AWS eks medium security documentation change
Summary
Added multiple notes clarifying that specific access policies are restricted to AWS service-linked roles and cannot be used with customer-managed roles
Security assessment
The changes explicitly restrict policy usage to prevent potential privilege escalation through customer-managed roles. This clarifies security boundaries and prevents misconfiguration that could lead to unauthorized access.
Diff
diff --git a/eks/latest/userguide/access-policy-permissions.md b/eks/latest/userguide/access-policy-permissions.md index 2e638c6ca..a46e58039 100644 --- a//eks/latest/userguide/access-policy-permissions.md +++ b//eks/latest/userguide/access-policy-permissions.md @@ -143,0 +144,4 @@ If you manually specifiy a Node IAM role in a NodeClass, you need to create an A +###### Note + +This policy is designated for AWS service-linked roles only and cannot be used with customer-managed roles. + @@ -188,0 +193,4 @@ Amazon EKS automatically creates an access entry with this access policy for the +###### Note + +This policy is designated for AWS service-linked roles only and cannot be used with customer-managed roles. + @@ -203,0 +212,4 @@ Amazon EKS automatically creates an access entry with this access policy for the +###### Note + +This policy is designated for AWS service-linked roles only and cannot be used with customer-managed roles. + @@ -265,0 +278,4 @@ Amazon EKS automatically creates an access entry with this access policy for the +###### Note + +This policy is designated for AWS service-linked roles only and cannot be used with customer-managed roles. + @@ -429,0 +446,4 @@ Amazon EKS automatically creates an access entry with this access policy for the +###### Note + +This policy is designated for AWS service-linked roles only and cannot be used with customer-managed roles. + @@ -439,0 +460,4 @@ Kubernetes API groups | Kubernetes nonResourceURLs | Kubernetes resources | Kube +###### Note + +This policy is designated for AWS service-linked roles only and cannot be used with customer-managed roles. +