AWS Security ChangesHomeSearch

AWS step-functions medium security documentation change

Service: step-functions · 2025-04-18 · Security-related medium

File: step-functions/latest/dg/connect-eks.md

Summary

Updated EKS integration examples: changed 'Parameters' to 'Arguments', replaced specific account IDs/regions with placeholders, and clarified IAM role ARN formatting in aws-auth ConfigMap examples

Security assessment

The change replaces hardcoded account IDs (123456789012) with 'account-id' placeholders and clarifies proper IAM role ARN formatting to exclude '/service-role/' paths. This prevents potential security misconfigurations where users might accidentally expose real account details or create incorrect role mappings that could lead to unauthorized access.

Diff

diff --git a/step-functions/latest/dg/connect-eks.md b/step-functions/latest/dg/connect-eks.md
index 374fa9851..a5efa533a 100644
--- a//step-functions/latest/dg/connect-eks.md
+++ b//step-functions/latest/dg/connect-eks.md
@@ -19 +19 @@ To learn about integrating with AWS services in Step Functions, see [Integrating
-  * There are no optimizations for the [Request Response](./connect-to-resource.html#connect-default) integration pattern.
+  * There are no specific optimizations for the [Request Response](./connect-to-resource.html#connect-default) integration pattern.
@@ -151 +151 @@ The following example includes a `Task` state that runs a job, waits for it to c
-          "Parameters": {
+          "Arguments": {
@@ -264 +264 @@ The following includes a `Task` state that uses `eks:call` to list the pods belo
-          "Parameters": {
+          "Arguments": {
@@ -290 +290 @@ The following includes a `Task` state that uses `eks:call` to delete the job `ex
-          "Parameters": {
+          "Arguments": {
@@ -381 +381 @@ The following includes a `Task` that creates an Amazon EKS cluster.
-          "Parameters": {
+          "Arguments": {
@@ -389 +389 @@ The following includes a `Task` that creates an Amazon EKS cluster.
-            "RoleArn": "arn:aws:iam::123456789012:role/MyEKSClusterRole"
+            "RoleArn": "arn:aws:iam::account-id:role/MyEKSClusterRole"
@@ -405 +405 @@ The following includes a `Task` state that deletes an Amazon EKS cluster.
-          "Parameters": {
+          "Arguments": {
@@ -422 +422 @@ The following includes a `Task` state that creates a Fargate profile.
-          "Parameters": {
+          "Arguments": {
@@ -425 +425 @@ The following includes a `Task` state that creates a Fargate profile.
-            "PodExecutionRoleArn": "arn:aws:iam::123456789012:role/MyFargatePodExecutionRole",
+            "PodExecutionRoleArn": "arn:aws:iam::account-id:role/MyFargatePodExecutionRole",
@@ -445 +445 @@ The following includes a `Task` state that deletes a Fargate profile.
-          "Parameters": {
+          "Arguments": {
@@ -463 +463 @@ The following includes a `Task` state that creates a node group.
-          "Parameters": {
+          "Arguments": {
@@ -466 +466 @@ The following includes a `Task` state that creates a node group.
-            "NodeRole": "arn:aws:iam::123456789012:role/MyNodeInstanceRole",
+            "NodeRole": "arn:aws:iam::account-id:role/MyNodeInstanceRole",
@@ -483 +483 @@ The following includes a `Task` state that deletes a node group.
-          "Parameters": {
+          "Arguments": {
@@ -498 +498 @@ You can add permission for additional IAM entities, such as users or roles, by a
-The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and grants `system:masters` permission to the user `arn:aws:iam::123456789012:user/my-user` and the IAM role `arn:aws:iam::123456789012:role/my-role`.
+The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and grants `system:masters` permission to the user `arn:aws:iam::`account-id`:user/my-user` and the IAM role `arn:aws:iam::`account-id`:role/my-role`.
@@ -507 +507 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and
-          "Parameters": {
+          "Arguments": {
@@ -510 +510 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and
-            "Endpoint": "https://444455556666.yl4.us-east-1.eks.amazonaws.com",
+            "Endpoint": "https://444455556666.yl4.region.eks.amazonaws.com",
@@ -521,2 +521,2 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and
-                 "mapUsers": "[{ \"userarn\": \"arn:aws:iam::123456789012:user/my-user\", \"username\": \"my-user\", \"groups\": [ \"system:masters\" ] } ]",
-                 "mapRoles": "[{ \"rolearn\": \"arn:aws:iam::123456789012:role/my-role\", \"username\": \"my-role\", \"groups\": [ \"system:masters\" ] } ]"
+                 "mapUsers": "[{ \"userarn\": \"arn:aws:iam::account-id:user/my-user\", \"username\": \"my-user\", \"groups\": [ \"system:masters\" ] } ]",
+                 "mapRoles": "[{ \"rolearn\": \"arn:aws:iam::account-id:role/my-role\", \"username\": \"my-role\", \"groups\": [ \"system:masters\" ] } ]"
@@ -532 +532 @@ The following includes a `Task` state that creates an `aws-auth` `ConfigMap` and
-You may see the ARN for an IAM role displayed in a format that includes the path **/service-role/** , such as `arn:aws:iam::123456789012:role/`service-role`/my-role`. This **service-role** path token should not be included when listing the role in `aws-auth`.
+You may see the ARN for an IAM role displayed in a format that includes the path **/service-role/** , such as `arn:aws:iam::`account-id`:role/`service-role`/my-role`. This **service-role** path token should not be included when listing the role in `aws-auth`.