How to Satisfy PCI DSS 8.2.1 for unique accounts when Karpenter managed Amazon Elastic Kubernetes Service (EKS) nodes are accessed

2 minute read
Content level: Intermediate

This article describes ways to satisfy the PCI DSS 8.2.1 requirement for unique accounts when accessing nodes managed by Karpenter.

Problem Statement: How do we satisfy the PCI DSS 8.2.1 requirement for unique accounts when accessing nodes managed by Karpenter?

Solution:

  • Karpenter itself does not access nodes directly, but it can configure SSH or AWS Systems Manager Session Manager (SSM) for node access. Using SSM for node access is the recommended approach, as it provides a secure and auditable way to reach instances. You can follow the AWS documentation to install SSM Agent on Amazon EKS worker nodes.
  • Create individual IAM roles for each user or group that needs to access the Amazon EKS nodes. Every IAM role has a unique ID, and all SSM API calls are logged in AWS CloudTrail, providing an audit trail. You can additionally attach an IAM policy to these roles that allows the ssm:StartSession action only when the SessionName request tag is not equal to a reserved placeholder value (for example, "XXXX" in the policy below). This ensures that each session has a unique name, effectively providing a unique account for each access.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:session/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/SessionName": "XXXX"
        }
      }
    }
  ]
}
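As an added example (not part of the article), the Python script below evaluates the policy's condition against sample ssm:StartSession request contexts using the documented IAM operator semantics, so you can see how a request is decided before attaching the policy to a role. It models only the grammar the policy uses (single Action and Resource, StringNotEquals, plus StringEquals and Null for comparison), and it includes a constructed variant with an added Null condition that requires the SessionName tag to be present; that variant, the session ARN and the sample tag values are assumptions made here, not content from the article.

```python
"""Added example (not from the article): a small evaluator for the IAM
condition in the policy above, run over sample ssm:StartSession requests."""
import json
from fnmatch import fnmatch

# The policy from the article.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:*:*:session/*",
            "Condition": {
                "StringNotEquals": {"aws:RequestTag/SessionName": "XXXX"}
            },
        }
    ],
}

# Constructed variant (an assumption added here, not part of the article): the
# same statement plus a Null condition that also requires the SessionName tag
# to be present on the request.
POLICY_WITH_NULL_CHECK = json.loads(json.dumps(POLICY))
POLICY_WITH_NULL_CHECK["Statement"][0]["Condition"]["Null"] = {
    "aws:RequestTag/SessionName": "false"
}


def _condition_true(operator, key, expected, context):
    """Evaluate one condition key with documented IAM semantics.

    StringEquals is false when the key is absent from the request context;
    the negated StringNotEquals is true when the key is absent; Null with
    "false" is true only when the key is present ("true" when it is absent).
    """
    present = key in context
    if operator == "Null":
        return present == (expected == "false")
    if operator == "StringEquals":
        return present and context[key] == expected
    if operator == "StringNotEquals":
        return (not present) or context[key] != expected
    raise ValueError(f"operator not modelled here: {operator}")


def evaluate(policy, action, resource, context):
    """Return "Allow" if an Allow statement matches, otherwise "ImplicitDeny".

    Only the subset of policy grammar used above is modelled: a single string
    Action and Resource, all condition keys ANDed, and no Deny statements.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != action:
            continue
        if not fnmatch(resource, stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {})
        if all(
            _condition_true(op, key, expected, context)
            for op, pairs in conditions.items()
            for key, expected in pairs.items()
        ):
            return "Allow"
    return "ImplicitDeny"


# Constructed session ARN; the account id and session id are made up.
SESSION_ARN = "arn:aws:ssm:us-east-1:111122223333:session/alice-0a1b2c3d"

if __name__ == "__main__":
    cases = {
        "tag is the placeholder": {"aws:RequestTag/SessionName": "XXXX"},
        "tag is a unique name": {"aws:RequestTag/SessionName": "alice-2024-05-01-chg1234"},
        "tag missing entirely": {},
    }
    for label, ctx in cases.items():
        article = evaluate(POLICY, "ssm:StartSession", SESSION_ARN, ctx)
        with_null = evaluate(POLICY_WITH_NULL_CHECK, "ssm:StartSession", SESSION_ARN, ctx)
        print(f"{label:24s} article policy: {article:12s} with Null check: {with_null}")
```

Running the script directly prints the decision for each sample request under both policies. The third case, a request with no SessionName tag at all, is the one to check carefully: a negated operator such as StringNotEquals evaluates to true when the key is absent, which is why the constructed variant pairs it with a Null condition.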

By implementing this solution, you can satisfy the PCI DSS 8.2.1 requirement, which states: "Assign all users a unique ID before allowing them to access system components or cardholder data." In this case, the unique ID is the combination of the IAM role/user ID and the unique session name enforced by the IAM policy. Note that this solution addresses the unique-account aspect of the requirement; you may need to consider other PCI DSS requirements related to access controls, logging, and monitoring to ensure comprehensive compliance.
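Because the audit trail for this control lives in CloudTrail, the following added example (not part of the article) shows how to attribute each SSM StartSession event to the IAM role and role-session name that opened it, and how to flag sessions that were opened under the shared placeholder name rather than a unique identity. The CloudTrail records are constructed for this example: the field names follow the CloudTrail record format for SSM StartSession, but the account id, role names, instance ids and session ids are made up.

```python
"""Added example (not from the article): attribute SSM StartSession CloudTrail
events to the role and role-session name that opened them, and flag sessions
whose identity is not unique to one person."""
from collections import defaultdict

PLACEHOLDER_NAME = "XXXX"  # the shared value the article's policy rejects

# Constructed CloudTrail records (not real log data). Field names follow the
# CloudTrail format for ssm:StartSession; all ids and ARNs are made up.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T09:12:03Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/EksNodeAccess-Alice/alice.smith",
        },
        "requestParameters": {"target": "i-0abc1234def567890"},
        "responseElements": {"sessionId": "alice.smith-0a1b2c3d4e5f6a7b8"},
    },
    {
        "eventTime": "2024-05-01T09:40:51Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/EksNodeAccess-Bob/bob.jones",
        },
        "requestParameters": {"target": "i-0abc1234def567890"},
        "responseElements": {"sessionId": "bob.jones-1b2c3d4e5f6a7b8c9"},
    },
    {
        "eventTime": "2024-05-01T10:02:17Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/EksNodeAccess-Shared/XXXX",
        },
        "requestParameters": {"target": "i-0fed9876cba543210"},
        "responseElements": {"sessionId": "XXXX-2c3d4e5f6a7b8c9d0"},
    },
    {   # an unrelated SSM call in the same trail; it must be ignored
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "DescribeInstanceInformation",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/EksNodeAccess-Alice/alice.smith",
        },
        "requestParameters": {},
        "responseElements": None,
    },
]


def parse_assumed_role_arn(arn):
    """Split an STS assumed-role ARN into (role name, role session name)."""
    # arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>
    resource = arn.split(":", 5)[5]
    kind, role, session_name = resource.split("/", 2)
    if kind != "assumed-role":
        raise ValueError(f"not an assumed-role ARN: {arn}")
    return role, session_name


def attribute_sessions(events):
    """Map each SSM session id to the identity, target node and time that opened it."""
    sessions = {}
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") != "StartSession":
            continue
        role, session_name = parse_assumed_role_arn(ev["userIdentity"]["arn"])
        sessions[ev["responseElements"]["sessionId"]] = {
            "role": role,
            "role_session_name": session_name,
            "target": ev["requestParameters"]["target"],
            "time": ev["eventTime"],
        }
    return sessions


def sessions_by_identity(events):
    """Group session ids by (role, role session name), the unique-ID pair the article relies on."""
    grouped = defaultdict(list)
    for session_id, info in attribute_sessions(events).items():
        grouped[(info["role"], info["role_session_name"])].append(session_id)
    return dict(grouped)


def non_unique_sessions(events, placeholder=PLACEHOLDER_NAME):
    """Session ids opened under the shared placeholder name, i.e. not attributable to one user."""
    return sorted(
        sid for sid, info in attribute_sessions(events).items()
        if info["role_session_name"] == placeholder
    )


if __name__ == "__main__":
    for (role, name), ids in sessions_by_identity(SAMPLE_EVENTS).items():
        print(f"{role}/{name}: {ids}")
    print("not uniquely attributable:", non_unique_sessions(SAMPLE_EVENTS))
```

To use it on real data, replace SAMPLE_EVENTS with the Records array of a CloudTrail log file; the grouping by (role, role session name) is the evidence an assessor would expect for 8.2.1, and a non-empty result from non_unique_sessions is the finding to investigate.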