AWS eks documentation change
Summary
Added requirement for 'eks:ListAccessEntries' IAM permission and clarified SSM policy reference
Security assessment
The change documents a new required IAM permission (eks:ListAccessEntries) for validating cluster access entries. While this improves security posture by enforcing proper access controls, there is no evidence it addresses an existing vulnerability. It adds security-related documentation to guide proper configuration.
Diff
diff --git a/eks/latest/userguide/hybrid-nodes-creds.md b/eks/latest/userguide/hybrid-nodes-creds.md index b19b67b05..eb8282d1e 100644 --- a//eks/latest/userguide/hybrid-nodes-creds.md +++ b//eks/latest/userguide/hybrid-nodes-creds.md @@ -21 +21,3 @@ The Hybrid Nodes IAM role must have the following permissions. - * Permissions for `nodeadm` to use the `eks:DescribeCluster` action to gather information about the cluster used for connecting hybrid nodes to the cluster. If you do not enable the `eks:DescribeCluster` action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to `nodeadm` when you run `nodeadm` init. + * Permissions for `nodeadm` to use the `eks:DescribeCluster` action to gather information about the cluster to which you want to connect hybrid nodes. If you do not enable the `eks:DescribeCluster` action, then you must pass your Kubernetes API endpoint, cluster CA bundle, and service IPv4 CIDR in the node configuration you pass to the `nodeadm init` command. + + * Permissions for `nodeadm` to use the `eks:ListAccessEntries` action to list the access entries on the cluster to which you want to connect hybrid nodes. If you do not enable the `eks:ListAccessEntries` action, then you must pass the `--skip cluster-access-validation` flag when you run the `nodeadm init` command. @@ -25 +27 @@ The Hybrid Nodes IAM role must have the following permissions. - * If using AWS SSM, permissions for `nodeadm` init to use AWS SSM hybrid activations as defined in the [aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) policy. + * If using AWS SSM, permissions for `nodeadm init` to use AWS SSM hybrid activations as defined in the [aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) policy.