Skip to content

Managed Add-Ons

Amazon EKS add-ons provide supporting operational capabilities to Kubernetes applications. Installing add-ons to an EKS cluster can be done in the Console or using RCTL.

There are ten (10) EKS add-ons available in the Console. Some EKS add-ons are K8s version specific. For information about supported versions, see Amazon EKS Add-Ons.


  • The mandatory add-ons like Amazon VPC CNI, CoreDNS, and Kube-Proxy will be implicitly added to the cluster if they are not specified in the cluster configuration file during EKS cluster creation.

  • With AWS EKS version 1.24 and newer, the Amazon EBS CSI Driver is automatically included with the EKS cluster

  • The Amazon EBS CSI Driver requires IAM permissions

Install Add-Ons


  1. In the Console, select the EKS cluster to install add-ons to.
  2. On the Configuration tab, for EKS Managed Addons, click Add. Create EKS Managed Addon window appears
  3. Select the required add-on and version from the drop-down list

EKS Add-Ons

  1. Users are allowed to customize the addon at the time of addition. Configurable values can be utilized to tailor the add-on according to the user preferences. Click on Optional Configuration Values to add more configurable values. An illustrative example is given below where configuration values are added for the ADOT addon

EKS Add-Ons

  1. Click Save

Here is an example where the Amazon EBS CSI Driver, Amazon VPC CNI and ADOT addons are added

EKS Add-Ons

To add the Guard Duty Addon, user must enable the EKS Runtime Monitoring option in the AWS Console, as illustrated below

EKS Add-Ons

Required IAM Permissions for GuardDuty Managed Add-On

In addition to the IAM permissions documented here, the GuardDuty managed add-on requires the following additional IAM permissions

  • ec2:DescribeVpcEndpoints
  • ec2:CreateVpcEndpoint
  • ec2:DeleteVpcEndpoints


In the EKS cluster specification file, add the 'addons' section and include the appropriate add-ons. The following is an example.

- name: aws-ebs-csi-driver
  serviceAccountRoleARN: arn:aws:iam::123456789012:role/demo-ebs-csi
  version: v1.16.0-eksbuild.1
- name: vpc-cni
  version: v1.12.6-eksbuild.1
- name: kube-proxy
  version: v1.23.16-eksbuild.2


In clusters where the creation of Role permissions is restricted, the addon will be generated with policies inherited from the node.