AWS eks documentation change
Summary
Clarified security group rule requirements and EKS behavior when modifying rules
Security assessment
Provides clearer security guidance about network configuration but does not address a specific vulnerability. Enhances documentation of security best practices.
Diff
diff --git a/eks/latest/userguide/sec-group-reqs.md b/eks/latest/userguide/sec-group-reqs.md index 66c72df7b..44ae5a039 100644 --- a//eks/latest/userguide/sec-group-reqs.md +++ b//eks/latest/userguide/sec-group-reqs.md @@ -29 +29 @@ The default security group includes an outbound rule that allows Elastic Fabric -If your cluster doesn’t need the outbound rule, you can remove it. If you remove it, you must still have the minimum rules listed in Restricting cluster traffic. If you remove the inbound rule, Amazon EKS recreates it whenever the cluster is updated. +If your cluster doesn’t need the outbound rule to `0.0.0.0/0` (IPv4), `::/0` (IPv6), you can remove it. If you remove it, you must still have the minimum rules listed in Restricting cluster traffic. If you remove the inbound or outbound rules that allow traffic to/from the cluster security group itself, Amazon EKS recreates it whenever the cluster is updated. @@ -57 +57,5 @@ You can determine the ID of your cluster security group in the AWS Management Co -If you need to limit the open ports between the cluster and nodes, you can remove the default outbound rule and add the following minimum rules that are required for the cluster. If you remove the default inbound rule, Amazon EKS recreates it whenever the cluster is updated. +If you need to limit the open ports between the EKS control plane and nodes, you can remove the default outbound rule to `0.0.0.0/0` (IPv4)/`::/0` (IPv6) and add the following minimum rules that are required for the cluster. + +If you remove the default inbound rule that allows all traffic for source self (traffic from the cluster security group), Amazon EKS recreates it when the cluster is updated. + +If you remove the default outbound rule that allows all traffic for destination self (traffic to the cluster security group), Amazon EKS recreates it when the cluster is updated.