AWS eks medium security documentation change
Summary
Added ec2:DeleteNetworkInterfaces permission to AmazonEKSClusterPolicy for cleaning up orphaned network interfaces from VPC CNI failures
Security assessment
Explicitly documents added IAM permission to address potential security risks from lingering network interfaces. The change log states this addition helps prevent resource leakage that could create security exposure.
Diff
diff --git a/eks/latest/userguide/security-iam-awsmanpol.md b/eks/latest/userguide/security-iam-awsmanpol.md index 628a7b306..e70b8e5ef 100644 --- a//eks/latest/userguide/security-iam-awsmanpol.md +++ b//eks/latest/userguide/security-iam-awsmanpol.md @@ -47,0 +48,2 @@ This policy includes the following permissions that allow Amazon EKS to complete + * **`ec2` ** \- Delete elastic network interfaces that are created by the VPC CNI. This is required so that EKS can clean up elastic network interfaces that are left behind if the VPC CNI quits unexpectedly. + @@ -416,0 +419 @@ Change | Description | Date +Added permissions to AmazonEKSClusterPolicy. | Added `ec2:DeleteNetworkInterfaces` permission to allow Amazon EKS to delete elastic network interfaces that are left behind if the VPC CNI quits unexpectedly. | April 16, 2023