AWS eks medium security documentation change
Summary
Updated IMDSv2 guidance and added default hop limit note for custom AMIs
Security assessment
Clarifies security configuration for metadata access controls. Removes outdated default behavior statement and adds explicit guidance about HttpPutResponseHopLimit defaults when using custom AMIs, helping prevent misconfigurations.
Diff
diff --git a/eks/latest/userguide/launch-templates.md b/eks/latest/userguide/launch-templates.md index d00095004..7ecc5a72b 100644 --- a//eks/latest/userguide/launch-templates.md +++ b//eks/latest/userguide/launch-templates.md @@ -64 +64 @@ You can’t specify source security groups that are allowed remote access when u - * If any containers that you deploy to the node group use the Instance Metadata Service Version 2, make sure to set the **Metadata response hop limit** to `2` in your launch template. For more information, see [Instance metadata and user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the _Amazon EC2 User Guide_. If you deploy a managed node group without using a custom launch template, this value is automatically set for the node group in the default launch template. + * If any containers that you deploy to the node group use the Instance Metadata Service Version 2, make sure to set the **Metadata response hop limit** to `2` in your launch template. For more information, see [Instance metadata and user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the _Amazon EC2 User Guide_. @@ -466,0 +467,2 @@ The following are the limits and conditions involved with specifying an AMI ID w + * For any AMI that uses a custom launch template, the default `HttpPutResponseHopLimit` for managed node groups is set to `2`. +