AWS eks documentation change
Summary
Significant content reduction - removed detailed installation/configuration steps and replaced with references to separate documentation pages. The entire 'Prerequisites', 'Create IAM policy', 'Create IAM role', 'Install driver', 'Configure', 'Deploy sample app', and 'Remove driver' sections were deleted and replaced with links to dedicated pages.
Security assessment
The changes restructure documentation but don't directly address security vulnerabilities or add new security content. While IAM policy/role creation is security-related, the removal of these details doesn't indicate a security fix - it simply moves the documentation elsewhere. No evidence of addressing a specific vulnerability or weakness.
Diff
diff --git a/eks/latest/userguide/s3-csi.md b/eks/latest/userguide/s3-csi.md index bbdc08000..4e703bc47 100644 --- a//eks/latest/userguide/s3-csi.md +++ b//eks/latest/userguide/s3-csi.md @@ -5 +5 @@ -ConsiderationsPrerequisitesCreate an IAM policyCreate an IAM roleInstall the Mountpoint for Amazon S3 CSI driverConfigure Mountpoint for Amazon S3Deploy a sample applicationRemove Mountpoint for Amazon S3 CSI Driver +Considerations @@ -13 +13 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t -With the [Mountpoint for Amazon S3 Container Storage Interface (CSI) driver](https://github.com/awslabs/mountpoint-s3-csi-driver), your Kubernetes applications can access Amazon S3 objects through a file system interface, achieving high aggregate throughput without changing any application code. Built on [Mountpoint for Amazon S3](https://github.com/awslabs/mountpoint-s3), the CSI driver presents an Amazon S3 bucket as a volume that can be accessed by containers in Amazon EKS and self-managed Kubernetes clusters. This topic shows you how to deploy the Mountpoint for Amazon S3 CSI driver to your Amazon EKS cluster. +With the [Mountpoint for Amazon S3 Container Storage Interface (CSI) driver](https://github.com/awslabs/mountpoint-s3-csi-driver), your Kubernetes applications can access Amazon S3 objects through a file system interface, achieving high aggregate throughput without changing any application code. Built on [Mountpoint for Amazon S3](https://github.com/awslabs/mountpoint-s3), the CSI driver presents an Amazon S3 bucket as a volume that can be accessed by containers in Amazon EKS and self-managed Kubernetes clusters. @@ -34,426 +34 @@ Static provisioning refers to using an existing Amazon S3 bucket that is specifi -## Prerequisites - - * An existing AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see [Create an IAM OIDC provider for your cluster](./enable-iam-roles-for-service-accounts.html). - - * Version 2.12.3 or later of the AWS CLI installed and configured on your device or AWS CloudShell. - - * The `kubectl` command line tool is installed on your device or AWS CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see [Set up kubectl and eksctl](./install-kubectl.html). - - - - -## Create an IAM policy - -The Mountpoint for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM policy that grants the necessary permissions. - -The following example policy follows the IAM permission recommendations for Mountpoint. Alternatively, you can use the AWS managed policy [AmazonS3FullAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AmazonS3FullAccess$jsonEditor), but this managed policy grants more permissions than are needed for Mountpoint. - -For more information about the recommended permissions for Mountpoint, see [Mountpoint IAM permissions](https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions) on GitHub. - - 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). - - 2. In the left navigation pane, choose **Policies**. - - 3. On the **Policies** page, choose **Create policy**. - - 4. For **Policy editor** , choose **JSON**. - - 5. Under **Policy editor** , copy and paste the following: - -###### Important - -Replace `amzn-s3-demo-bucket1` with your own Amazon S3 bucket name. