Moving on, let’s look at the other controls for EKS SOC 2 Type 2.
For container security best practices, see our guide on Container Image Security with Wazuh and Trivy.
CC3: Risk Assessment
EKS-Specific Risk Assessment
Identify, evaluate, and document security, operational, and compliance risks specific to Amazon EKS clusters and workloads to ensure that appropriate controls are implemented, monitored, and improved in alignment with SOC 2 Trust Services Criteria.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, Application Owners, DevOps/SRE Team
- Conduct regular security assessments using kube-bench v0.11.1

```shell
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-eks.yaml
kubectl logs job/kube-bench-eks
```

- Implement vulnerability scanning with Amazon ECR scanning
- Deploy Trivy operator for comprehensive vulnerability assessment

```shell
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm install trivy-operator aqua/trivy-operator -n trivy-system --create-namespace
```

- Configure AWS Config for continuous compliance monitoring
Container Image Security
Ensure that all container images deployed to Amazon EKS clusters are sourced, built, scanned, and maintained in accordance with organizational security policies to reduce the risk of vulnerabilities, supply chain attacks, and compliance violations, in alignment with SOC 2 Trust Services Criteria.
Responsible Parties:
Primary: Security Team
Supporting: Development Teams, DevOps/SRE Teams, EKS Cluster Owners
- Enable ECR vulnerability scanning on all repositories
- Implement image signing with AWS Signer or Notary v2
- Configure admission controllers to block vulnerable images
- Establish base image hardening standards
CC4: Monitoring Activities
Comprehensive Monitoring Implementation
Implement a comprehensive monitoring framework for Amazon EKS clusters, Kubernetes workloads, and containerized applications to ensure security, availability, and compliance in alignment with SOC 2 Trust Services Criteria.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, DevOps/SRE Teams, Application Owners
- Enable all EKS control plane logs in CloudWatch
```shell
aws eks update-cluster-config --name $CLUSTER_NAME \
  --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
```

- Deploy AWS CloudTrail for comprehensive API monitoring
- Configure VPC Flow Logs for network traffic analysis
- Implement Container Insights for cluster monitoring
- Deploy Falco for runtime security monitoring
```shell
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --set falco.grpc.enabled=true
```
Security Event Correlation
Enable correlation of security events across Amazon EKS clusters, Kubernetes workloads, container runtimes, and supporting AWS infrastructure to detect complex attack patterns, reduce false positives, and improve incident detection in alignment with SOC 2 Trust Services Criteria.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, DevOps/SRE Teams, Application Security Engineers
- Configure Amazon GuardDuty for EKS threat detection
- Implement AWS Security Hub for centralized security findings
- Deploy custom CloudWatch metrics for security events
- Create security dashboards in CloudWatch, Grafana, Wazuh
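The control plane audit log enabled above is the raw material for the custom security metrics and correlation described in this control. The following is an added example (not code from the original post) that parses EKS kube-apiserver audit events and applies three simple detection rules: exec/attach into pods, cluster-wide secrets enumeration, and RBAC changes. The audit entries are constructed for the example; usernames, namespaces and timestamps are made up.

```python
import json
from collections import Counter

# Constructed sample entries in the shape of EKS kube-apiserver audit events
# (the "audit" log type); every value here is made up for this example.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7d9f"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2025-01-10T09:12:01Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"ci-runner"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-01-10T09:12:05Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"bob@example.com"},"objectRef":{"resource":"clusterrolebindings","name":"debug-admin"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2025-01-10T09:13:40Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"endpoints","namespace":"kube-system","name":"kube-dns"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-01-10T09:13:41Z"}
{"kind":"Event","stage":"ResponseStarted","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7d9f"},"requestReceivedTimestamp":"2025-01-10T09:12:01Z"}
"""

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete"}


def classify(event):
    """Return the name of the first matching detection rule, or None."""
    ref = event.get("objectRef", {})
    verb = event.get("verb")
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
        return "PodExec"
    # Cluster-scoped secret listing has no namespace in objectRef
    if ref.get("resource") == "secrets" and verb in ("list", "watch") and "namespace" not in ref:
        return "ClusterWideSecretsEnumeration"
    if ref.get("resource") in RBAC_RESOURCES and verb in WRITE_VERBS:
        return "RBACChange"
    return None


def analyze(log_text):
    """Parse newline-delimited audit events; return one finding per matching event."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        # Long-running requests such as exec emit ResponseStarted and then
        # ResponseComplete; count each request once by keeping only the latter.
        if event.get("stage") != "ResponseComplete":
            continue
        rule = classify(event)
        if rule is None:
            continue
        ref = event["objectRef"]
        target = "/".join(p for p in (ref.get("namespace"), ref.get("resource"), ref.get("name")) if p)
        findings.append({"rule": rule, "user": event["user"]["username"],
                         "target": target, "time": event["requestReceivedTimestamp"]})
    return findings


def metric_counts(findings):
    """Per-rule counts, suitable for publishing as custom CloudWatch metrics."""
    return dict(Counter(f["rule"] for f in findings))
```

In production the same rules would run over the CloudWatch log group for the cluster (for example as a Lambda subscription filter), with the per-rule counts feeding the dashboards named above.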
CC5: Control Activities
Access Management and Authentication
Ensure that access to Amazon EKS clusters, Kubernetes workloads, and related AWS resources is restricted to authorized individuals, enforced through strong authentication mechanisms, and regularly reviewed in alignment with SOC 2 Trust Services Criteria for Security and Confidentiality.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, DevOps/SRE Teams, Application Owners, HR (for onboarding/offboarding)
- Enable EKS Pod Identity
```shell
# Sets the cluster authentication mode (access entries plus aws-auth ConfigMap).
# EKS Pod Identity itself is enabled by installing the eks-pod-identity-agent add-on.
# The other required create-cluster arguments (--role-arn, --resources-vpc-config) are omitted here.
aws eks create-cluster --name $CLUSTER_NAME \
  --access-config authenticationMode=API_AND_CONFIG_MAP
```

- Configure IAM Roles for Service Accounts (IRSA) on existing clusters (or migrate them to EKS Pod Identity)

```shell
eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve
eksctl create iamserviceaccount --cluster $CLUSTER_NAME --namespace $NAMESPACE \
  --name $SERVICE_ACCOUNT --attach-policy-arn $POLICY_ARN --approve
```

- Implement least privilege RBAC policies
- Configure API server endpoint access (private or restricted public)
- Enable multi-factor authentication for human users
Kubernetes Security Hardening
Ensure that all Amazon EKS clusters are configured and maintained according to Kubernetes security hardening best practices to minimize security risks, maintain compliance, and meet SOC 2 Trust Services Criteria for Security and Availability.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, DevOps/SRE Teams
- Deploy Pod Security Standards replacing deprecated PSPs
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

- Implement OPA Gatekeeper for policy enforcement

```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/refs/tags/v3.20.0/deploy/gatekeeper.yaml
```

- Configure security contexts for all pods (non-root, read-only filesystem)
- Implement resource quotas and limits
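Before switching a namespace to `enforce: restricted`, it helps to know which workloads will be rejected. The following added example (not code from the original post) is a pre-flight check a CI job can run over a Pod manifest. It covers the security-context bullets in this control (non-root, no privilege escalation, dropped capabilities, seccomp, read-only root filesystem) and the image-policy bullets from the Container Image Security control above (approved registry only, pinned by digest). The sample Pod and the approved ECR registry are constructed for the example.

```python
# Constructed Pod manifest (not from the page); the first container deliberately
# violates most rules, the second passes them all.
APPROVED_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"  # assumption: the org's ECR registry
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "secure-namespace"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "api", "image": "nginx:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar",
             "image": APPROVED_REGISTRY + "/team/sidecar@sha256:" + "0" * 64,
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]},
                                 "seccompProfile": {"type": "RuntimeDefault"}}},
        ],
    },
}


def check_pod(pod, approved_registry=APPROVED_REGISTRY):
    """Return a list of 'scope: problem' strings; an empty list means the Pod passes."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    problems = [f"pod: {k} must not be set" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc, image = c["name"], c.get("securityContext", {}), c.get("image", "")
        # Image provenance: only the approved registry, and a digest rather than a mutable tag
        if image.split("/")[0] != approved_registry:
            problems.append(f"{name}: image not from approved registry ({image})")
        if "@sha256:" not in image:
            problems.append(f"{name}: image not pinned by digest ({image})")
        # Restricted Pod Security Standard fields; runAsNonRoot and seccomp may be set at pod level
        if sc.get("privileged"):
            problems.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            problems.append(f"{name}: runAsNonRoot must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"{name}: must drop ALL capabilities")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
        # Not part of the restricted profile, but required by this page's hardening bullet
        if not sc.get("readOnlyRootFilesystem"):
            problems.append(f"{name}: readOnlyRootFilesystem must be true")
    return problems
```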
CC6: Logical and Physical Access Controls
Network Security Configuration
Ensure that Amazon EKS cluster networking is securely configured and maintained to protect workloads from unauthorized access, minimize the attack surface, and comply with SOC 2 Trust Services Criteria for Security and Confidentiality.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, DevOps/SRE Teams, Network Engineering Team
- Deploy worker nodes in private subnets with NAT gateway for outbound access
- Configure security groups following least privilege principles
- Implement Kubernetes Network Policies using VPC CNI or Calico
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-default
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
```

- Enable security groups for pods using AWS CNI
- Configure Application Load Balancer with AWS WAF
Service Mesh Implementation (Optional, good to have)
Enhance security, observability, and control of service‑to‑service communication within Amazon EKS clusters through an optional service mesh, ensuring compliance with SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, DevOps/SRE Teams, Application Owners
- Deploy Istio or Linkerd for service-to-service encryption
- Implement mTLS between services
- Configure traffic policies and access controls
CC7: System Operations
Change Management
Ensure that all changes to Amazon EKS clusters, Kubernetes workloads, and supporting infrastructure are authorized, tested, documented, and implemented in a controlled manner to reduce the risk of security incidents, downtime, and non‑compliance, in alignment with SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, Security Team, Application Owners
- Implement GitOps workflows using Flux or ArgoCD
```shell
flux bootstrap github --owner=$GITHUB_USER --repository=$GITHUB_REPO \
  --branch=main --path=./clusters/production
```

- Configure Infrastructure as Code using Terraform or CDK
- Implement CI/CD pipelines with security scanning
- Establish rollback procedures and canary deployments
Configuration Management
Ensure that Amazon EKS clusters, Kubernetes workloads, and supporting AWS infrastructure are configured, maintained, and monitored according to approved baselines to prevent unauthorized changes, maintain security, and support SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.
Responsible Parties:
Primary: DevOps/SRE Team
Supporting: EKS Cluster Owners, Security Team, Compliance Team
- Deploy cluster-autoscaler or Karpenter (preferred) for dynamic scaling
- Configure HPA and VPA for workload optimization
- Implement secrets management using AWS Secrets Manager
```shell
# Installs the AWS provider for the Secrets Store CSI Driver; the driver itself must already be installed in the cluster
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
```
CC8: Change Management
Automated Deployment Pipeline
Ensure that application and infrastructure changes to Amazon EKS environments are deployed through a secure, automated pipeline that enforces security, compliance, and quality checks before changes reach production, in alignment with SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.
Responsible Parties:
Primary: DevOps/SRE Team
Supporting: Security Team, EKS Cluster Owners, Application Owners
- Implement automated testing in CI/CD pipelines
- Configure approval gates for production deployments
- Deploy canary releases with automated rollback
- Implement configuration drift detection using AWS Config
Version Management
Ensure that all Amazon EKS clusters, Kubernetes components, container runtimes, and supporting infrastructure run on supported and secure versions, and that upgrades are managed in a controlled manner to reduce security risks, maintain stability, and comply with SOC 2 Trust Services Criteria for Security and Availability.
Responsible Parties:
Primary: DevOps/SRE Team
Supporting: Security Team, EKS Cluster Owners, Application Owners
- Maintain EKS version currency (N-2 supported versions)
- Plan regular cluster upgrades following AWS recommendations
- Test add-on compatibility before upgrades
- Document upgrade procedures and rollback plans
CC9: Risk Mitigation
Data Encryption and Protection
Ensure that all sensitive data handled by Amazon EKS clusters, Kubernetes workloads, and supporting AWS services is encrypted and protected in transit and at rest to maintain confidentiality, integrity, and compliance with SOC 2 Trust Services Criteria for Security, Confidentiality, and Privacy.
Responsible Parties:
Primary: Security Team
Supporting: EKS Cluster Owners, DevOps/SRE Teams, Compliance Team
- Enable KMS encryption for Kubernetes secrets
```shell
aws eks create-cluster --name $CLUSTER_NAME \
  --encryption-config resources=secrets,provider={keyArn=$KMS_KEY_ARN}
```

- Configure EBS CSI driver with encrypted storage classes

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ebs-encrypted
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
  kmsKeyId: alias/ebs-encryption-key
```

- Implement envelope encryption for application data
- Enable encryption in transit for all communications
To be continued…
Series Navigation:
- Part 1: Foundational Controls - Basic security controls and access management
- Part 2: Advanced Controls (you are here) - Risk assessment and monitoring