
AWS EKS control plane authentication events referencing unknown account id

I'm posting this here for posterity, since this doesn't seem to be covered in any documentation or discussion anywhere.

After creating an EKS cluster via the AWS web console, I was seeing CloudWatch events originating from the EKS control plane that referenced an account ID that I didn't recognize. It was referencing the ARN of a Lambda script role... presumably submitting data to the Lambda script.

Example events (sanitized):

```
time="2022-06-02T17:21:31Z" level=info msg="STS response"
accesskeyid=<key_id> accountid=<account_id>
arn="arn:aws:sts::<account_id>:assumed-role/AWSWesleyClusterManagerLambda-NodeManagerRole-1W15HHFYBJTFL/1654190491588606273"
client="127.0.0.1:59652" method=POST path=/authenticate
session=1654190491588606273 userid=<user_id>

time="2022-06-02T17:21:31Z" level=info msg="access granted"
arn="arn:aws:iam::<account_id>:role/AWSWesleyClusterManagerLambda-NodeManagerRole-1W15HHFYBJTFL"
client="127.0.0.1:59652" groups="[]" method=POST path=/authenticate
uid="aws-iam-authenticator:<account_id>:<user_id>"
username="eks:node-manager"
```

I googled for any reference to this role name, but didn't turn up any results.

I then opened a case with AWS support to verify whether the events were referencing an account owned by AWS. It turns out they do own the account and use the Lambda scripts for monitoring the EKS cluster's health. The account_id on the events could differ, depending on where the EKS cluster is deployed.

The events originating from the EKS control plane that reference an external account_id belong to AWS. They use Lambda scripts for monitoring the EKS deployments.
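Since the AWS-owned account ID varies by region, allowlisting a single account number is brittle. A more durable check over the authenticator audit lines is to extract the account and role name from the ARN of every `/authenticate` event, treat your own account as trusted, treat only the specific role-name pattern and `username` that AWS support confirmed as expected, and flag everything else. The script below is an added example, not code from the original post or from AWS; the sample log lines are constructed to mirror the events quoted above (placeholder account IDs, with 222222222222 standing in for "my" account), and the `EXPECTED_EXTERNAL` mapping is an assumption you should populate only from what support has confirmed for your cluster.

```python
"""Flag aws-iam-authenticator /authenticate events whose principal lives in an account you do not own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample events modelled on the ones quoted in the question. Account IDs,
# key IDs and session IDs are placeholders; 222222222222 plays the role of "my" account.
SAMPLE_LOG = """\
time="2022-06-02T17:21:31Z" level=info msg="STS response" accesskeyid=ASIAEXAMPLEKEY accountid=111111111111 arn="arn:aws:sts::111111111111:assumed-role/AWSWesleyClusterManagerLambda-NodeManagerRole-1W15HHFYBJTFL/1654190491588606273" client="127.0.0.1:59652" method=POST path=/authenticate session=1654190491588606273 userid=AROAEXAMPLEUSER
time="2022-06-02T17:21:31Z" level=info msg="access granted" arn="arn:aws:iam::111111111111:role/AWSWesleyClusterManagerLambda-NodeManagerRole-1W15HHFYBJTFL" client="127.0.0.1:59652" groups="[]" method=POST path=/authenticate uid="aws-iam-authenticator:111111111111:AROAEXAMPLEUSER" username="eks:node-manager"
time="2022-06-02T17:25:02Z" level=info msg="access granted" arn="arn:aws:iam::222222222222:role/eks-admin" client="127.0.0.1:59700" groups="[system:masters]" method=POST path=/authenticate uid="aws-iam-authenticator:222222222222:AROAADMINUSER" username="admin"
time="2022-06-02T17:26:10Z" level=info msg="access granted" arn="arn:aws:iam::333333333333:role/SomeOtherRole" client="127.0.0.1:59711" groups="[system:masters]" method=POST path=/authenticate uid="aws-iam-authenticator:333333333333:AROAOTHERUSER" username="mystery"
"""

# Assumption: role-name prefix -> username that AWS support confirmed as AWS-operated
# cluster health monitoring. Keep this list to what you have verified yourself.
EXPECTED_EXTERNAL: Dict[str, str] = {
    "AWSWesleyClusterManagerLambda-NodeManagerRole-": "eks:node-manager",
}

# logrus-style key=value pairs; quoted values may contain spaces.
_LOGFMT = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Account ID and role name from either an STS assumed-role ARN or an IAM role ARN.
_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):(?:assumed-role|role)/([^/]+)")


@dataclass
class Finding:
    time: str
    msg: str
    account: str
    role: str
    username: Optional[str]
    verdict: str  # "own", "expected-external" or "unknown-external"


def parse_logfmt(line: str) -> Dict[str, str]:
    """Parse one authenticator log line into a key -> value dict."""
    return {key: quoted or bare for key, quoted, bare in _LOGFMT.findall(line)}


def split_arn(arn: str) -> Optional[Tuple[str, str]]:
    """Return (account_id, role_name) for an IAM/STS role ARN, or None if it is not one."""
    m = _ARN.match(arn)
    return (m.group(1), m.group(2)) if m else None


def classify(event: Dict[str, str], own_accounts: Set[str],
             expected_external: Dict[str, str]) -> Optional[Finding]:
    """Decide whether one /authenticate event comes from an account we expect."""
    if event.get("path") != "/authenticate" or "arn" not in event:
        return None
    parsed = split_arn(event["arn"])
    if parsed is None:
        return None
    account, role = parsed
    username = event.get("username")  # absent on the "STS response" event
    if account in own_accounts:
        verdict = "own"
    else:
        verdict = "unknown-external"
        for prefix, expected_user in expected_external.items():
            # The "access granted" event must also carry the confirmed username.
            if role.startswith(prefix) and (username is None or username == expected_user):
                verdict = "expected-external"
                break
    return Finding(event.get("time", ""), event.get("msg", ""), account, role, username, verdict)


def audit(log_text: str, own_accounts: Set[str],
          expected_external: Dict[str, str] = EXPECTED_EXTERNAL) -> List[Finding]:
    """Classify every /authenticate event in a chunk of authenticator log output."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_logfmt(line), own_accounts, expected_external)
        if finding is not None:
            findings.append(finding)
    return findings


def unknown_external(findings: List[Finding]) -> List[Finding]:
    """The findings worth an alert: foreign accounts not matching a confirmed AWS role."""
    return [f for f in findings if f.verdict == "unknown-external"]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, {"222222222222"}):
        print(f"{f.time} {f.verdict:17} account={f.account} role={f.role} user={f.username}")
```

Feed it the `authenticator` stream from the cluster's CloudWatch log group (with control-plane logging enabled) and the set of account IDs you actually own. The two events quoted in the question classify as expected, your own admin role classifies as own, and the constructed `SomeOtherRole` from a fourth account is the one that surfaces for investigation; note that the `uid` field also carries the account ID and can be cross-checked against the ARN if you want a second source of truth.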
