AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-08-10 · Documentation low

File: eks/latest/userguide/automode.md

Summary

Added 'Shared responsibility model' section detailing security responsibilities between AWS and customers in EKS Auto Mode. Enhanced security section with details about immutable AMIs, SELinux controls, and node lifecycle management.

Security assessment

The changes explicitly document security responsibilities and hardening measures (immutable AMIs, SELinux, read-only root) but do not indicate remediation of a specific vulnerability. Focuses on clarifying security posture and shared responsibilities rather than addressing a disclosed issue.

Diff

diff --git a/eks/latest/userguide/automode.md b/eks/latest/userguide/automode.md
index 8c355ab5f..a24192317 100644
--- a//eks/latest/userguide/automode.md
+++ b//eks/latest/userguide/automode.md
@@ -5 +5 @@
-FeaturesAutomated ComponentsConfiguration
+FeaturesAutomated ComponentsConfigurationShared responsibility model
@@ -29 +29 @@ EKS Auto Mode provides the following high-level features:
-**Security** : EKS Auto Mode uses AMIs that are treated as immutable for your nodes. These AMIs enforce locked-down software, enable SELinux mandatory access controls, and provide read-only root file systems. Additionally, nodes launched by EKS Auto Mode have a maximum lifetime of 21 days (which you can reduce), after which they are automatically replaced with new nodes. This approach enhances your security posture by regularly cycling nodes, aligning with best practices already adopted by many customers.
+**Security** : EKS Auto Mode uses AMIs that are treated as immutable, for your nodes. These AMIs enforce locked-down software, enable SELinux mandatory access controls, and provide read-only root file systems. Additionally, nodes launched by EKS Auto Mode have a maximum lifetime of 21 days (which you can reduce), after which they are automatically replaced with new nodes. This approach enhances your security posture by regularly cycling nodes, aligning with best practices already adopted by many customers.
@@ -94,0 +95,27 @@ For more information about options for configuring EKS Auto Mode, see [Configure
+## Shared responsibility model
+
+The AWS Shared Responsibility Model defines security and compliance responsibilities between AWS and customers. The images and text below compare and contrast how customer and AWS responsibilities differ between EKS Auto Mode and EKS standard mode.
+
+![Shared responsibility model with EKS Auto Mode and standard mode](/images/eks/latest/userguide/images/eksautosrm.png)
+
+EKS Auto Mode shifts much of the shared responsibility for Kubernetes infrastructure from customers to AWS. With EKS Auto Mode, AWS takes on more responsibility for cloud security, which was once the customer’s responsibility and is now shared. Customers can now focus more on their applications while AWS manages the underlying infrastructure.
+
+**Customer responsibility**
+
+Under EKS Auto Mode, customers continue to maintain responsibility for the application containers, including availability, security, and monitoring. They also maintain control over VPC infrastructure and EKS cluster configuration. This model lets customers concentrate on application-specific concerns while delegating cluster infrastructure management to AWS. Optional per-node features can be included in clusters through AWS add-ons.
+
+**AWS responsibility**
+
+With EKS Auto Mode, AWS expands its responsibility to include the management of several additional critical components compared to those already managed in EKS clusters not using Auto Mode. In particular, EKS Auto Mode takes over the configuration, management, security, and scaling of the EC2 instances launched as well as cluster capabilities for load balancing, IP address management, networking policy, and block storage. The following components are managed by AWS in EKS Auto Mode:
+
+  * **Auto Mode-launched EC2 Instances** : AWS handles the complete lifecycle of nodes by leveraging Amazon EC2 managed instances. EC2 managed instances take responsibility for operating system configuration, patching, monitoring, and health maintenance. In this model, both the instance itself and the guest operating system running on it are the responsibility of AWS. The nodes use variants of [Bottlerocket](https://aws.amazon.com/bottlerocket) AMIs that are optimized to run containers. The Bottlerocket AMIs have locked-down software, immutable root file systems, and secure network access (to prevent direct communications through SSH or SSM).
+
+  * **Cluster Capabilities** : AWS manages compute autoscaling, Pod networking with network policy enforcement, Elastic Load Balancing integration, and storage drivers configuration.
+
+  * **Cluster Control Plane** : AWS continues to manage the Kubernetes API server, cross-account ENIs, and the etcd database, as with standard EKS.
+
+  * **Foundation Services and Global Infrastructure** : AWS maintains responsibility for the underlying compute, storage, networking, and monitoring services, as well as the global infrastructure of regions, local zones, and edge locations.
+
+
+
+