The documented IPv6 IAM policy in docs/iam-policy.md is missing the ec2:ModifyNetworkInterfaceAttribute permission.

What type of PR is this?
documentation

Which issue does this PR fix?:

Problem Description

When running EKS clusters in IPv6 mode with the documented IAM policy, the VPC CNI logs warnings like:

Unauthorized operation: failed to call ec2:ModifyNetworkInterfaceAttribute due to missing permissions.
Please refer https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md to attach relevant policy to IAM role

These warnings appear during:

• Node startup when aws-node DaemonSet pods are created
• Security group updates on managed ENIs
• Setting DeleteOnTermination flag on ENI attachments

Root Cause

The VPC CNI code calls ec2:ModifyNetworkInterfaceAttribute in both IPv4 and IPv6 modes:

1. refreshSGIDs function (https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/awsutils/awsutils.go#L564-L586)

   • Updates security groups on managed ENIs

2. AllocENI function (https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/awsutils/awsutils.go#L873-L882)

   • Sets DeleteOnTermination flag on newly attached ENIs

The IPv6 documentation only includes IPv6-specific permissions (e.g.: ec2:AssignIpv6Addresses) but omits ENI management permissions that are still required.

Additional Notes

This issue was identified when attempting to fix it in terraform-aws-eks, but the maintainers noted that the upstream documentation (this repository) needs to be fixed first.

See: terraform-aws-modules/terraform-aws-eks#3613 (comment)

What does this PR do / Why do we need it?:

This PR fixes the documented IPv6 IAM policy which is missing the ec2:ModifyNetworkInterfaceAttribute permission.

Without this permission, users running IPv6 clusters see "UnauthorizedOperation" warnings in their aws-node pods, even though the documentation policy is supposed to be complete. While these warnings don't prevent the cluster from functioning, they indicate failed operations and clutter the event logs.

This fix adds the missing permission to the IPv6 policy documentation in docs/iam-policy.md, bringing it in line with what the VPC CNI actually requires to operate correctly.

Testing done on this change:

Tested on IPv6 EKS cluster running:

• EKS version: 1.34.1
• VPC CNI: v1.21.0
• Karpenter 1.8.2 for node provisioning

After applying the fix, the warnings disappeared and ENI attributes are properly managed.

Will this PR introduce any new dependencies?:

No.

Will this break upgrades or downgrades? Has updating a running cluster been tested?:

No.

Does this change require updates to the CNI daemonset config files to work?:

No.

Does this PR introduce any user-facing change?:

Action required: Users running IPv6 clusters must update their IAM policies to include the ec2:ModifyNetworkInterfaceAttribute permission. Without this permission, the VPC CNI logs "UnauthorizedOperation" warnings. Update your IAM policy to match the corrected policy in docs/iam-policy.md.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.