AWS rosa documentation change
Summary
Updated ROSANodePoolManagementPolicy to include permissions for tagging network interfaces attached to worker nodes
Security assessment
The change adds resource tagging permissions which is an operational feature rather than a security control. No evidence of addressing a security vulnerability or adding security-specific capabilities is present in the diff.
Diff
diff --git a/rosa/latest/userguide/security-iam-awsmanpol.md b/rosa/latest/userguide/security-iam-awsmanpol.md index d69de9830..e9164bd02 100644 --- a//rosa/latest/userguide/security-iam-awsmanpol.md +++ b//rosa/latest/userguide/security-iam-awsmanpol.md @@ -226 +226 @@ You can attach `ROSANodePoolManagementPolicy` to your IAM entities. You must att -This policy grants required permissions to the NodePool controller to describe, run, and terminate Amazon EC2 instances managed as worker nodes. This policy also grants permissions to allow for disk encryption of the worker node root volume using AWS KMS keys. For more information about this controller, see [Controller architecture](https://hypershift-docs.netlify.app/reference/controller-architecture/) in the OpenShift documentation. +This policy grants required permissions to the NodePool controller to describe, run, and terminate Amazon EC2 instances managed as worker nodes. This policy also grants permissions to allow for disk encryption of the worker node root volume using AWS KMS keys, and to tag the elastic network interface that is attached to the worker node. For more information about this controller, see [Controller architecture](https://hypershift-docs.netlify.app/reference/controller-architecture/) in the OpenShift documentation. @@ -284,0 +285 @@ Change | Description | Date +ROSANodePoolManagementPolicy — Policy updated | ROSA updated the policy to allow tagging of the elastic network interface that is attached to the worker node. To learn more, see AWS managed policy: ROSANodePoolManagementPolicy. | May 5, 2025