AWS Security Hub · EKS
EKS.9: An EKS node group runs an unsupported Kubernetes version
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EKS.9 check?
EKS.9 fails when an EKS managed node group runs a Kubernetes version no longer in standard support. It is a separate finding from EKS.2, which covers the control plane.
Why does EKS.9 matter?
A common pattern: a team upgrades the control plane to clear EKS.2, ticks it off, and never schedules the node-group upgrade. Months later the API server is current but the worker nodes are two minor versions behind on an unpatched AMI. EKS allows up to three minor versions of skew — just enough rope for the gap to feel safe until a removed Kubernetes API breaks a deployment on the old nodes.
How do I fix EKS.9?
- List node groups and compare their versions against the control plane and the supported floor.
- Roll managed node groups forward one minor version at a time, respecting the skew limits and AMI compatibility.
- Use the managed-node-group update so nodes are replaced gradually without taking the workload down.
- Schedule node-group upgrades alongside control-plane upgrades so the two never drift apart.
Remediation script · bash
```bash
#!/usr/bin/env bash
set -eu
# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
  --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done
# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x
# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29
```
Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.
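The node-group side of the fix, as an added example that is not part of the page's own script: it reads the control-plane version, measures each managed node group's minor-version skew, and steps groups forward one minor at a time with `aws eks update-nodegroup-version`, refusing groups that are already past the three-minor skew limit. The cluster name argument and the helper function names are assumptions; the driver needs the AWS CLI with EKS permissions, while the version arithmetic runs offline.

```bash
#!/usr/bin/env bash
# Added example (not the page's script): bring every managed node group of a
# cluster up to the control-plane version one minor step at a time.
set -eu

minor() { echo "${1#*.}"; }           # "1.29" -> "29"

# Minor-version skew: control plane minus node group (positive = node group behind).
skew() { echo $(( $(minor "$1") - $(minor "$2") )); }

# Next target for a node group: one minor step toward the control plane,
# or the empty string when the group is already level with (or ahead of) it.
next_step() {                         # args: control-plane version, node-group version
  if [ "$(skew "$1" "$2")" -le 0 ]; then echo ""; return; fi
  echo "1.$(( $(minor "$2") + 1 ))"
}

# Driver: walk each managed node group and roll it forward until it matches the control plane.
upgrade_nodegroups() {                # arg: cluster name (assumed placeholder)
  cluster="$1"
  cp=$(aws eks describe-cluster --name "$cluster" --query cluster.version --output text)
  for ng in $(aws eks list-nodegroups --cluster-name "$cluster" --query 'nodegroups[]' --output text); do
    v=$(aws eks describe-nodegroup --cluster-name "$cluster" --nodegroup-name "$ng" \
          --query nodegroup.version --output text)
    if [ "$(skew "$cp" "$v")" -gt 3 ]; then
      # Beyond the supported skew: do not automate, a human has to plan this one.
      echo "$ng runs $v, more than three minors behind $cp; needs manual attention" >&2
      continue
    fi
    while target=$(next_step "$cp" "$v") && [ -n "$target" ]; do
      echo "$ng: $v -> $target"
      aws eks update-nodegroup-version --cluster-name "$cluster" \
        --nodegroup-name "$ng" --kubernetes-version "$target"
      # Managed node groups replace nodes gradually; wait for the rollout before the next step.
      aws eks wait nodegroup-active --cluster-name "$cluster" --nodegroup-name "$ng"
      v="$target"
    done
  done
}

if [ -n "${1:-}" ]; then upgrade_nodegroups "$1"; fi
```

Run it as `./upgrade-nodegroups.sh prod-payments` after the control plane is current; the skew check keeps it from touching a group that EKS itself would reject.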