
Enhance Amazon EKS network security posture with DNS and admin network policies

Containers Blog



This article explains Amazon EKS's new DNS-based and Admin network policies for enhanced cluster security and external service access control.

  • Admin network policies provide cluster-wide, cross-namespace security controls that cannot be overridden
  • DNS-based policies use domain names instead of IP addresses for stable, maintainable external access rules
  • EKS Auto (v1.29+) supports both policy types; EC2-based EKS supports Admin policies via VPC CNI v1.21.0+
  • Use cases include blocking IMDS access, securing multi-tenant AWS service access, and hybrid cloud integration
  • Implement deny-by-default baseline policies with label-based segmentation for scalable security
  • Combine DNS policies with traditional network policies for defense-in-depth security architecture
  • Admin Deny policies take precedence; Pass actions delegate to namespace-scoped policies
  • Monitor policy logs and validate DNS policies in staging environments before production deployment

These policies simplify network security management by replacing IP-based rules with stable domain names while enabling centralized, cluster-wide security governance.


