AWS Security ChangesHomeSearch

AWS eks high security documentation change

Service: eks · 2025-06-22 · Security-related high

File: eks/latest/userguide/pod-identities.md

Summary

Updated EKS Pod Identity documentation with association limits, IAM role details, agent configuration (ports/IPv6), eventual consistency guidance, proxy considerations, and security group requirements

Security assessment

Added explicit requirement to configure no_proxy settings for pod identity agent IP addresses to prevent credential leakage through proxies. This addresses a potential security vulnerability where sensitive credentials could be exposed through misconfigured proxy routing. Also added security group enforcement mode requirements to ensure proper network isolation.

Diff

diff --git a/eks/latest/userguide/pod-identities.md b/eks/latest/userguide/pod-identities.md
index ce215ac58..31ffb45af 100644
--- a//eks/latest/userguide/pod-identities.md
+++ b//eks/latest/userguide/pod-identities.md
@@ -68 +68 @@ Turn on EKS Pod Identities by completing the following procedures:
-  * You can associate one IAM role to each Kubernetes service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association.
+  * **Pod Identity Association Limit** : You can create up to 5,000 EKS Pod Identity associations per cluster to map IAM roles to Kubernetes service accounts.
@@ -70 +70 @@ Turn on EKS Pod Identities by completing the following procedures:
-  * You can only associate roles that are in the same AWS account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and `AssumeRole`, see [Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the _IAM User Guide_.
+  * **IAM Role Association** : Each Kubernetes service account in a cluster can be associated with one IAM role from the same AWS account as the cluster. To change the role, edit the EKS Pod Identity association. For cross-account access, delegate access to the role using IAM roles. To learn more, see [Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the _IAM User Guide_.
@@ -72 +72 @@ Turn on EKS Pod Identities by completing the following procedures:
-  * The EKS Pod Identity Agent is required. It runs as a Kubernetes `DaemonSet` on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section EKS Pod Identity restrictions.
+  * **EKS Pod Identity Agent** : The Pod Identity Agent is required to use EKS Pod Identity. The agent runs as a Kubernetes `DaemonSet` on cluster nodes, providing credentials only to pods on the same node. It uses the node’s `hostNetwork`, occupying port `80` and `2703` on the link-local address (`169.254.170.23` for IPv4, `[fd00:ec2::23]` for IPv6). If IPv6 is disabled in your cluster, disable IPv6 for the Pod Identity Agent. To learn more, see [Disable IPv6 in the EKS Pod Identity Agent](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-config-ipv6.html).
@@ -74 +74 @@ Turn on EKS Pod Identities by completing the following procedures:
-  * Similar to AWS IAM behavior, EKS Pod Identity associations are _eventually consistent_ , and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don’t include Pod Identity association create/updates in the critical, high-availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently.
+  * **Eventual Consistency** : EKS Pod Identity associations are eventually consistent, with potential delays of several seconds after API calls. Avoid creating or updating associations in critical, high-availability code paths. Instead, perform these actions in separate, less frequent initialization or setup routines. To learn more, see [Security Groups Per Pod](https://docs.aws.amazon.com/eks/latest/best-practices/sgpp.html) in the _EKS Best Practices Guide_.
@@ -76,9 +76 @@ Turn on EKS Pod Identities by completing the following procedures:
-  * If you are using Security Group for Pods along with Pod Identity Agent, you may need to set the `POD_SECURITY_GROUP_ENFORCING_MODE` Flag for the AWS VPC CNI. For more information on security group for pods considerations, see [Assign security groups to individual Pods](./security-groups-for-pods.html).
-
-  * The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for IPv4 and `[fd00:ec2::23]` for IPv6 clusters.
-
-If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can’t start. To start the agent on nodes that can’t use `IPv6`, follow the steps in [Disable IPv6 in the EKS Pod Identity Agent](./pod-id-agent-config-ipv6.html) to disable the `IPv6` configuration.
-
-  * If your Pods use a proxy, you must ensure you add `169.254.170.23` for IPv4 and `[fd00:ec2::23]` for IPv6 in the `no_proxy`/`NO_PROXY` environment variables injected into the pods. Otherwise requests from the application pods to the `eks-pod-identity-agent` DaemonSets would fail as the requests would be sent to the proxy and the proxy wouldn’t be able to route the IP.
-
-  * To find the suggested version of the Amazon EKS Pod Identity Agent for a Kubernetes version, see [Verify Amazon EKS add-on version compatibility with a cluster](./addon-compat.html).
+  * **Proxy and Security Group Considerations** : For pods using a proxy, add `169.254.170.23` (IPv4) and `[fd00:ec2::23]` (IPv6) to the `no_proxy/NO_PROXY` environment variables to prevent failed requests to the EKS Pod Identity Agent. If using Security Groups for Pods with the AWS VPC CNI, set the `ENABLE_POD_ENI` flag to ‘true’ and the `POD_SECURITY_GROUP_ENFORCING_MODE` flag to ‘standard’. To learn more, see [Assign security groups to individual Pods](https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html).
@@ -91 +83 @@ If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addres
-To use EKS Pod Identities, the cluster must have a platform version that is the same or later than the version listed in the following table, or a Kubernetes version that is later than the versions listed in the table.
+To use EKS Pod Identity, the cluster must have a platform version that is the same or later than the version listed in the following table, or a Kubernetes version that is later than the versions listed in the table. To find the suggested version of the Amazon EKS Pod Identity Agent for a Kubernetes version, see [Verify Amazon EKS add-on version compatibility with a cluster](./addon-compat.html).