AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-25 · Documentation medium

File: eks/latest/userguide/ack-comparison.md

Summary

Added documentation about session tags and resource tagging differences in EKS Capability for ACK

Security assessment

The changes document security-adjacent features (session tags for auditing/access control and resource tagging), but don't address a specific security vulnerability. The content explains security-related implementations rather than fixing issues.

Diff

diff --git a/eks/latest/userguide/ack-comparison.md b/eks/latest/userguide/ack-comparison.md
index 002e97354..c8db4e80e 100644
--- a//eks/latest/userguide/ack-comparison.md
+++ b//eks/latest/userguide/ack-comparison.md
@@ -20,0 +21,4 @@ The EKS Capability for ACK is based on upstream ACK controllers but differs in I
+**Session tags** : The managed capability automatically sets session tags on all AWS API requests, enabling fine-grained access control and auditing. Tags include `eks:eks-capability-arn`, `eks:kubernetes-namespace`, and `eks:kubernetes-api-group`. This differs from self-managed ACK, which does not set these tags by default. See [Configure ACK permissions](./ack-permissions.html) for details on using session tags in IAM policies.
+
+**Resource tags** : The capability applies different default tags to AWS resources than self-managed ACK. The capability uses `eks:` prefixed tags (such as `eks:kubernetes-namespace`, `eks:eks-capability-arn`) instead of the `services.k8s.aws/` tags used by self-managed ACK. See [ACK considerations for EKS](./ack-considerations.html) for the complete list of default resource tags.
+