AWS Security ChangesHomeSearch

AWS eks medium security documentation change

Service: eks · 2025-05-25 · Security-related medium

File: eks/latest/userguide/cluster-dashboard-orgs.md

Summary

Added 'Minimum IAM policies required' section detailing specific permissions needed for enabling trusted access and delegating administrators in EKS Dashboard integration with AWS Organizations

Security assessment

The change introduces explicit minimum IAM policies required for service access delegation, enforcing least privilege principles. This directly addresses potential over-permissioning risks by specifying exact required permissions, reducing attack surface from excessive privileges.

Diff

diff --git a/eks/latest/userguide/cluster-dashboard-orgs.md b/eks/latest/userguide/cluster-dashboard-orgs.md
index f8c8ef99e..3093a1866 100644
--- a//eks/latest/userguide/cluster-dashboard-orgs.md
+++ b//eks/latest/userguide/cluster-dashboard-orgs.md
@@ -5 +5 @@
-Enable trusted accessDisable trusted accessEnable a delegated administrator accountDisable a delegated administrator account
+Enable trusted accessDisable trusted accessEnable a delegated administrator accountDisable a delegated administrator accountMinimum IAM policies required
@@ -137,0 +138,55 @@ Disabling a delegated administrator removes the account’s permission to access
+## Minimum IAM policies required
+
+This section outlines the minimum IAM policies required to enable trusted access and delegate an administrator for the EKS Dashboard integration with AWS Organizations.
+
+### Policies for enabling trusted access
+
+To enable trusted access between EKS Dashboard and AWS Organizations, you need the following permissions:
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:EnableAWSServiceAccess",
+                    "organizations:DescribeOrganization",
+                    "organizations:ListAWSServiceAccessForOrganization"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "iam:CreateServiceLinkedRole"
+                ],
+                "Resource": "arn:aws:iam::*:role/aws-service-role/dashboard.eks.amazonaws.com/AWSServiceRoleForAmazonEKSDashboard"
+            }
+        ]
+    }
+
+### Policies for delegating an administrator
+
+To register or deregister a delegated administrator for the EKS Dashboard, you need the following permissions:
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:RegisterDelegatedAdministrator",
+                    "organizations:DeregisterDelegatedAdministrator",
+                    "organizations:ListDelegatedAdministrators"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+
+###### Note
+
+These policies must be attached to the IAM principal (user or role) in the management account of your AWS Organization. Member accounts cannot enable trusted access or delegate administrators.
+