AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-04 · Documentation low

File: eks/latest/userguide/kubernetes-versions-standard.md

Summary

Added documentation about External JWT Signer for Service Account Tokens promotion to Beta and recommended using bound service account tokens

Security assessment

The change documents security improvements in Kubernetes 1.34 related to service account token management. It recommends bound service account tokens which enhance security through automatic rotation and limited lifetimes, but doesn't address a specific vulnerability.

Diff

diff --git a/eks/latest/userguide/kubernetes-versions-standard.md b/eks/latest/userguide/kubernetes-versions-standard.md
index a07c5fa5d..99202bcdb 100644
--- a//eks/latest/userguide/kubernetes-versions-standard.md
+++ b//eks/latest/userguide/kubernetes-versions-standard.md
@@ -42,0 +43,4 @@ Kubernetes `1.34` is now available in Amazon EKS. For more information about Kub
+  * External JWT Signer for Service Account Tokens is promoted to Beta. When using external signers, the --service-account-extend-token-expiration flag is no longer fully respected. The API server enforces the minimum expiration between the desired extension (1 year) and the external signer’s limit (24 hours).
+
+    * We recommend using [bound service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-tokens), which are automatically mounted and rotated by Kubernetes.
+