AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-07-25 · Documentation low

File: eks/latest/userguide/service-accounts.md

Summary

Added recommendation to use EKS Pod Identities over IRSA and clarified STS API quota usage differences

Security assessment

Promotes EKS Pod Identity as preferred method for credential management, which reduces STS API usage and potential throttling risks. While this improves operational reliability, there is no evidence of addressing a specific security vulnerability.

Diff

diff --git a/eks/latest/userguide/service-accounts.md b/eks/latest/userguide/service-accounts.md
index 87e6893ee..c8d3b91d5 100644
--- a//eks/latest/userguide/service-accounts.md
+++ b//eks/latest/userguide/service-accounts.md
@@ -94,0 +95,4 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss
+###### Note
+
+AWS recommends using EKS Pod Identities to grant access to AWS resources to your pods whenever possible. For more information, see [Learn how EKS Pod Identity grants pods access to AWS services](./pod-identities.html).
+
@@ -99,0 +104 @@ Role scalability |  EKS Pod Identity doesn’t require users to define trust rel
+STS API Quota Usage |  EKS Pod Identity simplifies delivery of AWS credentials to your pods, and does not require your code make calls with the AWS Security Token Service (STS) directly. The EKS service handles role assumption, and delivers credentials to applications written using the AWS SDK in your pods without your pods communicating with AWS STS or using STS API Quota. |  In IRSA, applications written using the AWS SDK in your pods use tokens to call the `AssumeRoleWithWebIdentity` API on the AWS Security Token Service (STS). Depending on the logic of your code on the AWS SDK, it is possible for your code to make unneccesarry calls to AWS STS and receive throttling errors.