
[WIP] Create hardened EKS cluster following best practices #4

Merged
j-monroe merged 1 commit into main from copilot/create-eks-cluster on Dec 10, 2025

Conversation

Copilot AI (Contributor) commented Dec 10, 2025

Hardened EKS Cluster Implementation Plan

As a security architect at a SOC 2 compliant organization supporting GDPR, I'll create a CIS Kubernetes Benchmark compliant EKS cluster with comprehensive security controls.

Phase 1: Core EKS Component Creation

  • Create EKS component directory structure (pulumi/components/aws/eks/)
  • Implement main EKS component (eks.py) with:
    • Private-only API endpoint (no public access)
    • Customer-managed KMS key for secrets encryption
    • All CloudWatch log types enabled (api, audit, authenticator, controllerManager, scheduler)
    • EKS cluster with encryption configuration
    • Cluster security group with minimal permissions
    • IRSA (IAM Roles for Service Accounts) OIDC provider setup

Phase 2: Node Group Security Configuration

  • Create managed node groups with:
    • IMDSv2 required (hop limit = 1)
    • Encrypted EBS volumes via launch template
    • Private subnet placement only
    • Security group with strict ingress/egress rules
    • Proper IAM role with minimal permissions
    • SSM access for secure node management

Phase 3: Kubernetes Security Policies

  • Create ConfigMap for Pod Security Standards (restricted profile)
  • Configure admission controller settings
  • Set up network policy support (Calico or AWS VPC CNI network policies)

Phase 4: RBAC and IAM Configuration

  • Create cluster admin IAM role
  • Configure aws-auth ConfigMap for IAM authentication
  • Set up IRSA service account with proper trust policies
  • Create example IRSA role for application workloads

Phase 5: Monitoring and Observability

  • Enable CloudWatch Container Insights
  • Configure CloudWatch Log Group with retention
  • Add necessary IAM policies for monitoring

Phase 6: Compliance and Tagging

  • Implement comprehensive resource tagging (SOC2, GDPR compliance)
  • Add required compliance tags (DataClassification, Compliance, Owner, etc.)

Phase 7: Component Testing

  • Create unit tests (tests/test_eks.py)
  • Test basic cluster creation
  • Test with various security configurations
  • Verify all outputs are correctly set

Phase 8: Environment Instantiation

  • Create staging environment EKS instantiation (pulumi/environments/aws/staging/50-eks/)
  • Configure Pulumi.yaml with local path reference
  • Add SDK configuration files
  • Document usage and security features

Phase 9: Documentation

  • Create comprehensive README for the EKS component
  • Document security features and compliance mappings
  • Add example configurations
  • Document IRSA setup and usage

Security Notes for SOC2/GDPR Compliance:

  • Private API endpoints prevent unauthorized external access
  • IMDSv2 prevents SSRF attacks on node metadata
  • Encrypted secrets and EBS volumes protect data at rest
  • Comprehensive logging supports audit requirements
  • Pod Security Standards enforce container security policies
  • Network policies enable microsegmentation
  • Proper tagging enables data classification and tracking
Original prompt

This section details the original issue you should resolve

<issue_title>Create eks cluster</issue_title>
<issue_description>@copilot
Create a hardened EKS cluster following CIS Kubernetes Benchmark and AWS best practices:

  1. Security Requirements:

    • Private-only API endpoint (no public access)
    • Encrypted EBS volumes for nodes
    • Pod Security Standards enforced (restricted profile)
    • Network policies enabled
    • Secrets encryption with customer-managed KMS key
    • Enable all CloudWatch log types
    • IMDSv2 required on all nodes
  2. RBAC Configuration:

    • Create cluster admin role
    • Configure AWS IAM Authenticator
    • Set up IRSA (IAM Roles for Service Accounts)
  3. Compliance:

    • Tag all resources appropriately
    • Enable AWS Config rules for EKS
    • Configure GuardDuty for EKS protection
    • Set up Falco or similar runtime security
  4. Monitoring:

    • CloudWatch Container Insights
    • Prometheus and Grafana setup
    • AWS X-Ray for distributed tracing
      </issue_description>

<agent_instructions>take on the role of a security architect who works at a SOC 2 org that also needs to support GDPR</agent_instructions>

Comments on the Issue (you are @copilot in this section)
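As an added example (not part of this PR or its Pulumi component), a small Python audit that checks a cluster description and a node launch template against the controls the plan lists: private-only API endpoint, KMS-encrypted secrets, all five control-plane log types, IMDSv2 with hop limit 1, and encrypted EBS volumes. The input dicts are constructed samples shaped like `aws eks describe-cluster` and `aws ec2 describe-launch-template-versions` output; the field names are assumptions drawn from those APIs.

```python
# Added audit helper, not the PR's Pulumi code. Input dicts are constructed
# samples; field names follow the EKS/EC2 describe APIs (assumed here).
REQUIRED_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def audit_cluster(cluster: dict) -> list[str]:
    # Returns findings for the control-plane items; empty list means compliant.
    findings = []
    vpc = cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess", True):
        findings.append("API endpoint allows public access")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("private API endpoint access is disabled")
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    missing = REQUIRED_LOG_TYPES - enabled
    if missing:
        findings.append("log types not enabled: " + ", ".join(sorted(missing)))
    kms_secrets = any(
        "secrets" in cfg.get("resources", []) and cfg.get("provider", {}).get("keyArn")
        for cfg in cluster.get("encryptionConfig", [])
    )
    if not kms_secrets:
        findings.append("secrets are not encrypted with a customer-managed KMS key")
    return findings


def audit_launch_template(lt_data: dict) -> list[str]:
    # Node-level items: IMDSv2 enforced with hop limit 1, every EBS volume encrypted.
    findings = []
    md = lt_data.get("MetadataOptions", {})
    if md.get("HttpTokens") != "required":
        findings.append("IMDSv2 not enforced (HttpTokens != required)")
    if md.get("HttpPutResponseHopLimit", 1) != 1:
        findings.append("IMDS hop limit is not 1, so pod network namespaces can reach node metadata")
    for bdm in lt_data.get("BlockDeviceMappings", []):
        if not bdm.get("Ebs", {}).get("Encrypted", False):
            findings.append(f"unencrypted EBS volume on {bdm.get('DeviceName')}")
    return findings


# Constructed sample that misses several of the plan's controls.
SAMPLE_CLUSTER = {
    "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": True},
    "logging": {"clusterLogging": [{"types": ["api", "audit"], "enabled": True}]},
    "encryptionConfig": [],
}
SAMPLE_LT = {
    "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}],
}
```

Calling `audit_cluster(SAMPLE_CLUSTER)` and `audit_launch_template(SAMPLE_LT)` on the constructed sample returns three findings each; a cluster matching the plan returns none.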

@j-monroe j-monroe marked this pull request as ready for review December 10, 2025 01:57
@j-monroe j-monroe merged commit 86f106a into main Dec 10, 2025
1 check failed
Copilot AI requested a review from j-monroe December 10, 2025 02:04
j-monroe (Collaborator) left a comment

Looks good, going to prod



Development

Successfully merging this pull request may close these issues: Create eks cluster