diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
index 5e5efdc20..2c6c0dcd4 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
@@ -81,6 +81,40 @@ spec:
 max: 65535
 readOnlyRootFilesystem: false
 ---
+# aws-node requires the NET_RAW capability. To ensure this is restricted to one deployment this PSP
+# was created.
+# Relevant until https://github.com/aws/amazon-vpc-cni-k8s/issues/796 is merged.
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: aws-node
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ labels:
+ kubernetes.io/cluster-service: "true"
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - NET_BIND_SERVICE
+ - NET_ADMIN
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -104,6 +138,17 @@ rules:
 - restricted
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:aws-node
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - aws-node
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: default:restricted
@@ -134,9 +179,6 @@ subjects:
 - kind: ServiceAccount
 name: kube-proxy
 namespace: kube-system
-- kind: ServiceAccount
- name: aws-node
- namespace: kube-system
 - kind: ServiceAccount
 name: sonarqube-sonarqube
 namespace: sonarqube
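Review bot: The header comment of the new `aws-node` PodSecurityPolicy says it exists to confine the NET_RAW capability to one deployment, but NET_RAW is not in `allowedCapabilities` and the spec instead grants `privileged: true`, `hostPID: true`, `hostIPC: true`, `volumes: ['*']` and an unrestricted seccomp profile, which is far more than a single capability (a privileged pod already has every capability, so the explicit NET_BIND_SERVICE/NET_ADMIN entries add nothing). If privileged really is required until the linked upstream issue is resolved, the comment should state that and name the host-level access being granted; if it is not, the narrower form would be `privileged: false` with `allowedCapabilities: [NET_ADMIN, NET_RAW]`, and I cannot tell from this diff whether aws-node needs `hostPID` or `hostIPC` at all, so each deserves either a why-comment or removal. `is merged` also reads oddly for an issue link; `is resolved` fits. Suggested replacement for the first two comment lines: `# aws-node currently needs a privileged pod with host networking (NET_RAW/NET_ADMIN); this PSP exists so that only the aws-node ServiceAccount is authorised to use it.`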
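Review bot: In the new `psp:aws-node` ClusterRole the `resourceNames` list is written in block style while `apiGroups`, `resources` and `verbs` in the same rule are flow style; pick one form per rule, e.g. `resourceNames: ['aws-node']`. The preceding role in the file uses the block form `- restricted` for the same field, so the mix may be inherited; if it is kept for consistency, a short comment above `rules:` such as `# 'use' on the privileged aws-node PSP only; bound solely to the aws-node ServiceAccount.` would at least record why this role exists separately from the restricted one.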
@@ -170,3 +212,16 @@ subjects:
 - kind: Group
 name: system:serviceaccounts:opa
 apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: default:aws-node
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:aws-node
+subjects:
+- kind: ServiceAccount
+ name: aws-node
+ namespace: kube-system
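Review bot: Nothing in the `default:aws-node` ClusterRoleBinding records that its single-entry `subjects` list is the control that keeps the privileged aws-node PSP scoped to one workload; add a comment above `metadata:` such as `# Only the aws-node ServiceAccount may use the privileged aws-node PSP; do not add further subjects here.`. The commit removes aws-node only from the restricted binding's explicit subjects (the `-134,9` hunk); the file also binds group subjects such as `system:serviceaccounts:opa`, and if any group-scoped binding covers kube-system service accounts this ServiceAccount would be authorised for both policies, which is not visible from this diff and worth confirming.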