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "MountpointFullBucketAccess", - "Effect": "Allow", - "Action": [ - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket1" - ] - }, - { - "Sid": "MountpointFullObjectAccess", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:PutObject", - "s3:AbortMultipartUpload", - "s3:DeleteObject" - ], - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket1/*" - ] - } - ] - } - -Directory buckets, introduced with the Amazon S3 Express One Zone storage class, use a different authentication mechanism from general purpose buckets. Instead of using `s3:*` actions, you should use the `s3express:CreateSession` action. For information about directory buckets, see [Directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html) in the _Amazon S3 User Guide_. - -Below is an example of least-privilege policy that you would use for a directory bucket. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3express:CreateSession", - "Resource": "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket1--usw2-az1--x-s3" - } - ] - } - - 6. Choose **Next**. - - 7. On the **Review and create** page, name your policy. This example walkthrough uses the name `AmazonS3CSIDriverPolicy`. - - 8. Choose **Create policy**. - - - - -## Create an IAM role - -The Mountpoint for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM role to delegate these permissions. To create this role, you can use one of these tools: - - * eksctl - - * AWS Management Console - - * AWS CLI - - - - -###### Note - -The IAM policy `AmazonS3CSIDriverPolicy` was created in the previous section. - -### eksctl - -**To create your Mountpoint for Amazon S3 CSI driver IAM role with`eksctl` ** - -To create the IAM role and the Kubernetes service account, run the following commands. These commands also attach the `AmazonS3CSIDriverPolicy` IAM policy to the role, annotate the Kubernetes service account (`s3-csi-controller-sa`) with the IAM role’s Amazon Resource Name (ARN), and add the Kubernetes service account name to the trust policy for the IAM role. - - - CLUSTER_NAME=my-cluster - REGION=region-code - ROLE_NAME=AmazonEKS_S3_CSI_DriverRole - POLICY_ARN=AmazonEKS_S3_CSI_DriverRole_ARN - eksctl create iamserviceaccount \ - --name s3-csi-driver-sa \ - --namespace kube-system \ - --cluster $CLUSTER_NAME \ - --attach-policy-arn $POLICY_ARN \ - --approve \ - --role-name $ROLE_NAME \ - --region $REGION \ - --role-only - -### AWS Management Console - - 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). - - 2. In the left navigation pane, choose **Roles**. - - 3. On the **Roles** page, choose **Create role**. - - 4. On the **Select trusted entity** page, do the following: - - 1. In the **Trusted entity type** section, choose **Web identity**. - - 2. For **Identity provider** , choose the **OpenID Connect provider URL** for your cluster (as shown under **Overview** in Amazon EKS). - -If no URLs are shown, review the Prerequisites. - - 3. For **Audience** , choose `sts.amazonaws.com`. - - 4. Choose **Next**. - - 5. On the **Add permissions** page, do the following: - - 1. In the **Filter policies** box, enter AmazonS3CSIDriverPolicy. - -###### Note - -This policy was created in the previous section. - - 2. Select the check box to the left of the `AmazonS3CSIDriverPolicy` result that was returned in the search. - - 3. Choose **Next**. - - 6. On the **Name, review, and create** page, do the following: - - 1. For **Role name** , enter a unique name for your role, such as AmazonEKS_S3_CSI_DriverRole. - - 2. Under **Add tags (Optional)** , add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the _IAM User Guide_. - - 3. Choose **Create role**. - - 7. After the role is created, choose the role in the console to open it for editing. - - 8. Choose the **Trust relationships** tab, and then choose **Edit trust policy**. - - 9. Find the line that looks similar to the following: - - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com" - -Add a comma to the end of the previous line, and then add the following line after it. Replace `region-code` with the AWS Region that your cluster is in. Replace `EXAMPLED539D4633E53DE1B71EXAMPLE` with your cluster’s OIDC provider ID. - - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:s3-csi-driver-sa" - - 10. Ensure that the `Condition` operator is set to `"StringEquals"`. - - 11. Choose **Update policy** to finish. - - - - -### AWS CLI - - 1. View the OIDC provider URL for your cluster. Replace `my-cluster` with the name of your cluster. If the output from the command is `None`, review the Prerequisites. - - aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text -