Amazon EKS Flaws Let Hackers Steal AWS Credentials

Critical vulnerabilities in Amazon Elastic Kubernetes Service (EKS) allow overprivileged containers to steal AWS credentials through packet sniffing and spoofing attacks. Amazon EKS flaws let attackers exploit the 169.254.170.23:80 endpoint by intercepting plaintext traffic or deploying fake HTTP servers. These exposures, disclosed on June 19, 2025, underscore the risks in AWS’s shared responsibility model.

The flaws specifically affect the EKS Pod Identity agent, which manages AWS credentials for containers via a local API. Researchers showed that containers with CAP_NET_ADMIN or hostNetwork privileges can hijack this API to capture authorization tokens. Amazon EKS flaws let adversaries escalate privileges by disabling the agent and deploying malicious servers to intercept credentials.

Amazon determined that these behaviors fall under customer responsibility, not a platform vulnerability. To reduce risk, organizations should remove unnecessary capabilities and monitor for elevated container privileges using tools like Trend Vision One Container Security.

Amazon EKS Vulnerabilities Expose Sensitive AWS Credentials and Escalate Privileges