AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-04-04 · Documentation low

File: eks/latest/userguide/auto-create-node-role.md

Summary

Added documentation about attaching the AmazonElasticContainerRegistryPublicReadOnly policy to node IAM roles for pulling images from Public ECR to avoid throttling

Security assessment

The change adds documentation about an optional IAM policy (AmazonElasticContainerRegistryPublicReadOnly) that provides read-only access to public ECR repositories. This is a security feature that follows the principle of least privilege by granting only necessary permissions for pulling public images, but there's no evidence it addresses a specific security vulnerability.

Diff

diff --git a/eks/latest/userguide/auto-create-node-role.md b/eks/latest/userguide/auto-create-node-role.md
index aa34407f8..f6d984c60 100644
--- a//eks/latest/userguide/auto-create-node-role.md
+++ b//eks/latest/userguide/auto-create-node-role.md
@@ -134,0 +135,11 @@ To attach AmazonEC2ContainerRegistryPullOnly:
+**Attach Optional Policy**
+
+If you will pull container images from Public ECR, you should attach the following AWS managed policy to the Node IAM Role to ensure your nodes can authenticate to Public ECR and pull images without throttling.
+
+To attach AmazonElasticContainerRegistryPublicReadOnly:
+    
+    
+    aws iam attach-role-policy \
+        --role-name AmazonEKSAutoNodeRole \
+        --policy-arn arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly
+