AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-16 · Documentation low

File: eks/latest/userguide/workloads-add-ons-available-eks.md

Summary

Updated IAM policy ARN references to use a shared region placeholder and fixed a Terraform module link

Security assessment

The changes replace static ARNs with a templated format (<shared id="region.arn"/>) which doesn't indicate any security vulnerability fix. The Terraform link fix is a documentation formatting correction. No security implications or vulnerability references are present in the changes.

Diff

diff --git a/eks/latest/userguide/workloads-add-ons-available-eks.md b/eks/latest/userguide/workloads-add-ons-available-eks.md
index 9bbf8c7a3..51a63a38e 100644
--- a//eks/latest/userguide/workloads-add-ons-available-eks.md
+++ b//eks/latest/userguide/workloads-add-ons-available-eks.md
@@ -61 +61 @@ Replace `my-cluster` with the name of your cluster and `AmazonEKSVPCCNIRole` wit
-        --role-only --attach-policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --approve
+        --role-only --attach-policy-arn <shared id="region.arn"/>iam::aws:policy/AmazonEKS_CNI_Policy --approve
@@ -133 +133 @@ This add-on utilizes the IAM roles for service accounts capability of Amazon EKS
-        --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
+        --attach-policy-arn <shared id="region.arn"/>iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
@@ -159 +159 @@ The Amazon EKS add-on name is `aws-efs-csi-driver`.
-        --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \
+        --attach-policy-arn <shared id="region.arn"/>iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \
@@ -197 +197 @@ This add-on utilizes the IAM roles for service accounts capability of Amazon EKS
-        --attach-policy-arn arn:aws:iam::aws:policy/AmazonFSxFullAccess \
+        --attach-policy-arn <shared id="region.arn"/>iam::aws:policy/AmazonFSxFullAccess \
@@ -375 +375 @@ For more information, see [Getting Started with AWS Distro for OpenTelemetry usi
-ADOT requires that the `cert-manager` add-on is deployed on the cluster as a prerequisite, otherwise this add-on won’t work if deployed directly using the [https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest](https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest) `cluster_addons` property. For more requirements, see [Requirements for Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons](https://aws-otel.github.io/docs/getting-started/adot-eks-add-on/requirements) in the AWS Distro for OpenTelemetry documentation.
+ADOT requires that the `cert-manager` add-on is deployed on the cluster as a prerequisite, otherwise this add-on won’t work if deployed directly using the https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest`cluster_addons` property. For more requirements, see [Requirements for Getting Started with AWS Distro for OpenTelemetry using EKS Add-Ons](https://aws-otel.github.io/docs/getting-started/adot-eks-add-on/requirements) in the AWS Distro for OpenTelemetry documentation.
@@ -413,2 +413,2 @@ This add-on uses the IAM roles for service accounts capability of Amazon EKS. Fo
-        --attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \
-        --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
+        --attach-policy-arn <shared id="region.arn"/>iam::aws:policy/AWSXrayWriteOnlyAccess \
+        --attach-policy-arn <shared id="region.arn"/>iam::aws:policy/CloudWatchAgentServerPolicy \