AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2026-02-13 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md

Summary

Added new 'Policy' property to enforce least privilege access for pod identity associations.

Security assessment

Explicitly adds capability to restrict permissions through intersection policies, addressing privilege escalation risks by enforcing least privilege access - concrete evidence in the policy description.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md
index 0589502fd..601622ccc 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md
@@ -23,0 +24 @@ To declare this entity in your CloudFormation template, use the following syntax
+          "Policy" : String,
@@ -39,0 +41 @@ To declare this entity in your CloudFormation template, use the following syntax
+      Policy: String
@@ -87,0 +90,13 @@ _Required_ : Yes
+`Policy`
+    
+
+An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role's policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.
+
+_Required_ : No
+
+ _Type_ : String
+
+ _Minimum_ : `1`
+
+ _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+