AWS Security ChangesHomeSearch

AWS eks medium security documentation change

Service: eks · 2025-07-13 · Security-related medium

File: eks/latest/userguide/iam-roles-for-service-accounts.md

Summary

Added warnings about container security boundaries and IMDS access

Security assessment

Explicitly highlights risks of shared node permissions and clarifies credential isolation requirements. Mitigates potential misconfiguration leading to privilege escalation.

Diff

diff --git a/eks/latest/userguide/iam-roles-for-service-accounts.md b/eks/latest/userguide/iam-roles-for-service-accounts.md
index 863a067fd..c664e77c3 100644
--- a//eks/latest/userguide/iam-roles-for-service-accounts.md
+++ b//eks/latest/userguide/iam-roles-for-service-accounts.md
@@ -1 +1 @@
-[](/pdfs/eks/latest/userguide/eks-ug.pdf#iam-roles-for-service-accounts "Open PDF")[](https://github.com/awsdocs/amazon-eks-user-guide/tree/mainline/latest/ug/aws-access/iam-roles-for-service-accounts.xml "Edit this page on GitHub")
+[](/pdfs/eks/latest/userguide/eks-ug.pdf#iam-roles-for-service-accounts "Open PDF")[](https://github.com/awsdocs/amazon-eks-user-guide/tree/mainline/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc "Edit this page on GitHub")
@@ -19 +19,8 @@ IAM roles for service accounts provide the following benefits:
-  * **Credential isolation** – A Pod’s containers can only retrieve credentials for the IAM role that’s associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other Pods. When using IAM roles for service accounts, the Pod’s containers also have the permissions assigned to the [Amazon EKS node IAM role](./create-node-role.html), unless you block Pod access to the [Amazon EC2 Instance Metadata Service (IMDS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html). For more information, see [Restrict access to the instance profile assigned to the worker node](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node).
+  * **Credential isolation** – When access to the [Amazon EC2 Instance Metadata Service (IMDS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) is restricted, a Pod’s containers can only retrieve credentials for the IAM role that’s associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other Pods. If IMDS is not restricted, the Pod’s containers also have access to the [Amazon EKS node IAM role](./create-node-role.html) and the containers may be able to gain access to credentials of IAM roles of other Pods on the same node. For more information, see [Restrict access to the instance profile assigned to the worker node](https://docs.aws.amazon.com/eks/latest/best-practices/identity-and-access-management.html#_identities_and_credentials_for_eks_pods_recommendations).
+
+
+
+
+###### Note
+
+Pods configured with `hostNetwork: true` will always have IMDS access, but the AWS SDKs and CLI will use IRSA credentials when enabled.
@@ -25,0 +33,4 @@ IAM roles for service accounts provide the following benefits:
+###### Important
+
+Containers are not a security boundary, and the use of IAM roles for service accounts does not change this. Pods assigned to the same node will share a kernel and potentially other resources depending on your Pod configuration. While Pods running on separate nodes will be isolated at the compute layer, there are node applications that have additional permissions in the Kubernetes API beyond the scope of an individual instance. Some examples are `kubelet`, `kube-proxy`, CSI storage drivers, or your own Kubernetes applications.
+