With AWS IAM Roles for service accounts (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), you can now manage all IAM role access through container service accounts, which makes the instance metadata endpoint a security liability. AWS recommends disabling access to it (https://docs.aws.amazon.com/eks/latest/userguide/restrict-ec2-credential-access.html), but you can also do this with Calico.
Install Calico (https://docs.aws.amazon.com/eks/latest/userguide/calico.html) and calicoctl (https://github.com/projectcalico/calicoctl). Then set the environment variables that let calicoctl talk to the EKS cluster:
export CALICO_DATASTORE_TYPE=kubernetes
export CALICO_KUBECONFIG=~/.kube/config
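One way to express the block as a Calico policy, shown as an added example that is not from the original page. The policy name and the file name deny-instance-metadata.yaml are assumptions; 169.254.169.254 is the EC2 instance metadata address. Save it and apply it with calicoctl apply -f deny-instance-metadata.yaml.

```yaml
# Added example (not from the original page): deny pod egress to the
# EC2 instance metadata endpoint, allow all other egress.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-instance-metadata   # hypothetical name
spec:
  # A low order value means this policy is evaluated early in the tier.
  order: 10
  # all() selects every workload endpoint, i.e. pods in every namespace.
  # Pods running with hostNetwork: true share the node's network
  # namespace, are not workload endpoints, and are not covered here.
  selector: all()
  types:
    - Egress
  egress:
    # Rules are evaluated top to bottom; the first match wins.
    - action: Deny
      destination:
        nets:
          - 169.254.169.254/32
    # Without a trailing Allow, every selected pod would lose all egress,
    # because an endpoint selected by a policy is default-deny for
    # traffic that no rule matches.
    # Caveat: Allow is terminal, so egress policies evaluated after this
    # one no longer apply to the selected pods. Narrow the selector if
    # you depend on other egress policies.
    - action: Allow
```

To confirm the policy took effect, request http://169.254.169.254/latest/meta-data/ from a test pod that uses an IAM role for its service account; the request should time out while the pod's AWS API calls keep working.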