Profile applicability: Level 1 - Cluster / Control Plane
AmazonEKSNetworkingPolicy is an AWS-managed add-on that provides native support for Kubernetes NetworkPolicy enforcement within Amazon Elastic Kubernetes Service (EKS) clusters. It enables organizations to define and apply fine-grained, pod-level network access controls that regulate traffic between workloads and external endpoints. Built on an AWS-optimized implementation of Calico, the add-on integrates seamlessly with the EKS control plane to deliver a secure and scalable approach to network segmentation without requiring manual CNI plugin installation. By leveraging AmazonEKSNetworkingPolicy, enterprises can strengthen their cluster security posture, enforce zero-trust networking principles, and ensure compliance with organizational and regulatory access control standards.
By default, all pod-to-pod traffic within a cluster is allowed. A Network Policy creates a pod-level firewall that can be used to restrict traffic between sources. Pod traffic is restricted by having a Network Policy that selects the pod (through the use of labels). Once any Network Policy in a namespace selects a particular pod, that pod rejects any connection that is not explicitly allowed by some Network Policy selecting it. Other pods in the namespace that are not selected by any Network Policy continue to accept all traffic.
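The selection rule above is the part of NetworkPolicy that most often surprises operators, so the following added example (illustration written for this page, not benchmark text or AWS/Kubernetes code) models it as a small evaluator: a pod becomes isolated only once some policy in its namespace selects it, allow rules from every selecting policy are additive, and unselected pods keep the default allow-all. It handles matchLabels selectors, podSelector/namespaceSelector peers and TCP ports only; ipBlock, matchExpressions and egress are left out. The pods, namespace labels and policies are constructed sample data.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress isolation semantics.

Added illustration (not from the benchmark or from any AWS/Kubernetes code).
Models: selected pod -> isolated; allow rules additive; unselected -> allow all.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class Policy:
    namespace: str
    pod_selector: dict   # matchLabels; {} selects every pod in the namespace
    ingress: list        # rules of the form {"from": [peers], "ports": [ports]}


# Constructed sample: labels carried by each namespace object
NAMESPACE_LABELS = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}


def matches(selector, labels):
    """matchLabels: every selector key must be present with the same value.
    An empty selector matches everything, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_allows(peer, src, policy_ns):
    """One entry of a rule's 'from' list. podSelector and namespaceSelector in
    the same entry are ANDed; a podSelector on its own only matches pods in
    the policy's own namespace."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(src.namespace, {})):
            return False
        if "podSelector" not in peer:
            return True
        return matches(peer["podSelector"], src.labels)
    if "podSelector" in peer:
        return src.namespace == policy_ns and matches(peer["podSelector"], src.labels)
    return False


def rule_allows(rule, src, port, policy_ns):
    """A rule with no 'from' admits every source; no 'ports' admits every port."""
    peers = rule.get("from")
    ports = rule.get("ports")
    src_ok = not peers or any(peer_allows(p, src, policy_ns) for p in peers)
    port_ok = not ports or any(
        p.get("port") == port and p.get("protocol", "TCP") == "TCP" for p in ports
    )
    return src_ok and port_ok


def ingress_allowed(src, dst, port, policies):
    """Decide whether src may open a TCP connection to dst:port."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True  # not isolated: the default allow-all still applies
    # Allow rules are additive across every policy that selects the pod;
    # a selecting policy with an empty ingress list is therefore deny-all.
    return any(rule_allows(r, src, port, p.namespace) for p in selecting for r in p.ingress)


# Constructed sample workload: only web may reach db on 5432, batch is
# isolated with no allow rules, legacy is not selected by any policy.
WEB = Pod("web", "prod", {"app": "web"})
DB = Pod("db", "prod", {"app": "db"})
BATCH = Pod("batch", "prod", {"app": "batch"})
DEV_WEB = Pod("web", "dev", {"app": "web"})
LEGACY = Pod("legacy", "prod", {"app": "legacy"})

POLICIES = [
    Policy("prod", {"app": "db"}, [
        {"from": [{"podSelector": {"app": "web"}}],
         "ports": [{"port": 5432, "protocol": "TCP"}]},
    ]),
    Policy("prod", {"app": "batch"}, []),   # selects batch, allows nothing
]


def evaluate_sample():
    """Return the decisions for the sample flows so they can be inspected."""
    return {
        "web->db:5432": ingress_allowed(WEB, DB, 5432, POLICIES),
        "batch->db:5432": ingress_allowed(BATCH, DB, 5432, POLICIES),
        "web->db:22": ingress_allowed(WEB, DB, 22, POLICIES),
        "dev/web->db:5432": ingress_allowed(DEV_WEB, DB, 5432, POLICIES),
        "web->batch:8080": ingress_allowed(WEB, BATCH, 8080, POLICIES),
        "batch->legacy:80": ingress_allowed(BATCH, LEGACY, 80, POLICIES),
    }


if __name__ == "__main__":
    for flow, allowed in evaluate_sample().items():
        print(f"{flow:20} {'ALLOW' if allowed else 'DENY'}")
```

The dev/web case shows why cross-namespace access needs an explicit namespaceSelector, and the legacy case shows that a single policy in a namespace does not protect pods it does not select; that is the reason a default deny-all policy per namespace is the usual starting point once enforcement is enabled.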
Implementing AmazonEKSNetworkingPolicy provides significant security and operational benefits for Amazon EKS environments by introducing native, AWS-managed enforcement of Kubernetes NetworkPolicies. This capability allows organizations to implement fine-grained, pod-level network segmentation, reducing the risk of lateral movement and unauthorized communication within clusters.
By leveraging an AWS-optimized Calico engine, AmazonEKSNetworkingPolicy eliminates the complexity of manually deploying and managing third-party CNIs while ensuring consistent policy enforcement aligned with Kubernetes standards.
The add-on enhances compliance with zero-trust networking principles, supports regulatory frameworks that require network isolation, and provides centralized visibility and control over intra-cluster communication. Ultimately, it helps organizations improve their security posture, reduce operational overhead, and simplify governance in modern containerized environments.
Note
By default, Network Policy is disabled.

Impact

The implementation of AmazonEKSNetworkingPolicy has a substantial impact on the overall security, compliance, and operational efficiency of Amazon EKS environments. By enabling native enforcement of Kubernetes NetworkPolicies, it strengthens the cluster’s defense-in-depth strategy through precise control of pod-to-pod and pod-to-external communication.
This reduces the attack surface, mitigates the risk of lateral movement, and ensures that only explicitly authorized traffic is permitted within the cluster. From a compliance perspective, it supports adherence to zero-trust security frameworks and organizational policies that mandate network segmentation and isolation.
Operationally, AmazonEKSNetworkingPolicy simplifies the management of network security by providing an AWS-managed, scalable, and fully integrated solution—allowing teams to focus on application innovation rather than complex network configurations.
Note
Enabling Network Policy enforcement consumes additional resources in nodes. Specifically, it increases the memory footprint of the kube-system process by approximately 128MB, and requires approximately 300 millicores of CPU.

Audit

Check that the following is true:
export CLUSTER_NAME=<your cluster name>
aws eks describe-addon --cluster-name ${CLUSTER_NAME} --addon-name vpc-cni --query addon.configurationValues
Output should read:
"{\"enableNetworkPolicy\":\"true\"}"

Remediation

Make sure the Amazon VPC CNI add-on (vpc-cni) is installed, active, and upgraded to an appropriate version in the cluster's Add-ons. To update the add-on, run the following at the AWS CLI:
aws eks update-addon --cluster-name $CLUSTER_NAME --addon-name vpc-cni --configuration-values '{"enableNetworkPolicy":"true"}'
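The audit output above is easy to misread in a script: the CLI prints a JSON string whose content is itself a JSON document (hence the escaped quotes), and a cluster with no configuration values prints null, which means the disabled default applies. The following added example (written for this page, not AWS tooling or benchmark text) wraps the Audit query and the Remediation command as argv lists and interprets the audit output, accepting both the string "true" set by the remediation command and a bare boolean. Only JSON-formatted configuration values are decoded; it is an assumption here that YAML-formatted values, which EKS also accepts, are not handled. The sample outputs are constructed; run_audit() is the only function that touches a live cluster.

```python
"""Offline interpreter for the Audit output and builder of the Remediation
command. Added example, not AWS tooling or benchmark text."""
import json
import shlex
import subprocess


def build_audit_command(cluster_name):
    """The describe-addon query from the Audit section as an argv list."""
    return ["aws", "eks", "describe-addon", "--cluster-name", cluster_name,
            "--addon-name", "vpc-cni", "--query", "addon.configurationValues"]


def build_remediation_command(cluster_name):
    """The update-addon call from the Remediation section as an argv list."""
    return ["aws", "eks", "update-addon", "--cluster-name", cluster_name,
            "--addon-name", "vpc-cni",
            "--configuration-values", json.dumps({"enableNetworkPolicy": "true"})]


def network_policy_enabled(cli_output):
    """Interpret the raw stdout of the audit command.

    The output is a JSON document that is either null (no configurationValues,
    so network policy is at its disabled default) or a JSON string whose
    content is itself JSON. Assumption: YAML configuration values are not
    decoded here, only the JSON form written by the remediation command."""
    text = cli_output.strip()
    if not text:
        return False
    outer = json.loads(text)
    if outer is None or outer == "":
        return False
    config = json.loads(outer) if isinstance(outer, str) else outer
    if not isinstance(config, dict):
        return False
    value = config.get("enableNetworkPolicy")
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def run_audit(cluster_name):
    """Run the audit against a live cluster (needs AWS credentials; not run here)."""
    result = subprocess.run(build_audit_command(cluster_name),
                            capture_output=True, text=True, check=True)
    return network_policy_enabled(result.stdout)


# Constructed sample outputs in the form the AWS CLI prints them (json output).
SAMPLE_OUTPUTS = {
    "enabled": '"{\\"enableNetworkPolicy\\":\\"true\\"}"\n',
    "disabled": '"{\\"enableNetworkPolicy\\":\\"false\\"}"\n',
    "boolean": '"{\\"enableNetworkPolicy\\":true}"\n',
    "other_keys_only": '"{\\"env\\":{\\"ENABLE_PREFIX_DELEGATION\\":\\"true\\"}}"\n',
    "unconfigured": "null\n",
}


def check_samples():
    """Evaluate every constructed sample; True means the control passes."""
    return {name: network_policy_enabled(out) for name, out in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:16} {'PASS' if ok else 'FAIL'}")
    print("Remediation:", shlex.join(build_remediation_command("my-cluster")))
```

The other_keys_only sample is the case to watch for: a vpc-cni add-on that has been configured for other reasons still fails this control unless enableNetworkPolicy is present and set to true, and the remediation command above replaces the whole configurationValues document, so existing keys must be carried over into the new value.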