AWS eks medium security documentation change
Summary
Updated SCP example documentation with note about avoiding ec2:Owner context key, changed section headers to lowercase, and added ODCR deployment control section
Security assessment
The change explicitly warns against using ec2:Owner context key in security policies, which could lead to AMI validation bypass if misconfigured. This addresses a potential security misconfiguration by providing correct policy examples.
Diff
diff --git a/eks/latest/userguide/auto-controls.md b/eks/latest/userguide/auto-controls.md index 72c5ce99e..2b4a3c2de 100644 --- a//eks/latest/userguide/auto-controls.md +++ b//eks/latest/userguide/auto-controls.md @@ -5 +5 @@ -Example SCP to block all AMIs except for EKS Auto Mode AMIsEKS Auto Mode AMI Accounts +Example SCP to block all AMIs except for EKS Auto Mode AMIsEKS Auto Mode AMI accounts @@ -11 +11 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t -# Update Organization Controls for EKS Auto Mode +# Update organization controls for EKS Auto Mode @@ -22,0 +23,2 @@ The SCP below prevents calling `ec2:RunInstances` unless the AMI belongs to the +###### Note + @@ -46 +48 @@ It’s important **not** to use the `ec2:Owner` context key. Amazon owns the EKS -## EKS Auto Mode AMI Accounts +## EKS Auto Mode AMI accounts @@ -93 +95 @@ Encrypt root volumes -How it works +Control ODCR Deployment