AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-16 · Documentation low

File: eks/latest/best-practices/identity-and-access-management.md

Summary

Formatting updates: Removed angle brackets from URLs and fixed a code block syntax issue. Updated markdown links to plain URLs in multiple sections.

Security assessment

Changes are purely cosmetic/formatting: converting bracketed URLs to plain URLs and fixing a code block. No security content was added, removed, or modified. The updates don't reference vulnerabilities, security incidents, or security enhancements.

Diff

diff --git a/eks/latest/best-practices/identity-and-access-management.md b/eks/latest/best-practices/identity-and-access-management.md
index 90ca7c82c..afa13d969 100644
--- a//eks/latest/best-practices/identity-and-access-management.md
+++ b//eks/latest/best-practices/identity-and-access-management.md
@@ -73 +73 @@ Each token starts with `k8s-aws-v1.` followed by a base64 encoded string. The st
-The token consists of a pre-signed URL that includes an Amazon credential and signature. For additional details see <https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html>.
+The token consists of a pre-signed URL that includes an Amazon credential and signature. For additional details see https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html.
@@ -460 +460 @@ This role authorizes unauthenticated and authenticated users to read API informa
-When an application running within a Pod calls the Kubernetes APIs, the Pod needs to be assigned a service account that explicitly grants it permission to call those APIs. Similar to guidelines for user access, the Role or ClusterRole bound to a service account should be restricted to the API resources and methods that the application needs to function and nothing else. To use a non-default service account simply set the `spec.serviceAccountName` field of a Pod to the name of the service account you wish to use. For additional information about creating service accounts, see [https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions).
+When an application running within a Pod calls the Kubernetes APIs, the Pod needs to be assigned a service account that explicitly grants it permission to call those APIs. Similar to guidelines for user access, the Role or ClusterRole bound to a service account should be restricted to the API resources and methods that the application needs to function and nothing else. To use a non-default service account simply set the `spec.serviceAccountName` field of a Pod to the name of the service account you wish to use. For additional information about creating service accounts, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions.
@@ -522 +522 @@ A mutating webhook that runs as part of the EKS control plane injects the AWS Ro
-The kubelet will automatically rotate the projected token when it is older than 80% of its total TTL, or after 24 hours. The AWS SDKs are responsible for reloading the token when it rotates. For further information about IRSA, see <https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html>.
+The kubelet will automatically rotate the projected token when it is older than 80% of its total TTL, or after 24 hours. The AWS SDKs are responsible for reloading the token when it rotates. For further information about IRSA, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html.
@@ -661 +661 @@ If you have an application that is using an older version of the AWS SDK that do
-The trust policy can be scoped to a Namespace or a specific service account within a Namespace. When using IRSA it’s best to make the role trust policy as explicit as possible by including the service account name. This will effectively prevent other Pods within the same Namespace from assuming the role. The CLI `eksctl` will do this automatically when you use it to create service accounts/IAM roles. See [https://eksctl.io/usage/iamserviceaccounts/](https://eksctl.io/usage/iamserviceaccounts/) for further information.
+The trust policy can be scoped to a Namespace or a specific service account within a Namespace. When using IRSA it’s best to make the role trust policy as explicit as possible by including the service account name. This will effectively prevent other Pods within the same Namespace from assuming the role. The CLI `eksctl` will do this automatically when you use it to create service accounts/IAM roles. See https://eksctl.io/usage/iamserviceaccounts/ for further information.
@@ -854 +854 @@ In the following example code, a session is created using the boto3 python SDK,
-    print(sqsresponse) ```
+    print(sqsresponse)
@@ -860 +860 @@ If you’re migrating an application from another AWS compute service, such as E
-While IRSA and EKS Pod Identities are the _preferred ways_ to assign an AWS identity to a pod, they require that you include recent version of the AWS SDKs in your application. For a complete listing of the SDKs that currently support IRSA, see <https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html>, for EKS Pod Identities, see <https://docs.aws.amazon.com/eks/latest/userguide/pod-id-minimum-sdk.html>. If you have an application that you can’t immediately update with a compatible SDK, there are several community-built solutions available for assigning IAM roles to Kubernetes pods, including [kube2iam](https://github.com/jtblin/kube2iam) and [kiam](https://github.com/uswitch/kiam). Although AWS doesn’t endorse, condone, nor support the use of these solutions, they are frequently used by the community at large to achieve similar results as IRSA and EKS Pod Identities.
+While IRSA and EKS Pod Identities are the _preferred ways_ to assign an AWS identity to a pod, they require that you include recent version of the AWS SDKs in your application. For a complete listing of the SDKs that currently support IRSA, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html, for EKS Pod Identities, see https://docs.aws.amazon.com/eks/latest/userguide/pod-id-minimum-sdk.html. If you have an application that you can’t immediately update with a compatible SDK, there are several community-built solutions available for assigning IAM roles to Kubernetes pods, including [kube2iam](https://github.com/jtblin/kube2iam) and [kiam](https://github.com/uswitch/kiam). Although AWS doesn’t endorse, condone, nor support the use of these solutions, they are frequently used by the community at large to achieve similar results as IRSA and EKS Pod Identities.