AWS AWSCloudFormation high security documentation change
Summary
Added DisableSessionTags property, TargetRoleArn property, and ExternalId return value documentation for EKS Pod Identity associations
Security assessment
Added documentation for ExternalId to prevent confused deputy problem through trust policy conditions. DisableSessionTags controls security-related session tags. TargetRoleArn enables cross-account role assumption security patterns.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md index 233c49586..569f1836f 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-eks-podidentityassociation.md @@ -21,0 +22 @@ To declare this entity in your AWS CloudFormation template, use the following sy + "DisableSessionTags" : Boolean, @@ -25 +26,2 @@ To declare this entity in your AWS CloudFormation template, use the following sy - "Tags" : [ [Tag](./aws-properties-eks-podidentityassociation-tag.html), ... ] + "Tags" : [ [Tag](./aws-properties-eks-podidentityassociation-tag.html), ... ], + "TargetRoleArn" : String @@ -35,0 +38 @@ To declare this entity in your AWS CloudFormation template, use the following sy + DisableSessionTags: Boolean @@ -40,0 +44 @@ To declare this entity in your AWS CloudFormation template, use the following sy + TargetRoleArn: String @@ -57,0 +62,15 @@ _Required_ : Yes +`DisableSessionTags` + + +The state of the automatic sessions tags. The value of _true_ disables these tags. + +EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to AWS resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see [List of session tags added by EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags) in the _Amazon EKS User Guide_. + +_Required_ : No + + _Type_ : Boolean + + _Minimum_ : `1` + + _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) + @@ -61 +80 @@ _Required_ : Yes -The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace. +The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace. @@ -72 +91 @@ _Required_ : Yes -The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the pods that use this service account. +The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account. @@ -120,0 +140,13 @@ _Required_ : No +`TargetRoleArn` + + +The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod. + +_Required_ : No + + _Type_ : String + + _Minimum_ : `1` + + _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) + @@ -150,0 +183,7 @@ The ID of the association. +`ExternalId` + + +The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a `Condition` to match the `sts.ExternalId`. This ensures that the target role can only be assumed by this association. This prevents the _confused deputy problem_. For more information about the confused deputy problem, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the _IAM User Guide_. + +If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow `sts:AssumeRole` access from each role. +