AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-10 · Documentation low

File: eks/latest/userguide/argocd-considerations.md

Summary

Updated Argo CD documentation with IAM policy changes, security best practices, and clarifications. Key changes include replacing custom Secrets Manager policy with AWS managed policy, adding RBAC/access control notes, simplifying webhook URL instructions, and refining terminology.

Security assessment

The change replaces a custom IAM policy (with narrow resource restrictions) with the broader 'AWSSecretsManagerClientReadOnlyAccess' managed policy, which could potentially increase over-permissioning risks. However, it explicitly adds new security guidance about configuring repository access controls and RBAC policies. The removal of SSO recommendation doesn't indicate a security issue resolution but rather content reorganization. No evidence exists of addressing a specific vulnerability.

Diff

diff --git a/eks/latest/userguide/argocd-considerations.md b/eks/latest/userguide/argocd-considerations.md
index 9432d5937..15cf6115c 100644
--- a//eks/latest/userguide/argocd-considerations.md
+++ b//eks/latest/userguide/argocd-considerations.md
@@ -21,2 +20,0 @@ Before deploying Argo CD, consider the following:
-**Authentication method** : Decide whether to use AWS Identity Center for SSO or manage Argo CD users directly. SSO is recommended for production environments.
-
@@ -37 +35 @@ For detailed information about IAM Capability Roles, trust policies, and securit
-When you create an Argo CD capability resource, you provide an IAM Capability Role. Unlike ACK, Argo CD primarily manages Kubernetes resources, not AWS resources directly. However, the IAM role is required for:
+When you create an Argo CD capability resource, you provide an IAM Capability Role. Unlike ACK, Argo CD primarily manages Kubernetes resources, not AWS resources directly. However, the IAM Capability Role is required for:
@@ -77 +75 @@ Example:
-This limits Argo CD’s access to only the repositories it needs to manage.
+This limits the Argo CD capability’s access to only the repositories it needs to manage.
@@ -81 +79 @@ This limits Argo CD’s access to only the repositories it needs to manage.
-If you’re storing repository credentials in Secrets Manager, attach a policy with read permissions:
+If you’re storing repository credentials in Secrets Manager, attach the managed policy for read access:
@@ -84,13 +82,3 @@ If you’re storing repository credentials in Secrets Manager, attach a policy w
-    {
-      "Version": "2012-10-17",		 	 	 
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "secretsmanager:GetSecretValue",
-            "secretsmanager:DescribeSecret"
-          ],
-          "Resource": "arn:aws:secretsmanager:*:*:secret:argocd/*"
-        }
-      ]
-    }
+    arn:aws:iam::aws:policy/AWSSecretsManagerClientReadOnlyAccess
+
+This policy includes the necessary permissions: `secretsmanager:GetSecretValue`, `secretsmanager:DescribeSecret`, and KMS decrypt permissions.
@@ -163 +151 @@ When you register additional clusters with Argo CD:
-  3. Argo CD connects to each cluster to deploy applications and watch resources
+  3. Argo CD connects to each cluster to deploy and watch resources
@@ -239 +227 @@ For production use, consider using more restrictive Kubernetes groups instead of
-The Argo CD managed capability can deploy to fully private EKS clusters without requiring VPC peering or specialized networking configuration. AWS manages connectivity between the Argo CD capability and private remote clusters automatically.
+The Argo CD managed capability can deploy to fully private EKS clusters without requiring VPC peering or specialized networking configuration. AWS manages connectivity between the Argo CD capability and private remote clusters automatically. Ensure your repository access controls and Argo CD RBAC policies are properly configured.
@@ -260 +248 @@ No additional IAM role creation or trust policy configuration is required—EKS
-**Use declarative sources as the source of truth** : Store all your application manifests in Git repositories, Helm registries, or OCI images, enabling version control, audit trails, and collaboration.
+**Use declarative sources as the source of truth** : Store all your application manifests in declarative sources (Git repositories, Helm registries, or OCI images), enabling version control, audit trails, and collaboration.
@@ -307 +295 @@ Configure sync windows to control when applications can be synced:
-  * Use sync windows for break-glass scenarios where you need to temporarily stop all syncs
+  * Use sync windows in situations where you need to make changes and stop any syncs (break-glass scenarios)
@@ -331 +319 @@ Webhooks provide several benefits:
-The Argo CD capability provides a webhook endpoint for receiving Git notifications. Find the webhook URL in the EKS console under your cluster’s Capabilities tab, or retrieve it using the AWS CLI:
+The webhook URL follows the pattern `${serverUrl}/api/webhook`, where `serverUrl` is your Argo CD server URL.
@@ -332,0 +321 @@ The Argo CD capability provides a webhook endpoint for receiving Git notificatio
+For example, if your Argo CD server URL is ` [https://abc123.eks-capabilities.us-west-2.amazonaws.com](https://abc123.eks-capabilities.us-west-2.amazonaws.com) `, the webhook URL is:
@@ -334,6 +322,0 @@ The Argo CD capability provides a webhook endpoint for receiving Git notificatio
-    aws eks describe-capability \
-      --cluster-name my-cluster \
-      --capability-name my-argocd \
-      --query 'capability.configuration.argoCd.webhookUrl' \
-      --output text \
-      --region region-code
@@ -340,0 +324 @@ The Argo CD capability provides a webhook endpoint for receiving Git notificatio
+    https://abc123.eks-capabilities.us-west-2.amazonaws.com/api/webhook