AWS Security ChangesHomeSearch

AWS eks medium security documentation change

Service: eks · 2026-06-19 · Security-related medium

File: eks/latest/userguide/network-reqs.md

Summary

Added documentation about customer-routed control plane egress requirements including routing to admission webhooks and OIDC providers.

Security assessment

Explicitly documents critical network security requirements for control plane egress, including firewall/NACL configurations needed to prevent network isolation vulnerabilities.

Diff

diff --git a/eks/latest/userguide/network-reqs.md b/eks/latest/userguide/network-reqs.md
index 70e1cd36f..3111b0c41 100644
--- a//eks/latest/userguide/network-reqs.md
+++ b//eks/latest/userguide/network-reqs.md
@@ -44,0 +45,2 @@ To avoid CIDR conflicts, ensure your EKS service CIDR doesn’t overlap with any
+  * If the cluster uses customer-routed control plane egress (`controlPlaneEgressMode=CUSTOMER_ROUTED`), the subnets used by the cluster must be able to route to any endpoints the control plane calls, such as admission webhook servers and OIDC providers. This requires an egress path (for example, a NAT gateway, NAT instance, firewall, or transit gateway to a centralized egress VPC) plus route table, security group, and network ACL rules that allow the traffic. For more information, see [Configuring control plane egress routing](./control-plane-egress.html).
+