AWS Security ChangesHomeSearch

AWS eks medium security documentation change

Service: eks · 2025-04-03 · Security-related medium

File: eks/latest/userguide/windows-support.md

Summary

Added documentation about EKS Access Entries requirements for Windows nodes, including IAM role considerations and CLI command example for creating EC2_WINDOWS type access entries. Expanded prerequisites section with Windows IPAM configuration steps and RBAC permission checks.

Security assessment

The changes explicitly address IAM role requirements, access entry types (EC2_WINDOWS), and RBAC permission groups. These are security controls for managing cluster access and node permissions.

Diff

diff --git a/eks/latest/userguide/windows-support.md b/eks/latest/userguide/windows-support.md
index 7bf6ba457..01dbebe30 100644
--- a//eks/latest/userguide/windows-support.md
+++ b//eks/latest/userguide/windows-support.md
@@ -5 +5 @@
-Enable Windows supportDeploy Windows PodsSupport higher Pod density on Windows nodes
+ConsiderationsPrerequisitesEnable Windows supportDeploy Windows PodsSupport higher Pod density on Windows nodes
@@ -12,0 +13,4 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t
+Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers.
+
+## Considerations
+
@@ -46,0 +51,15 @@ Before deploying Windows nodes, be aware of the following considerations.
+  * Considerations for EKS Access Entries
+
+    * If you use a different Node IAM Role for Windows instances, EKS will automatically create the required Windows Access Entry.
+
+    * Access Entries for use with Windows nodes need the type of `EC2_WINDOWS`. For more information, see [Create access entries](./creating-access-entries.html).
+
+To create an access entry for a Windows node:
+        
+                aws eks create-access-entry --cluster-name my-cluster --principal-arn arn:aws:iam::111122223333:role/<role-name> --type EC2_Windows
+
+
+
+
+## Prerequisites
+
@@ -85 +104,3 @@ If the policy is attached, as it is in the previous output, skip the next step.
-  3. Create a file named `vpc-resource-controller-configmap.yaml` with the following contents.
+  3. Update the VPC CNI ConfigMap to enable Windows IPAM:
+
+    1. Create a file named `vpc-resource-controller-configmap.yaml` with the following contents.
@@ -95 +116 @@ If the policy is attached, as it is in the previous output, skip the next step.
-  4. Apply the `ConfigMap` to your cluster.
+    2. Apply the `ConfigMap` to your cluster.
@@ -99 +120,3 @@ If the policy is attached, as it is in the previous output, skip the next step.
-  5. Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the Windows node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command.
+  4. If your cluster has the authentication mode set to enable the `aws-auth` configmap:
+
+     * Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the Windows node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command.
@@ -121,0 +145,2 @@ You should see `eks:kube-proxy-windows` listed under groups. If the group isn’
+  5. If your cluster has the authentication mode set to disable the `aws-auth` configmap, then you can use EKS Access Entries. Create a new node role for use with Windows instances, and EKS will automatically create an access entry of type `EC2_WINDOWS`.
+