AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-04-04 · Documentation low

File: eks/latest/userguide/create-node-role.md

Summary

Added note about optional permissions for kubelet to pull images from Amazon ECR Public using the AmazonElasticContainerRegistryPublicReadOnly policy to avoid rate-limiting

Security assessment

The change documents an optional IAM policy that provides controlled access to public ECR repositories. This is a security feature that enables proper authentication and authorization for pulling public container images, but there's no indication it fixes a specific security vulnerability.

Diff

diff --git a/eks/latest/userguide/create-node-role.md b/eks/latest/userguide/create-node-role.md
index fede133b3..8093caa3c 100644
--- a//eks/latest/userguide/create-node-role.md
+++ b//eks/latest/userguide/create-node-role.md
@@ -28,0 +29,2 @@ Before you create nodes, you must create an IAM role with the following permissi
+  * (Optional) Permissions for the `kubelet` to use container images from Amazon ECR Public (public.ecr.aws), such as provided by the [AmazonElasticContainerRegistryPublicReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticContainerRegistryPublicReadOnly.html) policy. These permissions are recommended if you pull container images from ECR Public. Without them, the pulls will succeed, but may be rate-limited.
+