In this post, we will explore how to secure an Amazon EKS cluster by applying infrastructure-as-code best practices and policy-driven guardrails. We will use Terraform to provision the infrastructure and Kyverno to enforce security policies inside the cluster.

1. The Foundation: Infrastructure as Code

To minimize the attack surface, we deploy a private EKS cluster: the Kubernetes API endpoint is not reachable from the public internet, so all kubectl and other management traffic has to enter through a VPN tunnel into the VPC. The Terraform setup consists of:

- VPC Networking: a /16 VPC with three /24 private subnets (for the control plane ENIs and the worker nodes) and one public subnet for ingress.
- Bastion-OpenVPN: a Terraform module that provides the VPN gateway into the private environment.
- EKS Node Groups: managed worker nodes with explicitly defined instance types, placed in the private subnets.

Note: this setup is for demonstration. For production-grade architectures, refer to the aws-ia reference modules to align with AWS best practices.

2.…
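The layout described above, as an added example that is not the post's own Terraform: a /16 VPC carved into three private /24 subnets and one public /24, an EKS cluster whose API endpoint is private-only, Secrets encrypted with a customer-managed KMS key, control-plane audit logging enabled, and a managed node group confined to the private subnets. The region, availability zones, Kubernetes version and instance type are assumed placeholders, and the IAM roles and KMS key are assumed to exist already and are passed in as variables. The internet gateway, NAT gateway, route tables and the OpenVPN bastion module are intentionally left out so the block stays focused on the cluster's exposure.

```hcl
# Added example (not the post's own code). Assumed: region, AZ list,
# Kubernetes version, instance type, and pre-existing IAM/KMS ARNs.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "eu-west-1" # assumed
}

variable "cluster_role_arn" { type = string } # assumed: existing EKS cluster IAM role
variable "node_role_arn"    { type = string } # assumed: existing worker node IAM role
variable "kms_key_arn"      { type = string } # assumed: CMK used to envelope-encrypt Secrets

locals {
  vpc_cidr = "10.0.0.0/16"
  azs      = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] # assumed
}

resource "aws_vpc" "this" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true # needed so the private API endpoint resolves inside the VPC
  tags                 = { Name = "eks-private" }
}

# Three /24 private subnets, one per AZ: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
resource "aws_subnet" "private" {
  count             = 3
  vpc_id            = aws_vpc.this.id
  cidr_block        = cidrsubnet(local.vpc_cidr, 8, count.index)
  availability_zone = local.azs[count.index]
  tags = {
    Name                              = "eks-private-${count.index}"
    "kubernetes.io/role/internal-elb" = "1"
  }
}

# One public /24 (10.0.100.0/24) for the ingress load balancer and the VPN bastion
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.this.id
  cidr_block              = cidrsubnet(local.vpc_cidr, 8, 100)
  availability_zone       = local.azs[0]
  map_public_ip_on_launch = true
  tags = {
    Name                     = "eks-public"
    "kubernetes.io/role/elb" = "1"
  }
}

resource "aws_eks_cluster" "this" {
  name     = "private-demo"
  role_arn = var.cluster_role_arn
  version  = "1.29" # assumed

  vpc_config {
    subnet_ids              = aws_subnet.private[*].id # control plane ENIs live in private subnets only
    endpoint_private_access = true
    endpoint_public_access  = false # the API server is unreachable from the internet
  }

  # Envelope-encrypt Kubernetes Secrets at rest with a customer-managed KMS key
  encryption_config {
    resources = ["secrets"]
    provider { key_arn = var.kms_key_arn }
  }

  # Ship API, audit and authenticator logs to CloudWatch for detection and forensics
  enabled_cluster_log_types = ["api", "audit", "authenticator"]
}

resource "aws_eks_node_group" "default" {
  cluster_name    = aws_eks_cluster.this.name
  node_group_name = "default"
  node_role_arn   = var.node_role_arn
  subnet_ids      = aws_subnet.private[*].id # workers never receive public IPs
  instance_types  = ["t3.medium"]            # assumed

  scaling_config {
    desired_size = 2
    min_size     = 1
    max_size     = 3
  }
}
```

After `terraform apply`, verify the exposure rather than trusting the plan: `aws eks describe-cluster --name private-demo --query 'cluster.resourcesVpcConfig.endpointPublicAccess'` must return `false`, and `kubectl get nodes` should only succeed once the VPN tunnel is up. Because the private subnets have no direct internet route, the nodes still need a NAT gateway (or VPC endpoints for ECR, S3, STS and EC2) to pull images and register with the control plane; that plumbing is the part omitted here.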