AWS Security ChangesHomeSearch

AWS eks medium security documentation change

Service: eks · 2025-06-22 · Security-related medium

File: eks/latest/userguide/auto-controls.md

Summary

Updated SCP example documentation with note about avoiding ec2:Owner context key, changed section headers to lowercase, and added ODCR deployment control section

Security assessment

The change explicitly warns against using ec2:Owner context key in security policies, which could lead to AMI validation bypass if misconfigured. This addresses a potential security misconfiguration by providing correct policy examples.

Diff

diff --git a/eks/latest/userguide/auto-controls.md b/eks/latest/userguide/auto-controls.md
index 72c5ce99e..2b4a3c2de 100644
--- a//eks/latest/userguide/auto-controls.md
+++ b//eks/latest/userguide/auto-controls.md
@@ -5 +5 @@
-Example SCP to block all AMIs except for EKS Auto Mode AMIsEKS Auto Mode AMI Accounts
+Example SCP to block all AMIs except for EKS Auto Mode AMIsEKS Auto Mode AMI accounts
@@ -11 +11 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t
-# Update Organization Controls for EKS Auto Mode
+# Update organization controls for EKS Auto Mode
@@ -22,0 +23,2 @@ The SCP below prevents calling `ec2:RunInstances` unless the AMI belongs to the
+###### Note
+
@@ -46 +48 @@ It’s important **not** to use the `ec2:Owner` context key. Amazon owns the EKS
-## EKS Auto Mode AMI Accounts
+## EKS Auto Mode AMI accounts
@@ -93 +95 @@ Encrypt root volumes
-How it works
+Control ODCR Deployment