AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-11-22 · Documentation medium

File: eks/latest/userguide/security-iam-awsmanpol.md

Summary

Added documentation for AmazonEKSMCPReadOnlyAccess managed policy with detailed permissions

Security assessment

Introduces a new IAM policy focused on read-only access for observability, which enhances security through principle of least privilege but does not indicate resolution of a specific security vulnerability. The policy documentation improves security awareness of access controls.

Diff

diff --git a/eks/latest/userguide/security-iam-awsmanpol.md b/eks/latest/userguide/security-iam-awsmanpol.md
index 25ced8ce0..3c252f028 100644
--- a//eks/latest/userguide/security-iam-awsmanpol.md
+++ b//eks/latest/userguide/security-iam-awsmanpol.md
@@ -5 +5 @@
-AWS managed policy: AmazonEKS_CNI_PolicyAWS managed policy: AmazonEKSClusterPolicyAWS managed policy: AmazonEKSDashboardConsoleReadOnlyAWS managed policy: AmazonEKSFargatePodExecutionRolePolicyAWS managed policy: AmazonEKSConnectorServiceRolePolicyAWS managed policy: AmazonEKSForFargateServiceRolePolicyAWS managed policy: AmazonEKSComputePolicyAWS managed policy: AmazonEKSNetworkingPolicyAWS managed policy: AmazonEKSBlockStoragePolicyAWS managed policy: AmazonEKSLoadBalancingPolicyAWS managed policy: AmazonEKSServicePolicyAWS managed policy: AmazonEKSServiceRolePolicyAWS managed policy: AmazonEKSVPCResourceControllerAWS managed policy: AmazonEKSWorkerNodePolicyAWS managed policy: AmazonEKSWorkerNodeMinimalPolicyAWS managed policy: AWSServiceRoleForAmazonEKSNodegroupAWS managed policy: AmazonEKSDashboardServiceRolePolicyAWS managed policy: AmazonEBSCSIDriverPolicyAWS managed policy: AmazonEFSCSIDriverPolicyAWS managed policy: AmazonEKSLocalOutpostClusterPolicyAWS managed policy: AmazonEKSLocalOutpostServiceRolePolicyAmazon EKS updates to AWS managed policies
+AWS managed policy: AmazonEKS_CNI_PolicyAWS managed policy: AmazonEKSClusterPolicyAWS managed policy: AmazonEKSDashboardConsoleReadOnlyAWS managed policy: AmazonEKSFargatePodExecutionRolePolicyAWS managed policy: AmazonEKSConnectorServiceRolePolicyAWS managed policy: AmazonEKSForFargateServiceRolePolicyAWS managed policy: AmazonEKSComputePolicyAWS managed policy: AmazonEKSNetworkingPolicyAWS managed policy: AmazonEKSBlockStoragePolicyAWS managed policy: AmazonEKSLoadBalancingPolicyAWS managed policy: AmazonEKSMCPReadOnlyAccessAWS managed policy: AmazonEKSServicePolicyAWS managed policy: AmazonEKSServiceRolePolicyAWS managed policy: AmazonEKSVPCResourceControllerAWS managed policy: AmazonEKSWorkerNodePolicyAWS managed policy: AmazonEKSWorkerNodeMinimalPolicyAWS managed policy: AWSServiceRoleForAmazonEKSNodegroupAWS managed policy: AmazonEKSDashboardServiceRolePolicyAWS managed policy: AmazonEBSCSIDriverPolicyAWS managed policy: AmazonEFSCSIDriverPolicyAWS managed policy: AmazonEKSLocalOutpostClusterPolicyAWS managed policy: AmazonEKSLocalOutpostServiceRolePolicyAmazon EKS updates to AWS managed policies
@@ -262,0 +263,27 @@ To view the latest version of the JSON policy document, see [AmazonEKSLoadBalanc
+## AWS managed policy: AmazonEKSMCPReadOnlyAccess
+
+You can attach `AmazonEKSMCPReadOnlyAccess` to your IAM entities. This policy provides read-only access to Amazon EKS resources and related AWS services, enabling the Amazon EKS Model Context Protocol (MCP) Server to perform observability and troubleshooting operations without making any modifications to your infrastructure.
+
+**Permissions details**
+
+This policy includes the following permissions that allow principals to complete the following tasks:
+
+  * **`eks` ** Allows principals to describe and list EKS clusters, node groups, add-ons, access entries, insights, and access the Kubernetes API for read-only operations.
+
+  * **`iam` ** Allows principals to retrieve information about IAM roles, policies, and their attachments to understand the permissions associated with EKS resources.
+
+  * **`ec2` ** Allows principals to describe VPCs, subnets, and route tables to understand the network configuration of EKS clusters.
+
+  * **`sts` ** Allows principals to retrieve caller identity information for authentication and authorization purposes.
+
+  * **`logs` ** Allows principals to start queries and retrieve query results from CloudWatch Logs for troubleshooting and monitoring.
+
+  * **`cloudwatch` ** Allows principals to retrieve metric data for monitoring cluster and workload performance.
+
+  * **`eks-mcp` ** Allows principals to invoke MCP operations and call read-only tools within the Amazon EKS MCP Server.
+
+
+
+
+To view the latest version of the JSON policy document, see [AmazonEKSMCPReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEKSMCPReadOnlyAccess.html) in the AWS Managed Policy Reference Guide.
+
@@ -318 +345 @@ This policy includes the following permissions that allow Amazon EKS to complete
-  * **`pricing` ** & **`shield` ** \- Access AWS pricing information and Shield protection status, enabling cost management and advanced security features for EKS resources.
+  * **`pricing` ** **`shield` ** \- Access AWS pricing information and Shield protection status, enabling cost management and advanced security features for EKS resources.
@@ -484,0 +512 @@ Change | Description | Date
+Introduced AWS managed policy: AmazonEKSMCPReadOnlyAccess. |  Amazon EKS introduced new managed policy `AmazonEKSMCPReadOnlyAccess` to enable read-only tools in the Amazon EKS MCP Server for observability and troubleshooting. |  November 21, 2025