
Maintaining Amazon Elastic Kubernetes Service (Amazon EKS) cluster access during AWS Landing Zone (LZ) Migrations

6 minute read
Content level: Intermediate

Migrating your AWS account to a new landing zone can lock you out of your Amazon EKS clusters. New SSO permission sets create different role names that break existing access.

This guide helps you:

  • Maintain access - Keep clusters accessible during migration
  • Emergency backup - Works independently of SSO systems
  • Avoid downtime - Prevent operational disruptions
  • Safe migration - Reliable fallback for peace of mind

Introduction

AWS account migrations to new landing zones disrupt Amazon Elastic Kubernetes Service (Amazon EKS) cluster access when SSO role ARNs change. The new IAM Identity Center instance provisions permission-set roles with different names and suffixes, so the role mappings your cluster trusts (in the aws-auth ConfigMap or in access entries) no longer match any real principal and administrators are locked out. This article explains how to implement a Breakglass IAM Role Strategy that keeps Amazon EKS cluster access uninterrupted during a landing zone migration, using EKS access entries.

This approach provides emergency access during migrations by adding a dedicated IAM role as a Breakglass mechanism. This creates a reliable fallback that's independent of SSO systems and ensures you can proceed with migration without disruptions.

Understanding authentication modes during migration


Amazon EKS offers Access Entries, an API-driven way to manage cluster authentication that can replace the legacy aws-auth ConfigMap approach. The cluster's authentication mode decides whether aws-auth, access entries, or both are evaluated.

Access Entries directly link IAM principals (users, roles) to Kubernetes permissions.

Grant an IAM role access to your EKS cluster

aws eks create-access-entry \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::123456789012:role/<Your Role> \
    --type STANDARD

aws eks associate-access-policy \
    --cluster-name my-cluster \
    --principal-arn arn:aws:iam::123456789012:role/<Your Role> \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
    --access-scope type=cluster

That's it! No ConfigMap editing, no kubectl required. The access entry authenticates the principal; what it may do comes from the associated EKS access policy, or from Kubernetes groups you name with --kubernetes-groups and bind yourself through RBAC. Group names with the reserved system: prefix, including system:masters, are not accepted in access entries, so cluster-admin rights are granted through AmazonEKSClusterAdminPolicy at cluster scope instead.


Why use a Breakglass role?


  • SSO independence - Works even when Identity Center is unavailable
  • Cross-environment compatibility - Can be assumed from either your current or new landing zone
  • Immediate emergency access - Provides instant cluster access during migration issues
  • Persistent availability - Remains accessible throughout the entire migration process

Setting up your Breakglass role

Step 1: Create the Breakglass IAM role

Create the role trust policy. Naming an account root as the principal lets any principal in that account assume the role, provided its own IAM policy allows sts:AssumeRole on this ARN. The MFA condition is satisfied only by callers that authenticate with an IAM MFA device (the --serial-number and --token-code flags used in Step 4); a session federated through Identity Center carries no IAM MFA context into STS and cannot assume this role, which is exactly what keeps the Breakglass path independent of SSO.

cat > breakglass-trust-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<CURRENT-ACCOUNT>:root",
          "arn:aws:iam::<NEW-LZ-ACCOUNT>:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
EOF

Create the IAM role

aws iam create-role \
  --role-name EKS-Breakglass-Admin \
  --assume-role-policy-document file://breakglass-trust-policy.json \
  --description "Emergency Breakglass access for EKS cluster during LZ migration"

Attach a least-privilege identity policy

The Kubernetes permissions come from the access entry created in Step 3, so the role itself only needs to read cluster metadata for aws eks update-kubeconfig. Do not attach AmazonEKSClusterPolicy: that managed policy is intended for the cluster's own IAM service role, not for an administrator.

aws iam put-role-policy \
  --role-name EKS-Breakglass-Admin \
  --policy-name EKSDescribeOnly \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["eks:DescribeCluster","eks:ListClusters"],"Resource":"*"}]}'

Repeat Step 1 with the same role name in the new landing zone account, so that EKS-Breakglass-Admin exists in both accounts before the access entries in Step 3 reference it.

Step 2: Enable Access Entries on Your Cluster

Check the cluster's current authentication mode:

aws eks describe-cluster \
  --name <cluster-name> \
  --query cluster.accessConfig.authenticationMode \
  --output text

If it reports CONFIG_MAP, switch to API_AND_CONFIG_MAP rather than API. In that mode the existing aws-auth mappings keep working while you add and test access entries, whereas API stops evaluating aws-auth entirely and would lock out every principal that is only mapped there. Once Step 4 has proven the Breakglass access, you can move the cluster to API. Neither change can be reverted to CONFIG_MAP.

aws eks update-cluster-config \
  --name <cluster-name> \
  --access-config authenticationMode=API_AND_CONFIG_MAP

Step 3: Create Access Entries for your Breakglass Role

No --kubernetes-groups is needed: the entry authenticates the role, and the AmazonEKSClusterAdminPolicy association at cluster scope grants cluster-admin.

Create Access Entry for current account Breakglass role:

aws eks create-access-entry \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::CURRENT-ACCOUNT:role/EKS-Breakglass-Admin" \
  --type STANDARD

Associate with Amazon EKS managed admin policy:

aws eks associate-access-policy \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::CURRENT-ACCOUNT:role/EKS-Breakglass-Admin" \
  --policy-arn "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" \
  --access-scope type=cluster

Create Access Entry for new landing zone account Breakglass role:

aws eks create-access-entry \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::NEW-LZ-ACCOUNT:role/EKS-Breakglass-Admin" \
  --type STANDARD

Associate policy for new landing zone role:

aws eks associate-access-policy \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::NEW-LZ-ACCOUNT:role/EKS-Breakglass-Admin" \
  --policy-arn "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" \
  --access-scope type=cluster
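The script below is an added example, not code from the article: it runs Steps 1 to 3 as one re-runnable procedure. It builds the trust policy for any number of accounts, creates the role or refreshes its trust policy if it already exists, attaches the least-privilege identity policy, moves a CONFIG_MAP cluster to API_AND_CONFIG_MAP (and leaves a cluster that is already past that mode alone), and creates the access entry plus admin policy association for each account's Breakglass role. The role name EKS-Breakglass-Admin and the access policy ARN come from the article; the inline policy name EKSDescribeOnly, the root principals, and the account IDs and cluster name passed on the command line are this example's assumptions.

```shell
#!/usr/bin/env bash
# setup-breakglass.sh: Steps 1-3 as one re-runnable script (added example, not from the article).
# Assumptions: role name EKS-Breakglass-Admin from the article, inline policy name EKSDescribeOnly,
# account IDs and cluster name supplied as placeholders on the command line.
set -eu

ROLE_NAME="EKS-Breakglass-Admin"
ADMIN_POLICY="arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

# Trust policy for the listed accounts, MFA required. Account-root principals delegate the
# decision to each account's own IAM policies; narrow to named users for production.
trust_policy_json() {
  principals=""
  for acct in "$@"; do
    principals="${principals:+$principals, }\"arn:aws:iam::${acct}:root\""
  done
  cat <<EOF
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": [${principals}]}, "Action": "sts:AssumeRole",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
EOF
}

# The access entry grants the Kubernetes rights, so the role only needs to read cluster
# metadata for update-kubeconfig. AmazonEKSClusterPolicy is the control plane's service
# role policy and is deliberately not attached here.
IDENTITY_POLICY='{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["eks:DescribeCluster", "eks:ListClusters"], "Resource": "*"}]}'

# Create the role in the signed-in account, or refresh its trust policy if it exists.
ensure_breakglass_role() {
  policy=$(trust_policy_json "$@")
  if aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam update-assume-role-policy --role-name "$ROLE_NAME" --policy-document "$policy"
  else
    aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$policy" \
      --description "Emergency Breakglass access for EKS during LZ migration" >/dev/null
  fi
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name EKSDescribeOnly \
    --policy-document "$IDENTITY_POLICY"
}

# Move a CONFIG_MAP cluster to API_AND_CONFIG_MAP so aws-auth keeps working while access
# entries are added and tested; API-only would drop every principal mapped only in aws-auth.
# Prints the mode the cluster ends up in.
enable_access_entries() {
  cluster=$1
  mode=$(aws eks describe-cluster --name "$cluster" \
    --query cluster.accessConfig.authenticationMode --output text)
  case "$mode" in
    CONFIG_MAP)
      aws eks update-cluster-config --name "$cluster" \
        --access-config authenticationMode=API_AND_CONFIG_MAP >/dev/null
      echo API_AND_CONFIG_MAP ;;
    API_AND_CONFIG_MAP|API) echo "$mode" ;;
    *) echo "unexpected authentication mode: $mode" >&2; return 1 ;;
  esac
}

# Access entry plus cluster-scoped admin policy for one account's Breakglass role.
# No --kubernetes-groups: system:masters is reserved, the access policy carries the rights.
grant_breakglass() {
  cluster=$1; arn="arn:aws:iam::$2:role/${ROLE_NAME}"
  aws eks describe-access-entry --cluster-name "$cluster" --principal-arn "$arn" >/dev/null 2>&1 ||
    aws eks create-access-entry --cluster-name "$cluster" --principal-arn "$arn" --type STANDARD >/dev/null
  aws eks associate-access-policy --cluster-name "$cluster" --principal-arn "$arn" \
    --policy-arn "$ADMIN_POLICY" --access-scope type=cluster >/dev/null
  echo "$arn"
}

main() {
  cmd=${1:-}; shift || true
  case "$cmd" in
    role)    ensure_breakglass_role "$@" ;;            # run once in each account that holds the role
    cluster) cluster=$1; shift
             enable_access_entries "$cluster"
             for acct in "$@"; do grant_breakglass "$cluster" "$acct"; done ;;
    *) echo "usage: $0 role <account-id>... | cluster <cluster-name> <account-id>..." >&2; return 2 ;;
  esac
}

# With no arguments the script only defines its functions (for sourcing or testing).
[ $# -eq 0 ] || main "$@"
```

Run `setup-breakglass.sh role CURRENT-ACCOUNT NEW-LZ-ACCOUNT` while signed in to each of the two accounts, then `setup-breakglass.sh cluster <cluster-name> CURRENT-ACCOUNT NEW-LZ-ACCOUNT` while signed in to the account that hosts the cluster. Every step is safe to repeat, so a half-finished run can simply be re-executed.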

Step 4: Test your Breakglass access

Assume the Breakglass Role with your IAM MFA device and export the session credentials. Do not pass --role-arn to update-kubeconfig here: that would make kubectl's exec plugin (aws eks get-token) call AssumeRole itself, without MFA, which the trust policy rejects. Exporting the session avoids that.

read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$(aws sts assume-role \
  --role-arn "arn:aws:iam::CURRENT-ACCOUNT:role/EKS-Breakglass-Admin" \
  --role-session-name "breakglass-test" \
  --serial-number "arn:aws:iam::CURRENT-ACCOUNT:mfa/username" \
  --token-code "123456" \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --output text)"
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

Confirm the session is the Breakglass role (the Arn should end in assumed-role/EKS-Breakglass-Admin/breakglass-test)

aws sts get-caller-identity

Configure kubectl credentials

aws eks update-kubeconfig \
  --region <region> \
  --name <cluster-name>

Verify cluster-wide permissions (expected output: yes)

kubectl auth can-i '*' '*' --all-namespaces

Confirm cluster access

kubectl get nodes

Repeat the test from the new landing zone account with its own Breakglass role. Note that update-kubeconfig calls eks:DescribeCluster, which does not work across accounts; from the other account, reuse the kubeconfig generated above (its exec plugin, aws eks get-token, only needs the cluster name and your exported credentials) or build one from the cluster endpoint and certificate data.

Migration process with Breakglass protection

Step 5: Pre-migration SSO configuration

Add the new landing zone's admin permission set before cutover. The principal of an access entry must be an IAM principal, so use the IAM role that the new Identity Center instance provisions in the cluster's account for the permission set, not the arn:aws:sso:::permissionSet/... ARN. Identity Center names that role AWSReservedSSO_<PermissionSetName>_<suffix> under the path /aws-reserved/sso.amazonaws.com/; list the provisioned roles with:

aws iam list-roles \
  --path-prefix /aws-reserved/sso.amazonaws.com/ \
  --query 'Roles[].[RoleName,Arn]' \
  --output text

Create the access entry for the provisioned role. <CLUSTER-ACCOUNT> is the account the cluster runs in. EKS's default username for a role already ends in the role session name, which for Identity Center is the signed-in user, so it appears in the Kubernetes audit log without a custom --username:

aws eks create-access-entry \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::<CLUSTER-ACCOUNT>:role/AWSReservedSSO_<PermissionSetName>_<suffix>" \
  --type STANDARD

Associate with admin policy

aws eks associate-access-policy \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::<CLUSTER-ACCOUNT>:role/AWSReservedSSO_<PermissionSetName>_<suffix>" \
  --policy-arn "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" \
  --access-scope type=cluster

Step 6: Post-migration cleanup

Only after the new permission-set entries have been tested (sign in through the new Identity Center and repeat the kubectl checks from Step 4) remove the entries that belong to the old landing zone. Delete each entry by the same IAM role ARN you created it with; aws eks list-access-entries --cluster-name <cluster-name> shows what is currently mapped.

Remove old SSO access entries

aws eks delete-access-entry \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::<CLUSTER-ACCOUNT>:role/AWSReservedSSO_<OldPermissionSetName>_<old-suffix>"

Remove old account Breakglass role access entry (keep the new landing zone's Breakglass entry; it remains your emergency path)

aws eks delete-access-entry \
  --cluster-name <cluster-name> \
  --principal-arn "arn:aws:iam::CURRENT-ACCOUNT:role/EKS-Breakglass-Admin"
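Steps 5 and 6 as one script, added here as an example and not taken from the article: it resolves a permission-set name to the role Identity Center provisioned in the signed-in account (refusing to guess when the name is ambiguous), grants that role cluster-admin, and deletes old principals only while a Breakglass entry is still present, so the cluster never loses its last out-of-band administrator. The AWSReservedSSO_<PermissionSetName>_<suffix> naming and the /aws-reserved/sso.amazonaws.com/ path are Identity Center's; the cluster name, permission-set names and ARNs on the command line are placeholders.

```shell
#!/usr/bin/env bash
# migrate-sso-access.sh: Steps 5 and 6 (added example, not from the article). Resolves a
# permission set to the IAM role Identity Center provisioned in the signed-in account,
# grants it cluster-admin, and removes old principals only while a Breakglass entry exists.
# The cluster name, permission set names and ARNs are placeholders supplied as arguments.
set -eu

ADMIN_POLICY="arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

# Path-less ARN of the provisioned role for one permission set in the signed-in account.
# Fails unless exactly one role matches, so a prefix collision (Admin vs Admin_Ops) is caught.
sso_role_arn() {
  ps=$1
  acct=$(aws sts get-caller-identity --query Account --output text)
  names=$(aws iam list-roles --path-prefix /aws-reserved/sso.amazonaws.com/ \
      --query 'Roles[].RoleName' --output text | tr '\t' '\n' \
      | grep -E "^AWSReservedSSO_${ps}_[0-9a-f]+$" || true)
  if [ "$(printf '%s\n' "$names" | grep -c .)" -ne 1 ]; then
    echo "expected exactly one provisioned role for permission set '$ps', found: ${names:-none}" >&2
    return 1
  fi
  echo "arn:aws:iam::${acct}:role/${names}"
}

# Access entry plus cluster-scoped admin policy for the permission-set role. EKS's default
# username for a role already ends in the session name (the Identity Center user), which
# is what shows up in the Kubernetes audit log, so no --username is set.
grant_sso_admin() {
  cluster=$1; arn=$2
  aws eks describe-access-entry --cluster-name "$cluster" --principal-arn "$arn" >/dev/null 2>&1 ||
    aws eks create-access-entry --cluster-name "$cluster" --principal-arn "$arn" --type STANDARD >/dev/null
  aws eks associate-access-policy --cluster-name "$cluster" --principal-arn "$arn" \
    --policy-arn "$ADMIN_POLICY" --access-scope type=cluster >/dev/null
  echo "$arn"
}

# Delete old principals, but only while the given Breakglass entry exists, so the cluster
# never loses its last out-of-band admin. Prints how many entries were removed.
cleanup_old_principals() {
  cluster=$1; keep_arn=$2; shift 2
  aws eks describe-access-entry --cluster-name "$cluster" --principal-arn "$keep_arn" >/dev/null 2>&1 ||
    { echo "refusing cleanup: no access entry for $keep_arn" >&2; return 1; }
  removed=0
  for arn in "$@"; do
    aws eks delete-access-entry --cluster-name "$cluster" --principal-arn "$arn" >/dev/null
    removed=$((removed + 1))
  done
  echo "$removed"
}

main() {
  cmd=${1:-}; shift || true
  case "$cmd" in
    add)     arn=$(sso_role_arn "$2"); grant_sso_admin "$1" "$arn" ;;
    cleanup) cleanup_old_principals "$@" ;;
    *) echo "usage: $0 add <cluster-name> <permission-set-name> | cleanup <cluster-name> <keep-breakglass-arn> <old-principal-arn>..." >&2; return 2 ;;
  esac
}

# With no arguments the script only defines its functions (for sourcing or testing).
[ $# -eq 0 ] || main "$@"
```

Before cutover, run `migrate-sso-access.sh add <cluster-name> <PermissionSetName>` signed in to the cluster's account through the new Identity Center; after the new access has been tested, run `migrate-sso-access.sh cleanup <cluster-name> arn:aws:iam::NEW-LZ-ACCOUNT:role/EKS-Breakglass-Admin <old-arn>...` with the old permission-set role and the old account's Breakglass role as the ARNs to remove.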

Enhanced security configuration

For production environments, tighten the Breakglass role's trust policy: name the individual emergency IAM users instead of the account roots, and restrict the source network. Two things to verify when you do so: the cross-account user in NEW-LZ-ACCOUNT still needs an identity-based policy allowing sts:AssumeRole on this role ARN, and aws:SourceIp matches the caller's public address, so AssumeRole calls made through an STS VPC endpoint will not match and are denied.

Breakglass role trust policy with MFA and IP restrictions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::CURRENT-ACCOUNT:user/emergency-user-1",
          "arn:aws:iam::CURRENT-ACCOUNT:user/emergency-user-2",
          "arn:aws:iam::NEW-LZ-ACCOUNT:user/emergency-user-1"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]
        }
      }
    }
  ]
}

Validation commands

Confirm that both Breakglass access entries exist and carry the cluster-scoped admin policy. describe-access-entry only shows that an entry is present, so follow it with the list of associated policies, and rely on the kubectl checks from Step 4 to prove that the access actually works.

Current account Breakglass

aws eks describe-access-entry \
  --cluster-name $CLUSTER_NAME \
  --principal-arn "arn:aws:iam::${CURRENT_ACCOUNT}:role/EKS-Breakglass-Admin"

aws eks list-associated-access-policies \
  --cluster-name $CLUSTER_NAME \
  --principal-arn "arn:aws:iam::${CURRENT_ACCOUNT}:role/EKS-Breakglass-Admin"

New account Breakglass

aws eks describe-access-entry \
  --cluster-name $CLUSTER_NAME \
  --principal-arn "arn:aws:iam::${NEW_ACCOUNT}:role/EKS-Breakglass-Admin"

aws eks list-associated-access-policies \
  --cluster-name $CLUSTER_NAME \
  --principal-arn "arn:aws:iam::${NEW_ACCOUNT}:role/EKS-Breakglass-Admin"

Conclusion

After implementing this Breakglass strategy, you can safely proceed with your Landing Zone migration with reliable emergency access to your Amazon EKS clusters. The Breakglass role provides a safety net independent of SSO systems, ensuring continuous cluster management capability throughout the migration process.

Post-migration security checklist:

  • Remove old SSO access entries from Access Entries
  • Remove the old account Breakglass Role Access Entry
  • Update your Access Entries to reflect only current landing zone principals
  • Document the Breakglass Role access procedure for your team
  • Regularly audit Breakglass Role usage through CloudTrail logs (the AssumeRole events that name EKS-Breakglass-Admin as the requested role)

Remember: The Breakglass role should only be used for emergency access and migration scenarios, not for day-to-day operations.
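For the CloudTrail audit item on the checklist, the following script is an added example rather than code from the article. It pulls every AssumeRole event that targeted the Breakglass role, extracts the caller and source IP from each event, and flags sessions that did not come from the networks allowed in the IP-restricted trust policy above. It assumes the role name EKS-Breakglass-Admin, the example CIDRs 203.0.113.0/24 and 198.51.100.0/24, and an account ID and start time passed on the command line; the three sample events in SAMPLE_EVENTS are constructed so the checking logic can be exercised offline with the demo mode. The CIDR check is a general prefix-length test, not limited to /24.

```shell
#!/usr/bin/env bash
# audit-breakglass.sh (added example, not from the article): list every AssumeRole of the
# Breakglass role recorded by CloudTrail and flag sessions from outside the expected networks.
# Assumes the role name EKS-Breakglass-Admin and the CIDRs from the IP-restricted trust
# policy above; account ID and start time are placeholders.
set -eu

ROLE_NAME="EKS-Breakglass-Admin"

# CloudTrail lookup by resource name returns the AssumeRole events that targeted the role.
# Output: one tab-separated line per event with time, calling identity and the raw event JSON.
fetch_assume_role_events() {
  role_arn=$1; since=$2
  aws cloudtrail lookup-events \
    --lookup-attributes "AttributeKey=ResourceName,AttributeValue=${role_arn}" \
    --start-time "$since" \
    --query 'Events[?EventName==`AssumeRole`].[EventTime,Username,CloudTrailEvent]' \
    --output text
}

# Constructed sample in the same shape, used by the demo mode so the logic runs offline.
SAMPLE_EVENTS=$(printf '%s\t%s\t%s\n' \
  2025-03-01T10:00:00+00:00 alice '{"eventName":"AssumeRole","sourceIPAddress":"203.0.113.7"}' \
  2025-03-02T03:15:00+00:00 bob   '{"eventName":"AssumeRole","sourceIPAddress":"192.0.2.44"}' \
  2025-03-02T04:00:00+00:00 carol '{"eventName":"AssumeRole","sourceIPAddress":"198.51.100.200"}')

# sourceIPAddress from the compact CloudTrail JSON, without needing jq.
event_source_ip() {
  printf '%s' "$1" | sed -n 's/.*"sourceIPAddress": *"\([^"]*\)".*/\1/p'
}

# IPv4 dotted quad to an integer, and a CIDR membership test on the masked values.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}
ip_allowed() {
  ip=$1; shift
  for cidr in "$@"; do in_cidr "$ip" "$cidr" && return 0; done
  return 1
}

# Walk the events, print one line per session to stderr marked ok/UNEXPECTED, and print
# "<total> <unexpected>" on stdout. Events without a source IP count as unexpected.
audit_events() {
  events=$1; shift
  total=0; flagged=0
  while IFS="$(printf '\t')" read -r when who raw; do
    [ -n "$when" ] || continue
    ip=$(event_source_ip "$raw")
    if [ -n "$ip" ] && ip_allowed "$ip" "$@"; then status=ok; else status=UNEXPECTED; flagged=$((flagged + 1)); fi
    total=$((total + 1))
    echo "$when $who ${ip:-no-source-ip} $status" >&2
  done <<EOF
$events
EOF
  echo "$total $flagged"
}

main() {
  case "${1:-}" in
    demo)  shift; audit_events "$SAMPLE_EVENTS" "$@" ;;
    audit) acct=$2; since=$3; shift 3
           audit_events "$(fetch_assume_role_events "arn:aws:iam::${acct}:role/${ROLE_NAME}" "$since")" "$@" ;;
    *) echo "usage: $0 demo <cidr>... | audit <account-id> <start-time> <cidr>..." >&2; return 2 ;;
  esac
}

# With no arguments the script only defines its functions (for sourcing or testing).
[ $# -eq 0 ] || main "$@"
```

`audit-breakglass.sh demo 203.0.113.0/24 198.51.100.0/24` reports the three constructed sessions and the count "3 1", since bob's session from 192.0.2.44 is outside both ranges. For a real review run `audit-breakglass.sh audit <account-id> 2025-01-01 203.0.113.0/24 198.51.100.0/24` in the account that owns the role; an UNEXPECTED line is either a trust policy that is looser than intended or a use of the role that needs explaining.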

Additional resources

For more detailed information about Amazon EKS authentication and access management: