AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-02-26 · Documentation low

File: eks/latest/userguide/fargate-logging.md

Summary

Restructured IAM policy setup steps for CloudWatch, OpenSearch, and Firehose logging destinations. Consolidated download instructions and OpenSearch security configuration details under a unified permissions section. Updated log group region description formatting.

Security assessment

Added explicit instructions for OpenSearch Dashboards access control configuration including role mappings for security_manager and all_access roles. While this improves security documentation, there's no evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/eks/latest/userguide/fargate-logging.md
index 9dfb90c11..75b387cc0 100644
--- a/eks/latest/userguide/fargate-logging.md
+++ b/eks/latest/userguide/fargate-logging.md
@@ -111,2 +110,0 @@ CloudWatch
-**To create a`ConfigMap` for CloudWatch**
-
@@ -164,4 +161,0 @@ The following example shows you how to use the `cloudwatch_logs` plugin to send
-    3. Download the CloudWatch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json) on GitHub.
-        
-                curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json
-
@@ -171,2 +164,0 @@ Amazon OpenSearch Service
-**To create a`ConfigMap` for Amazon OpenSearch Service**
-
@@ -199,6 +190,0 @@ If you want to send logs to Amazon OpenSearch Service, you can use [es](https://
-    3. Download the OpenSearch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json) on GitHub.
-        
-                curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json
-
-Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see [How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?](https://aws.amazon.com/tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/).
-
@@ -208,2 +193,0 @@ Firehose
-**To create a`ConfigMap` for Firehose**
-
@@ -237 +221,24 @@ The following example shows you how to use the `kinesis_firehose` plugin to send
-       3. Download the Firehose IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json) on GitHub.
+  3. Set up permissions for the Fargate Pod execution role to send logs to your destination.
+
+    1. Download the IAM policy for your destination to your computer.
+
+CloudWatch
+    
+
+Download the CloudWatch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json) on GitHub.
+        
+                curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json
+
+Amazon OpenSearch Service
+    
+
+Download the OpenSearch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json) on GitHub.
+        
+                curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json
+
+Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see [How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?](https://aws.amazon.com/tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/).
+
+Firehose
+    
+
+Download the Firehose IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json) on GitHub.
@@ -241 +248 @@ The following example shows you how to use the `kinesis_firehose` plugin to send
-  3. Create an IAM policy from the policy file you downloaded in a previous step.
+    2. Create an IAM policy from the policy file that you downloaded.
@@ -245 +252 @@ The following example shows you how to use the `kinesis_firehose` plugin to send
-  4. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace `111122223333` with your account ID. Replace `AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see [Step 2: Create a Fargate Pod execution role](./fargate-getting-started.html#fargate-sg-pod-execution-role)).
+    3. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace `111122223333` with your account ID. Replace `AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see [Step 2: Create a Fargate Pod execution role](./fargate-getting-started.html#fargate-sg-pod-execution-role)).
@@ -308 +315 @@ You can optionally ship Fluent Bit process logs to Amazon CloudWatch using the f
-The logs are in the AWS Region that the cluster resides in under CloudWatch. The log group name is ` `my-cluster`-fluent-bit-logs` and the Fluent Bit logstream name is `fluent-bit-`podname`-`pod-namespace` `.
+The logs are in CloudWatch in the same AWS Region as the cluster. The log group name is ` `my-cluster`-fluent-bit-logs` and the Fluent Bit logstream name is `fluent-bit-`podname`-`pod-namespace` `.
@@ -323 +330 @@ Shipping Fluent Bit process logs to CloudWatch requires additional log ingestion
-  1. Locate the CloudWatch log group automatically created for your Amazon EKS cluster’s Fluent Bit process logs after enabling Fargate logging. It follows the format `{cluster_name}-fluent-bit-logs`.
+  1. Locate the CloudWatch log group automatically created for your Amazon EKS cluster’s Fluent Bit process logs after enabling Fargate logging. It follows the format ` `my-cluster`-fluent-bit-logs`.