AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-06-25 · Documentation low

File: eks/latest/userguide/workloads-add-ons-available-eks.md

Summary

Updated link formatting for multiple IAM policy references (AmazonS3FullAccess, AWSXrayWriteOnlyAccess, CloudWatchAgentServerPolicy)

Security assessment

Changes only modify link syntax while maintaining existing security guidance about IAM policy requirements. No new security issues are introduced or addressed.

Diff

diff --git a/eks/latest/userguide/workloads-add-ons-available-eks.md b/eks/latest/userguide/workloads-add-ons-available-eks.md
index 52911e6ac..f321b648f 100644
--- a//eks/latest/userguide/workloads-add-ons-available-eks.md
+++ b//eks/latest/userguide/workloads-add-ons-available-eks.md
@@ -209 +209 @@ This add-on uses the IAM roles for service accounts capability of Amazon EKS. Fo
-The IAM role that is created will require a policy that gives access to S3. Follow the [Mountpoint IAM permissions recommendations](https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions) when creating the policy. Alternatively, you may use the AWS managed policy [AmazonS3FullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AmazonS3FullAccess$jsonEditor), but this managed policy grants more permissions than are needed for Mountpoint.
+The IAM role that is created will require a policy that gives access to S3. Follow the [Mountpoint IAM permissions recommendations](https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions) when creating the policy. Alternatively, you may use the AWS managed policy link:iam/home?#/policies/arn:aws:iam::aws:policy/AmazonS3FullAccess$jsonEditor[AmazonS3FullAccess,type="console"], but this managed policy grants more permissions than are needed for Mountpoint.
@@ -354 +354 @@ The Amazon EKS add-on name is `amazon-cloudwatch-observability`.
-This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see [IAM roles for service accounts](./iam-roles-for-service-accounts.html). The permissions in the [AWSXrayWriteOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess) and [CloudWatchAgentServerPolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy) AWS managed policies are required. You can create an IAM role, attach the managed policies to it, and annotate the Kubernetes service account used by the add-on with the following command. Replace `my-cluster` with the name of your cluster and `AmazonEKS_Observability_role` with the name for your role. This command requires that you have [eksctl](https://eksctl.io) installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the Kubernetes service account, see [Assign IAM roles to Kubernetes service accounts](./associate-service-account-role.html).
+This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see [IAM roles for service accounts](./iam-roles-for-service-accounts.html). The permissions in the link:iam/home#/policies/arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess[AWSXrayWriteOnlyAccess,type="console"] and link:iam/home#/policies/arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy[CloudWatchAgentServerPolicy,type="console"] AWS managed policies are required. You can create an IAM role, attach the managed policies to it, and annotate the Kubernetes service account used by the add-on with the following command. Replace `my-cluster` with the name of your cluster and `AmazonEKS_Observability_role` with the name for your role. This command requires that you have [eksctl](https://eksctl.io) installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the Kubernetes service account, see [Assign IAM roles to Kubernetes service accounts](./associate-service-account-role.html).