AWS prometheus medium security documentation change
Summary
Updated IAM role configuration with specific OIDC provider ARN and added 'aud' claim condition
Security assessment
Added 'aud' (audience) claim validation to OIDC conditions ensures tokens are intended for AWS STS, preventing token misuse. This addresses potential misconfigurations in IAM trust policies.
Diff
diff --git a/prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md b/prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md index 362786f43..9f1d540e7 100644 --- a//prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md +++ b//prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md @@ -44,0 +45,6 @@ The ADOT Collector will use this role when it scrapes and exports metrics. +JSON + + +**** + + @@ -51 +57 @@ The ADOT Collector will use this role when it scrapes and exports metrics. - "Federated": "arn:aws:iam::account-id:oidc-provider/oidc.eks.region.amazonaws.com/id/openid" + "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" @@ -56 +62,2 @@ The ADOT Collector will use this role when it scrapes and exports metrics. - "oidc.eks.region.amazonaws.com/id/openid:sub": "system:serviceaccount:adot-col:amp-iamproxy-ingest-service-account" + "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:adot-col:amp-iamproxy-ingest-service-account", + "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com" @@ -64,0 +73,6 @@ The ADOT Collector will use this role when it scrapes and exports metrics. +JSON + + +**** + +