- IAM roles for service accounts (IRSA) can be misconfigured
- EKS worker nodes have IAM instance profiles
- The IMDS (Instance Metadata Service) is accessible from pods unless blocked
- VPC CNI plugin has specific network security implications
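
One way IRSA is misconfigured is a role trust policy that does not pin the Kubernetes service account. The following is an added example, not code from the original page: it flags `sts:AssumeRoleWithWebIdentity` statements that lack a `sub` or `aud` condition, or that match `sub` with a wildcard. The OIDC provider id, account id, namespace and service account name are constructed placeholders.

```python
"""Audit IAM role trust policies used for IRSA (added example; all names are placeholders)."""
# Constructed sample data: provider id, account id, namespace and service account are made up.
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEPROVIDERID"
SUB, AUD = f"{OIDC}:sub", f"{OIDC}:aud"

def sample_policy(condition):
    # Build a constructed trust policy around the given Condition block.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

SCOPED = sample_policy({"StringEquals": {SUB: "system:serviceaccount:payments:api",
                                         AUD: "sts.amazonaws.com"}})
NO_SUB = sample_policy({"StringEquals": {AUD: "sts.amazonaws.com"}})
WILDCARD = sample_policy({"StringLike": {SUB: "system:serviceaccount:*:*"},
                          "StringEquals": {AUD: "sts.amazonaws.com"}})

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_irsa_trust(policy):
    """Return sorted finding codes across all web-identity Allow statements."""
    findings = set()
    for stmt in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or "sts:assumerolewithwebidentity" not in actions:
            continue
        sub_ok = aud_ok = False
        for op, keys in stmt.get("Condition", {}).items():
            base = op.split(":")[-1]  # drop ForAnyValue:/ForAllValues: prefixes
            if base not in ("StringEquals", "StringLike"):
                continue  # negated or IfExists operators are not counted as a restriction
            for key, val in keys.items():
                if key.endswith(":aud"):
                    aud_ok = True
                elif key.endswith(":sub"):
                    sub_ok = True
                    # "*" and "?" act as wildcards only under StringLike
                    if base == "StringLike" and any("*" in v or "?" in v for v in as_list(val)):
                        findings.add("wildcard-sub")
        if not sub_ok:
            findings.add("missing-sub")
        if not aud_ok:
            findings.add("missing-aud")
    return sorted(findings)

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("no-sub", NO_SUB), ("wildcard", WILDCARD)):
        print(name, audit_irsa_trust(pol) or "ok")
```

To audit a real role, pass the parsed JSON of its trust policy document to `audit_irsa_trust`.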