AWS step-functions medium security documentation change
Summary
Updated EKS integration examples: changed 'Parameters' to 'Arguments', replaced specific account IDs/regions with placeholders, and clarified IAM role ARN formatting in aws-auth ConfigMap examples
Security assessment
The change replaces hardcoded account IDs (123456789012) with 'account-id' placeholders and clarifies proper IAM role ARN formatting to exclude '/service-role/' paths. This prevents potential security misconfigurations where users might accidentally expose real account details or create incorrect role mappings that could lead to unauthorized access.
Diff
diff --git a/step-functions/latest/dg/connect-eks.md b/step-functions/latest/dg/connect-eks.md index 374fa9851..a5efa533a 100644 --- a//step-functions/latest/dg/connect-eks.md +++ b//step-functions/latest/dg/connect-eks.md @@ -19 +19 @@ To learn about integrating with AWS services in Step Functions, see [Integrating - * There are no optimizations for the [Request Response](./connect-to-resource.html#connect-default) integration pattern. + * There are no specific optimizations for the [Request Response](./connect-to-resource.html#connect-default) integration pattern. @@ -151 +151 @@ The following example includes a `Task` state that runs a job, waits for it to c - "Parameters": { + "Arguments": { @@ -264 +264 @@ The following includes a `Task` state that uses `eks:call` to list the pods belo - "Parameters": { + "Arguments": { @@ -290 +290 @@ The following includes a `Task` state that uses `eks:call` to delete the job `ex - "Parameters": { + "Arguments": { @@ -381 +381 @@ The following includes a `Task` that creates an Amazon EKS cluster. - "Parameters": { + "Arguments": { @@ -389 +389 @@ The following includes a `Task` that creates an Amazon EKS cluster. - "RoleArn": "arn:aws:iam::123456789012:role/MyEKSClusterRole" + "RoleArn": "arn:aws:iam::account-id:role/MyEKSClusterRole" @@ -405 +405 @@ The following includes a `Task` state that deletes an Amazon EKS cluster. - "Parameters": { + "Arguments": { @@ -422 +422 @@ The following includes a `Task` state that creates a Fargate profile. - "Parameters": { + "Arguments": { @@ -425 +425 @@ The following includes a `Task` state that creates a Fargate profile. - "PodExecutionRoleArn": "arn:aws:iam::123456789012:role/MyFargatePodExecutionRole", + "PodExecutionRoleArn": "arn:aws:iam::account-id:role/MyFargatePodExecutionRole", @@ -445 +445 @@ The following includes a `Task` state that deletes a Fargate profile. - "Parameters": { + "Arguments": { @@ -463 +463 @@ The following includes a `Task` state that creates a node group. - "Parameters": { + "Arguments": { @@ -466 +466 @@ The following includes a `Task` state that creates a node group. - "NodeRole": "arn:aws:iam::123456789012:role/MyNodeInstanceRole", + "NodeRole": "arn:aws:iam::account-id:role/MyNodeInstanceRole", @@ -483 +483 @@ The following includes a `Task` state that deletes a node group. - "Parameters": { + "Arguments": { @@ -498 +498 @@ You can add permission for additional IAM entities, such as users or roles, by a -The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and grants `system:masters` permission to the user `arn:aws:iam::123456789012:user/my-user` and the IAM role `arn:aws:iam::123456789012:role/my-role`. +The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and grants `system:masters` permission to the user `arn:aws:iam::`account-id`:user/my-user` and the IAM role `arn:aws:iam::`account-id`:role/my-role`. @@ -507 +507 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and - "Parameters": { + "Arguments": { @@ -510 +510 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and - "Endpoint": "https://444455556666.yl4.us-east-1.eks.amazonaws.com", + "Endpoint": "https://444455556666.yl4.region.eks.amazonaws.com", @@ -521,2 +521,2 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and - "mapUsers": "[{ \"userarn\": \"arn:aws:iam::123456789012:user/my-user\", \"username\": \"my-user\", \"groups\": [ \"system:masters\" ] } ]", - "mapRoles": "[{ \"rolearn\": \"arn:aws:iam::123456789012:role/my-role\", \"username\": \"my-role\", \"groups\": [ \"system:masters\" ] } ]" + "mapUsers": "[{ \"userarn\": \"arn:aws:iam::account-id:user/my-user\", \"username\": \"my-user\", \"groups\": [ \"system:masters\" ] } ]", + "mapRoles": "[{ \"rolearn\": \"arn:aws:iam::account-id:role/my-role\", \"username\": \"my-role\", \"groups\": [ \"system:masters\" ] } ]" @@ -532 +532 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and -You may see the ARN for an IAM role displayed in a format that includes the path **/service-role/** , such as `arn:aws:iam::123456789012:role/`service-role`/my-role`. This **service-role** path token should not be included when listing the role in `aws-auth`. +You may see the ARN for an IAM role displayed in a format that includes the path **/service-role/** , such as `arn:aws:iam::`account-id`:role/`service-role`/my-role`. This **service-role** path token should not be included when listing the role in `aws-auth`.