AWS eks documentation change
Summary
Added explicit IAM policy JSON examples for the eksctl managed policy and the IAM policy required for eksctl, replacing placeholder error messages.
Security assessment
The change adds detailed IAM policy documentation, which is security-related as it defines permissions and access controls. However, there is no evidence this change addresses a specific, disclosed security vulnerability or incident; it appears to be a routine documentation improvement to clarify required permissions.
Diff
diff --git a/eks/latest/eksctl/minimum-iam-policies.md b/eks/latest/eksctl/minimum-iam-policies.md index 8e2288545..17590328e 100644 --- a//eks/latest/eksctl/minimum-iam-policies.md +++ b//eks/latest/eksctl/minimum-iam-policies.md @@ -28 +28,36 @@ An AWS Managed Policy is created and administered by AWS. You cannot change the - # Error: No files found with UUID: 27ad3ff9-60be-4128-8b83-f8833a6e39aa + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "eks:*", + "Resource": "*" + }, + { + "Action": [ + "ssm:GetParameter", + "ssm:GetParameters" + ], + "Resource": [ + "arn:aws:ssm:*:123456789012:parameter/aws/*", + "arn:aws:ssm:*::parameter/aws/*" + ], + "Effect": "Allow" + }, + { + "Action": [ + "kms:CreateGrant", + "kms:DescribeKey" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Action": [ + "logs:PutRetentionPolicy" + ], + "Resource": "*", + "Effect": "Allow" + } + ] + } @@ -33 +68,72 @@ An AWS Managed Policy is created and administered by AWS. You cannot change the - # Error: No files found with UUID: 5500eeb9-bf3d-498d-999b-7f8036e705a5 + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:CreateInstanceProfile", + "iam:DeleteInstanceProfile", + "iam:GetInstanceProfile", + "iam:RemoveRoleFromInstanceProfile", + "iam:GetRole", + "iam:CreateRole", + "iam:DeleteRole", + "iam:AttachRolePolicy", + "iam:PutRolePolicy", + "iam:UpdateAssumeRolePolicy", + "iam:AddRoleToInstanceProfile", + "iam:ListInstanceProfilesForRole", + "iam:PassRole", + "iam:DetachRolePolicy", + "iam:DeleteRolePolicy", + "iam:GetRolePolicy", + "iam:GetOpenIDConnectProvider", + "iam:CreateOpenIDConnectProvider", + "iam:DeleteOpenIDConnectProvider", + "iam:TagOpenIDConnectProvider", + "iam:ListAttachedRolePolicies", + "iam:TagRole", + "iam:UntagRole", + "iam:GetPolicy", + "iam:CreatePolicy", + "iam:DeletePolicy", + "iam:ListPolicyVersions" + ], + "Resource": [ + "arn:aws:iam::123456789012:instance-profile/eksctl-*", + "arn:aws:iam::123456789012:role/eksctl-*", + "arn:aws:iam::123456789012:policy/eksctl-*", + "arn:aws:iam::123456789012:oidc-provider/*", + "arn:aws:iam::123456789012:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup", + "arn:aws:iam::123456789012:role/eksctl-managed-*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:GetUser" + ], + "Resource": [ + "arn:aws:iam::123456789012:role/*", + "arn:aws:iam::123456789012:user/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "eks.amazonaws.com", + "eks-nodegroup.amazonaws.com", + "eks-fargate.amazonaws.com" + ] + } + } + } + ] + }