-DSS
- B) CIS Kubernetes Benchmark
- C) NIST Cybersecurity Framework
- D) SOC 2
Show Answer
Answer: B) CIS Kubernetes Benchmark
Explanation: kube-bench checks cluster security against the CIS (Center for Internet Security) Kubernetes Benchmark:
# Run kube-bench on EKS node
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-eks.yaml
# Check results
kubectl logs job/kube-benchInspection items:
- Control Plane configuration (some N/A as EKS managed)
- Worker Node configuration
- Policies and Pod security
- Network policies
- Logging and auditing
8. What security benefit does Service Account Token Volume Projection provide in EKS?
- A) Reduced token size
- B) Bound tokens and expiration time settings
- C) Token encryption
- D) Automatic token backup
Show Answer
Answer: B) Bound tokens and expiration time settings
Explanation: Security benefits of Service Account Token Volume Projection:
- Bound tokens: Valid only for specific Pod
- Expiration time: Automatic token expiration (default 1 hour)
- Audience specification: Valid only for specific audience
spec:
containers:
- name: app
volumeMounts:
- name: token
mountPath: /var/run/secrets/tokens
volumes:
- name: token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 3600
audience: sts.amazonaws.comLegacy tokens never expired, posing risks if leaked.
9. What does Amazon Inspector scan in an EKS environment?
- A) Kubernetes manifests
- B) Container image vulnerabilities
- C) IAM policies
- D) Network traffic
Show Answer
Answer: B) Container image vulnerabilities
Explanation: Amazon Inspector's EKS integration:
- Scan container images stored in ECR
- Scan images of running workloads
- Detect OS package vulnerabilities
- Detect application package vulnerabilities (npm, pip, etc.)
# Enable Inspector
aws inspector2 enable \
--resource-types ECR
# Check scan results
aws inspector2 list-findings \
--filter-criteria resourceType=AWS_ECR_CONTAINER_IMAGEContinuous scanning provides alerts when new CVEs are discovered.
10. Which log type CANNOT be enabled when sending EKS cluster Control Plane logs to CloudWatch?
- A) api
- B) audit
- C) controllerManager
- D) kubelet
Show Answer
Answer: D) kubelet
Explanation: EKS Control Plane log types:
- api: API server logs
- audit: Audit logs (who did what)
- authenticator: IAM authentication logs
- controllerManager: Controller manager logs
- scheduler: Scheduler logs
kubelet logs are generated on worker nodes and are not Control Plane logs.
# Enable Control Plane logging
aws eks update-cluster-config \
--name my-cluster \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'11. Why should Node IAM Role and Pod IAM Role (IRSA) be separated in EKS?
- A) Cost savings
- B) Applying least privilege principle
- C) Performance improvement
- D) Reduced network latency
Show Answer
Answer: B) Applying least privilege principle
Explanation: Importance of permission separation:
Node IAM Role (broad scope):
- Accessible by all Pods (Instance Metadata)
- Only basic permissions like ECR pull, CloudWatch logs
IRSA (narrow scope):
- Connected to specific ServiceAccount only
- Grant only permissions needed per application
# Wrong example: S3 full access on Node Role
# -> All Pods can access S3
# Correct example: Grant permissions only to specific Pod via IRSA
apiVersion: v1
kind: ServiceAccount
metadata:
name: s3-processor
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::xxx:role/S3ProcessorRole12. Which component is responsible for integrating Kubernetes RBAC with AWS IAM in EKS?
- A) kube-apiserver
- B) aws-auth ConfigMap
- C) aws-iam-authenticator
- D) kube-proxy
Show Answer
Answer: C) aws-iam-authenticator
Explanation: EKS authentication flow:
- kubectl obtains token from AWS STS
- aws-iam-authenticator validates IAM credentials
- aws-auth ConfigMap maps IAM -> Kubernetes user/group
- Kubernetes RBAC determines permissions
# aws-auth ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: arn:aws:iam::123456789012:role/DevTeamRole
username: dev-user
groups:
- dev-team
mapUsers: |
- userarn: arn:aws:iam::123456789012:user/admin
username: admin
groups:
- system:mastersScore Calculation
Calculate 1 point per question.
| Score | Rating |
|---|---|
| 11-12 | Excellent - EKS security expert level |
| 8-10 | Good - Basic concepts understood, review advanced features |
| 5-7 | Average - Additional study recommended |
| 0-4 | Basic learning needed |