AWS prometheus medium security documentation change
Summary
Updated OIDC provider ARN and added 'aud' claim condition for Grafana service account
Security assessment
Inclusion of 'aud' claim validation strengthens OIDC token verification, reducing risks of token replay attacks. This is a security best practice for IAM roles.
Diff
diff --git a/prometheus/latest/userguide/AMP-onboard-query-grafana-7.3.md b/prometheus/latest/userguide/AMP-onboard-query-grafana-7.3.md index b926911d6..b43fe9293 100644 --- a//prometheus/latest/userguide/AMP-onboard-query-grafana-7.3.md +++ b//prometheus/latest/userguide/AMP-onboard-query-grafana-7.3.md @@ -57,0 +58,6 @@ You then need to add the Grafana service account in the conditions of the trust +JSON + + +**** + + @@ -64 +70 @@ You then need to add the Grafana service account in the conditions of the trust - "Federated": "arn:aws:iam::account-id:oidc-provider/oidc.eks.aws_region.amazonaws.com/id/openid" + "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" @@ -69 +75 @@ You then need to add the Grafana service account in the conditions of the trust - "oidc.eks.region.amazonaws.com/id/openid:sub": [ + "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": [ @@ -72 +78,2 @@ You then need to add the Grafana service account in the conditions of the trust - ] + ], + "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"