5 changes: 5 additions & 0 deletions Service-specific-controls/README.md
Expand Up @@ -41,6 +41,11 @@
|[Deny deletion and only allow specific roles](Cognito-Deny-deletion-and-only-allow-specific-roles.json) |Prevent accidental or intentional deletion of Cognito user pools or domains, except by specific privileged roles. Replace `[PRIVILEGED_ROLE]` with the actual role name authorized to perform deletions.|


**AWS STS**

| Included Policy | Rationale |
|-------------|-------------|
|[Protect EKS Pod Identity Session Tags](STS-ProtectEKSPodIdentitiesTags.json) | Protect the session tags set by EKS pod identities. This RCP helps ensure that only AWS service principals can assume IAM role sessions with the EKS pod identity specific session tags, while allowing the role-sessions assumed by EKS pod identities to continue to set them as transitive session tags. This pairs well with a service control policy that restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags on IAM roles and users with the expected keys and valued by EKS pod identities. The logic is that "Only an AWS service Principal can makea request for a role-session with any of those tags, or a session/role/user that already has one of those tags set".|



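Review bot: the new AWS STS table row (line 32 of the hunk) has several wording and spelling problems that should be fixed before merge: "makea" should be "make a", "the expected keys and valued by EKS pod identities" should read "the keys and values used by EKS pod identities", and "restricts the ability for someone to use the iam:TagRole and iam:TagUser permission from creating tags" is garbled; suggest "restricts the use of iam:TagRole and iam:TagUser to create tags on IAM roles and users with the keys EKS pod identity sets". The rationale would also be more useful if it named the six tag keys the policy file actually protects (eks-cluster-arn, eks-cluster-name, kubernetes-namespace, kubernetes-service-account, kubernetes-pod-name, kubernetes-pod-uid) and stated that the control is on sts:TagSession, so readers know which keys their companion SCP has to cover.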
37 changes: 37 additions & 0 deletions Service-specific-controls/STS-ProtectEKSPodIdentitiesTags.json
@@ -0,0 +1,37 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceOnlyAWSServicePrincipalsAndRolesAssumedByEKSCanSetEKSSessiontTags",
"Effect": "Deny",
"Principal": "*",
"Action": [
"sts:TagSession"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"eks-cluster-arn",
"eks-cluster-name",
"kubernetes-namespace",
"kubernetes-service-account",
"kubernetes-pod-name",
"kubernetes-pod-uid"
]
},
"BoolIfExists": {
"aws:PrincipalIsAwsService": "false"
},
"Null": {
"aws:PrincipalTag/eks-cluster-arn": "true",
"aws:PrincipalTag/eks-cluster-name": "true",
"aws:PrincipalTag/kubernetes-namespace": "true",
"aws:PrincipalTag/kubernetes-service-account": "true",
"aws:PrincipalTag/kubernetes-pod-name": "true",
"aws:PrincipalTag/kubernetes-pod-uid": "true"
}
}
}
]
}
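Review bot: the six keys in the "Null" block are ANDed within that single condition operator, so this Deny only fires when the calling principal carries none of the six tags; a role that has just one of them (for example only kubernetes-namespace) is free to set any of the other five on a new session. The README row describes exactly that "already has one of those tags set" escape hatch, so it looks intentional, but it means the paired SCP on iam:TagRole and iam:TagUser must lock down all six keys rather than only the ones teams typically condition on; please say so in the README. Two smaller points: the Sid "EnforceOnlyAWSServicePrincipalsAndRolesAssumedByEKSCanSetEKSSessiontTags" has a typo ("SessiontTags"), and the "BoolIfExists" on aws:PrincipalIsAwsService is the fail-closed choice (if the key is absent the condition matches and the Deny applies), which is good but worth a one-line note so a future edit does not "simplify" it to a plain "Bool" and change the behavior.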