diff --git a/docs/iam_roles.md b/docs/iam_roles.md index 789e715649..e429f5873c 100644 --- a/docs/iam_roles.md +++ b/docs/iam_roles.md @@ -1,7 +1,10 @@ # IAM Roles Two IAM roles are created for the cluster: one for the masters, and one for the nodes. -The permissions are kept to the minimum required to setup and maintain the cluster. + +> Work is being done on scoping permissions to the minimum required to setup and maintain cluster. +> Please not that currently all Pods running on your cluster have access to instance IAM role. +> Consider using projects such as [kube2iam](https://github.com/jtblin/kube2iam) to prevent that. Master permissions: diff --git a/docs/security.md b/docs/security.md index 520c9a92bd..3f69f1da18 100644 --- a/docs/security.md +++ b/docs/security.md @@ -18,6 +18,11 @@ To change the SSH public key on an existing cluster: * `kops update cluster --yes` to reconfigure the auto-scaling groups * `kops rolling-update cluster --name --yes` to immediately roll all the machines so they have the new key (optional) +## IAM roles + +All Pods running on your cluster have access to underlying instance IAM role. +Currently permission scope is quite broad. See [iam_roles.md](iam_roles.md) for details and ways to mitigate that. + ## Kubernetes API
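Review bot: Typo and missing articles in the new blockquote in the `docs/iam_roles.md` hunk: "Please not that currently all Pods running on your cluster have access to instance IAM role" should read "Please note that currently all Pods running on your cluster have access to the instance IAM role", and "required to setup and maintain cluster" should be "required to set up and maintain the cluster". Since this note replaces the removed line "The permissions are kept to the minimum required to setup and maintain the cluster.", consider stating the security consequence plainly rather than only as a blockquote: any Pod scheduled on a master or node can exercise whatever the master or node role permits, so the list of master permissions that follows is effectively the list of what a compromised Pod on a master can do until the scoping work lands. The kube2iam pointer would also benefit from a sentence saying it is a third-party project and not something kops configures for you.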
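Review bot: Grammar and wording in the new "## IAM roles" section of the `docs/security.md` hunk: "All Pods running on your cluster have access to underlying instance IAM role." needs "the" before "underlying", and "Currently permission scope is quite broad." reads better as "The permission scope is currently quite broad." The two sentences also leave the risk implicit; suggest stating it in this section, since security.md is where readers look for the threat summary, e.g. "Any workload that can run a Pod on a node can therefore use that node's AWS permissions." and then keeping the pointer to iam_roles.md for the role details and the kube2iam mitigation. Both files now describe the same limitation in slightly different words; keep the phrasing consistent so a later edit to one does not contradict the other.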