AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-12-16 · Documentation low

File: eks/latest/userguide/hybrid-nodes-creds.md

Summary

Added requirement for 'eks:ListAccessEntries' IAM permission and clarified SSM policy reference

Security assessment

The change documents a new required IAM permission (eks:ListAccessEntries) for validating cluster access entries. While this improves security posture by enforcing proper access controls, there is no evidence it addresses an existing vulnerability. It adds security-related documentation to guide proper configuration.

Diff

diff --git a/eks/latest/userguide/hybrid-nodes-creds.md b/eks/latest/userguide/hybrid-nodes-creds.md
index b19b67b05..eb8282d1e 100644
--- a//eks/latest/userguide/hybrid-nodes-creds.md
+++ b//eks/latest/userguide/hybrid-nodes-creds.md
@@ -21 +21,3 @@ The Hybrid Nodes IAM role must have the following permissions.
-  * Permissions for `nodeadm` to use the `eks:DescribeCluster` action to gather information about the cluster used for connecting hybrid nodes to the cluster. If you do not enable the `eks:DescribeCluster` action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to `nodeadm` when you run `nodeadm` init.
+  * Permissions for `nodeadm` to use the `eks:DescribeCluster` action to gather information about the cluster to which you want to connect hybrid nodes. If you do not enable the `eks:DescribeCluster` action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to the `nodeadm init` command.
+
+  * Permissions for `nodeadm` to use the `eks:ListAccessEntries` action to list the access entries on the cluster to which you want to connect hybrid nodes. If you do not enable the `eks:ListAccessEntries` action, then you must pass the `--skip cluster-access-validation` flag when you run the `nodeadm init` command.
@@ -25 +27 @@ The Hybrid Nodes IAM role must have the following permissions.
-  * If using AWS SSM, permissions for `nodeadm` init to use AWS SSM hybrid activations as defined in the [aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) policy.
+  * If using AWS SSM, permissions for `nodeadm init` to use AWS SSM hybrid activations as defined in the [aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) policy.