AWS codepipeline medium security documentation change
Summary
Updated EKS action reference with cross-account guidance, parameter corrections, and IAM policy ARN restrictions
Security assessment
Changed IAM resource from wildcard ('eks:*') to specific ARN in example policy, addressing potential over-permission security risks through least privilege implementation.
Diff
diff --git a/codepipeline/latest/userguide/action-reference-EKS.md index a62df145e..c329b52ce 100644 --- a/codepipeline/latest/userguide/action-reference-EKS.md +++ b/codepipeline/latest/userguide/action-reference-EKS.md @@ -7 +7 @@ Action typeConfiguration parameters Input artifactsOutput artifactsEnvironment v -# Amazon Elastic Kubernetes Service `EKSDeploy` action reference +# Amazon Elastic Kubernetes Service `EKS` deploy action reference @@ -23 +23 @@ The EKS action supports both public and private EKS clusters. Private clusters a -The EKS action is supported for cross-account or cross-Region actions. +The EKS action is supported for cross-account actions. To add a cross-account EKS action, add `actionRoleArn` from your target account in the action declaration. @@ -115 +115 @@ Required: No -The variable namespace for the action. +The kubernetes namepsace to be used in `kubectl` or `helm` commands. @@ -124 +124 @@ The subnets for the VPC for your cluster. These are part of the same VPC that is -**SecurityGroups** +**SecurityGroupIds** @@ -135 +135 @@ The security groups for the VPC for your cluster. These are part of the same VPC - * **Description:** The action looks for the Kubernetes manifest file or Helm chart in the source file repository for the pipeline. ). + * **Description:** The action looks for the Kubernetes manifest file or Helm chart in the source file repository for the pipeline). @@ -226 +226 @@ In the service role policy statement, scope down the permissions to the resource - "Resource": "eks:" + "Resource": "arn:aws:eks:*:YOUR_AWS_ACCOUNT_ID:cluster/YOUR_CLUSTER_NAME" @@ -241 +241 @@ In the service role policy statement, scope down the permissions to the resource - "Resource": "ec2:" + "Resource": "*" @@ -250 +250 @@ In the service role policy statement, scope down the permissions to the resource - "Resource": "log:" + "Resource": [ "arn:aws:logs:*:YOUR_AWS_ACCOUNT_ID:log-group:/aws/codepipeline/YOUR_PIPELINE_NAME","arn:aws:logs:*:YOUR_AWS_ACCOUNT_ID:log-group:/aws/codepipeline/YOUR_PIPELINE_NAME:*"]