AWS elasticbeanstalk documentation change
Summary
Expanded documentation about EC2 instance profile requirements, including new guidance for environments using secrets from AWS Secrets Manager/Parameter Store
Security assessment
Adds documentation about required permissions for secure secret management but doesn't indicate a specific vulnerability being addressed
Diff
diff --git a/elasticbeanstalk/latest/dg/create_deploy_docker_ecs_role.md b/elasticbeanstalk/latest/dg/create_deploy_docker_ecs_role.md index 2cd0a3bce..696bef505 100644 --- a/elasticbeanstalk/latest/dg/create_deploy_docker_ecs_role.md +++ b/elasticbeanstalk/latest/dg/create_deploy_docker_ecs_role.md @@ -5 +5 @@ -# Container instance role +# Container managed policy and EC2 instance role @@ -7 +7 @@ -If your environment uses a custom instance profile instead of the default, attach the `AWSElasticBeanstalkMulticontainerDocker` managed policy to make sure the required permissions for container management stay up-to-date. This managed policy is attached to the default [instance profile](./concepts-roles.html) when you create an environment in the Elastic Beanstalk console: +When you create an environment in the Elastic Beanstalk console, it prompts you to create a default instance profile that includes the `AWSElasticBeanstalkMulticontainerDocker` managed policy. So initially, your default EC2 instance profile, should include this managed policy. If your environment uses a custom EC2 instance profile role instead of the default, make sure that the managed policy `AWSElasticBeanstalkMulticontainerDocker` is attached so the required permissions for container management stay up-to-date. @@ -11 +11 @@ Elastic Beanstalk uses an Amazon ECS-optimized AMI with an Amazon ECS container -If you create your own instance profile, you can attach the `AWSElasticBeanstalkMulticontainerDocker` managed policy to make sure the permissions stay up-to-date. For instructions to create policies and roles in IAM, see [ Creating IAM Roles](http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-creatingrole.html) in the IAM User Guide. +If you use Elastic Beanstalk environment variables that are configured to access secrets or parameters that are stored in AWS Secrets Manager or AWS Systems Manager Parameter Store, you must customize your EC2 instance profile with additional permissions. For more information, see [Execution Role ARN format](./create_deploy_docker_v2config.html#create_deploy_docker_v2config_executionRoleArn_format).