AWS Security ChangesHomeSearch

AWS eks high security documentation change

Service: eks · 2026-06-19 · Security-related high

File: eks/latest/userguide/authenticate-oidc-identity-provider.md

Summary

Added connectivity note for OIDC issuers regarding control plane egress routing

Security assessment

Highlights security requirement for issuer reachability in authentication flow. Specifically addresses network configuration risks when using customer-routed egress that could break authentication.

Diff

diff --git a/eks/latest/userguide/authenticate-oidc-identity-provider.md b/eks/latest/userguide/authenticate-oidc-identity-provider.md
index 3464e5bb5..052ec25b4 100644
--- a//eks/latest/userguide/authenticate-oidc-identity-provider.md
+++ b//eks/latest/userguide/authenticate-oidc-identity-provider.md
@@ -33,0 +34,4 @@ Amazon EKS supports using OpenID Connect (OIDC) identity providers as a method t
+###### Note
+
+The control plane fetches the provider’s signing keys from the issuer URL, so the issuer must be reachable from the control plane. If your cluster uses customer-routed control plane egress (`controlPlaneEgressMode=CUSTOMER_ROUTED`), make sure the issuer endpoint is reachable through the egress path you configure in your VPC. For more information, see [Configuring control plane egress routing](./control-plane-egress.html).
+