AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-25 · Documentation low

File: eks/latest/userguide/ack-permissions.md

Summary

Added session tags documentation and updated permissions to require sts:TagSession

Security assessment

Introduces session tags for granular access control and auditing, enhancing security capabilities. Adds documentation for using tags in IAM policies but doesn't address a specific vulnerability.

Diff

diff --git a/eks/latest/userguide/ack-permissions.md b/eks/latest/userguide/ack-permissions.md
index 74da5ffca..43eacae1e 100644
--- a//eks/latest/userguide/ack-permissions.md
+++ b//eks/latest/userguide/ack-permissions.md
@@ -5 +5 @@
-How IAM works with ACKGetting started: Simple permission setupProduction best practice: IAM Role SelectorsMulti-account managementAdvanced IAM Role Selector patternsNext steps
+How IAM works with ACKGetting started: Simple permission setupProduction best practice: IAM Role SelectorsMulti-account managementSession tagsAdvanced IAM Role Selector patternsNext steps
@@ -57 +57 @@ For production environments, use IAM Role Selectors to implement least-privilege
-When using IAM Role Selectors, the Capability Role only needs `sts:AssumeRole` permission to assume the service-specific roles. You don’t need to add any AWS service permissions (like S3 or RDS) to the Capability Role itself—those permissions are granted to the individual IAM roles that the Capability Role assumes.
+When using IAM Role Selectors, the Capability Role only needs `sts:AssumeRole` and `sts:TagSession` permissions to assume the service-specific roles. You don’t need to add any AWS service permissions (like S3 or RDS) to the Capability Role itself—those permissions are granted to the individual IAM roles that the Capability Role assumes.
@@ -135 +135 @@ Configure the trust policy to allow the Capability Role to assume it:
-          "Action": "sts:AssumeRole"
+          "Action": ["sts:AssumeRole", "sts:TagSession"]
@@ -150 +150 @@ Add permission to the Capability Role to assume the service-specific role:
-          "Action": "sts:AssumeRole",
+          "Action": ["sts:AssumeRole", "sts:TagSession"],
@@ -201 +201 @@ In the target account (444455556666), create a role that trusts the source accou
-          "Action": "sts:AssumeRole"
+          "Action": ["sts:AssumeRole", "sts:TagSession"]
@@ -218 +218 @@ In the source account (111122223333), allow the Capability Role to assume the ta
-          "Action": "sts:AssumeRole",
+          "Action": ["sts:AssumeRole", "sts:TagSession"],
@@ -251,0 +252,64 @@ Resources in the `production` namespace are created in the target account:
+## Session tags
+
+The EKS ACK capability automatically sets session tags on all AWS API requests. These tags enable fine-grained access control and auditing by identifying the source of each request.
+
+### Available session tags
+
+The following session tags are included with every AWS API call made by ACK:
+
+Tag Key | Description  
+---|---  
+`eks:eks-capability-arn` |  The ARN of the EKS capability making the request  
+`eks:kubernetes-namespace` |  The Kubernetes namespace of the resource being managed  
+`eks:kubernetes-api-group` |  The Kubernetes API group of the resource (for example, `s3.services.k8s.aws`)  
+  
+### Using session tags for access control
+
+You can use these session tags in IAM policy conditions to restrict which resources ACK can manage. This provides an additional layer of security beyond namespace-based IAM Role Selectors.
+
+**Example: Restrict by namespace**
+
+Allow ACK to create S3 buckets only when the request originates from the `production` namespace:
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "s3:CreateBucket",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "aws:PrincipalTag/eks:kubernetes-namespace": "production"
+            }
+          }
+        }
+      ]
+    }
+
+**Example: Restrict by capability**
+
+Allow actions only from a specific ACK capability:
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "s3:*",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "aws:PrincipalTag/eks:eks-capability-arn": "arn:aws:eks:us-west-2:111122223333:capability/my-cluster/ack/my-ack"
+            }
+          }
+        }
+      ]
+    }
+
+###### Note
+
+Session tags are a difference from self-managed ACK, which does not set these tags by default. This enables more granular access control with the managed capability.
+