AWS eks medium security documentation change
Summary
Updated IMDSv2 configuration details for AL2023 node groups
Security assessment
Clarifies security-critical IMDSv2 hop limit behavior (defaults to 1 without launch template, 2 with custom AMI). Helps prevent accidental credential exposure through container access to node metadata.
Diff
diff --git a/eks/latest/userguide/al2023.md b/eks/latest/userguide/al2023.md index 6363e537e..375681679 100644 --- a//eks/latest/userguide/al2023.md +++ b//eks/latest/userguide/al2023.md @@ -54 +54,7 @@ In AL2, the metadata from these parameters was discovered from the Amazon EKS `D -For `IMDSv2`, the default hop count for managed node groups is set to 1. This means that containers won’t have access to the node’s credentials using IMDS. If you require container access to the node’s credentials, you can still do so by manually overriding the `HttpPutResponseHopLimit` in a [custom Amazon EC2 launch template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-metadataoptions.html), increasing it to 2.Alternatively, you can use [Amazon EKS Pod Identity](./pod-identities.html) to provide credentials instead of `IMDSv2`. +For `IMDSv2` with AL2023, the default hop count for managed node groups can vary: + + * When not using a launch template, the default is set to `1`. This means that containers won’t have access to the node’s credentials using IMDS. If you require container access to the node’s credentials, you can still do so by using a [custom Amazon EC2 launch template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-metadataoptions.html). + + * When using a custom AMI in a launch template, the default `HttpPutResponseHopLimit` is set to `2`. You can manually override the `HttpPutResponseHopLimit` in the launch template. + +Alternatively, you can use [Amazon EKS Pod Identity](./pod-identities.html) to provide credentials instead of `IMDSv2`.