Initial Publication Date: 2022/07/11 9:00 PST

A security researcher recently reported an issue with the AWS IAM Authenticator for Kubernetes, used by Amazon Elastic Kubernetes Service (EKS). The researcher identified a query parameter validation issue within the authenticator plugin when configured to use the “AccessKeyID” template parameter within query strings. This issue could have permitted a knowledgeable attacker to escalate privileges within a Kubernetes cluster. Customers who do not use the “AccessKeyID” parameter are not affected by this issue.

As of June 28, 2022, all EKS clusters worldwide have been updated with a new version of the AWS IAM Authenticator for Kubernetes containing a fix for this issue. Customers who use the AWS IAM Authenticator for Kubernetes within Amazon EKS do not need to take any action to protect themselves. Customers who host and manage their own Kubernetes clusters, and who use the authenticator plugin’s “AccessKeyID” template parameter, should update the AWS IAM Authenticator for Kubernetes to version 0.5.9.
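For operators of self-managed clusters, the two facts above (whether any identity mapping uses the “AccessKeyID” template, and whether the installed authenticator is at least 0.5.9) are what decides whether action is needed. The following audit helper is an added example, not AWS or aws-iam-authenticator code. It assumes the mapping entries follow the authenticator’s mapRoles/mapUsers layout (rolearn or userarn, username, groups) and that the version string is obtained from the operator, for instance from the output of `aws-iam-authenticator version`; the mapping data below is constructed for illustration.

```python
"""Audit helper: does this self-managed cluster need the 0.5.9 update?

Added example, not part of the bulletin or of the aws-iam-authenticator project.
Assumptions: mapping entries use the rolearn/userarn, username and groups keys
of the authenticator's mapRoles/mapUsers configuration; the version string is
supplied by the operator (e.g. copied from `aws-iam-authenticator version`).
"""
import re

# Fixed version named in the bulletin.
FIXED_VERSION = (0, 5, 9)

# Match the template marker as it appears in username/groups fields.
# Case-insensitive and whitespace-tolerant so a sloppy config is not missed.
ACCESS_KEY_ID_TEMPLATE = re.compile(r"\{\{\s*AccessKeyID\s*\}\}", re.IGNORECASE)


def parse_version(version_string):
    """Extract (major, minor, patch) from strings such as '0.5.9' or 'v0.5.8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if m is None:
        raise ValueError("no semantic version found in %r" % version_string)
    return tuple(int(part) for part in m.groups())


def is_patched(version_string):
    """True when the installed authenticator is at or above the fixed release."""
    return parse_version(version_string) >= FIXED_VERSION


def find_accesskeyid_templates(mappings):
    """Return (identity arn, field, value) for every field using the template.

    `mappings` is a list of mapRoles/mapUsers-style dicts (assumed layout).
    """
    hits = []
    for entry in mappings:
        arn = entry.get("rolearn") or entry.get("userarn") or "<unknown>"
        fields = [("username", entry.get("username", ""))]
        fields += [("groups", g) for g in entry.get("groups", [])]
        for field, value in fields:
            if ACCESS_KEY_ID_TEMPLATE.search(value):
                hits.append((arn, field, value))
    return hits


def assess(version_string, mappings):
    """Combine both checks into one verdict string for the operator."""
    uses = find_accesskeyid_templates(mappings)
    if not uses:
        return "not affected: no mapping uses the AccessKeyID template"
    if is_patched(version_string):
        return "patched: AccessKeyID template in use, authenticator >= 0.5.9"
    return ("ACTION REQUIRED: AccessKeyID template used by %d mapping(s); "
            "update aws-iam-authenticator to 0.5.9" % len(uses))


# Constructed sample mappings (not real identities): one entry uses the
# AccessKeyID template in its username, the other does not.
SAMPLE_MAPPINGS = [
    {
        "rolearn": "arn:aws:iam::123456789012:role/example-ops",
        "username": "ops:{{AccessKeyID}}",
        "groups": ["system:masters"],
    },
    {
        "rolearn": "arn:aws:iam::123456789012:role/example-dev",
        "username": "dev:{{SessionName}}",
        "groups": ["developers"],
    },
]

if __name__ == "__main__":
    # In practice the mappings would be loaded from the authenticator's
    # config file (or the aws-auth ConfigMap) and the version from the binary.
    print(assess("v0.5.8", SAMPLE_MAPPINGS))
    print(assess("0.5.9", SAMPLE_MAPPINGS))
```

Running the module prints the verdict for a pre-fix and a fixed version against the constructed mappings. The template match is deliberately broad: on an audit it is better to flag a mapping that turns out to be harmless than to miss one, and any hit is reviewed by a person before the verdict is acted on.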

We would like to thank Lightspin for reporting this issue.

Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.