AWS eks documentation change
Summary
Restructured IAM policy setup steps for CloudWatch, OpenSearch, and Firehose logging destinations. Consolidated download instructions and OpenSearch security configuration details under a unified permissions section. Updated log group region description formatting.
Security assessment
Added explicit instructions for OpenSearch Dashboards access control configuration including role mappings for security_manager and all_access roles. While this improves security documentation, there's no evidence of addressing a specific vulnerability or incident.
Diff
diff --git a/eks/latest/userguide/fargate-logging.md index 9dfb90c11..75b387cc0 100644 --- a/eks/latest/userguide/fargate-logging.md +++ b/eks/latest/userguide/fargate-logging.md @@ -111,2 +110,0 @@ CloudWatch -**To create a`ConfigMap` for CloudWatch** - @@ -164,4 +161,0 @@ The following example shows you how to use the `cloudwatch_logs` plugin to send - 3. Download the CloudWatch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json) on GitHub. - - curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json - @@ -171,2 +164,0 @@ Amazon OpenSearch Service -**To create a`ConfigMap` for Amazon OpenSearch Service** - @@ -199,6 +190,0 @@ If you want to send logs to Amazon OpenSearch Service, you can use [es](https:// - 3. Download the OpenSearch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json) on GitHub. - - curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json - -Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see [How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?](https://aws.amazon.com/tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/). - @@ -208,2 +193,0 @@ Firehose -**To create a`ConfigMap` for Firehose** - @@ -237 +221,24 @@ The following example shows you how to use the `kinesis_firehose` plugin to send - 3. Download the Firehose IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json) on GitHub. + 3. Set up permissions for the Fargate Pod execution role to send logs to your destination. + + 1. Download the IAM policy for your destination to your computer. + +CloudWatch + + +Download the CloudWatch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json) on GitHub. + + curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json + +Amazon OpenSearch Service + + +Download the OpenSearch IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json) on GitHub. + + curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json + +Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see [How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?](https://aws.amazon.com/tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/). + +Firehose + + +Download the Firehose IAM policy to your computer. You can also [view the policy](https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json) on GitHub. @@ -241 +248 @@ The following example shows you how to use the `kinesis_firehose` plugin to send - 3. Create an IAM policy from the policy file you downloaded in a previous step. + 2. Create an IAM policy from the policy file that you downloaded. @@ -245 +252 @@ The following example shows you how to use the `kinesis_firehose` plugin to send - 4. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace `111122223333` with your account ID. Replace `AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see [Step 2: Create a Fargate Pod execution role](./fargate-getting-started.html#fargate-sg-pod-execution-role)). + 3. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace `111122223333` with your account ID. Replace `AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see [Step 2: Create a Fargate Pod execution role](./fargate-getting-started.html#fargate-sg-pod-execution-role)). @@ -308 +315 @@ You can optionally ship Fluent Bit process logs to Amazon CloudWatch using the f -The logs are in the AWS Region that the cluster resides in under CloudWatch. The log group name is ` `my-cluster`-fluent-bit-logs` and the Fluent Bit logstream name is `fluent-bit-`podname`-`pod-namespace` `. +The logs are in CloudWatch in the same AWS Region as the cluster. The log group name is ` `my-cluster`-fluent-bit-logs` and the Fluent Bit logstream name is `fluent-bit-`podname`-`pod-namespace` `. @@ -323 +330 @@ Shipping Fluent Bit process logs to CloudWatch requires additional log ingestion - 1. Locate the CloudWatch log group automatically created for your Amazon EKS cluster’s Fluent Bit process logs after enabling Fargate logging. It follows the format `{cluster_name}-fluent-bit-logs`. + 1. Locate the CloudWatch log group automatically created for your Amazon EKS cluster’s Fluent Bit process logs after enabling Fargate logging. It follows the format ` `my-cluster`-fluent-bit-logs`.