AWS Security ChangesHomeSearch

AWS rtb-fabric medium security documentation change

Service: rtb-fabric · 2026-05-16 · Security-related medium

File: rtb-fabric/latest/userguide/managed-endpoints.md

Summary

Added requirement for ASG hosts to only be IN_USE when available and expanded EKS RBAC setup instructions with access entries method

Security assessment

The change explicitly requires that only healthy hosts be marked IN_USE in ASGs, preventing potential traffic routing to compromised or unhealthy instances. This addresses security through availability controls and proper access configuration. Added EKS access entries method improves security over legacy ConfigMap approach.

Diff

diff --git a/rtb-fabric/latest/userguide/managed-endpoints.md b/rtb-fabric/latest/userguide/managed-endpoints.md
index 4a3177551..fc1a916e1 100644
--- a//rtb-fabric/latest/userguide/managed-endpoints.md
+++ b//rtb-fabric/latest/userguide/managed-endpoints.md
@@ -130 +130 @@ The role must also allow the following permissions in its permissions policies:
-You can enable application-level health checks to automatically route traffic only to healthy instances in your Auto Scaling groups. For more information, see [Health checks for Managed Endpoints](./health-checks-for-managed-endpoints.html). 
+For RTB Fabric to appropriately route traffic to healthy hosts, the provided ASG must **only** have hosts listed as IN_USE if they are available to take traffic. Ensure that hosts which are unhealthy, inactive, or running other services are not set as IN_USE in the provided ASG. You can enable application-level health checks to automatically route traffic only to healthy instances in your Auto Scaling groups. For more information, see [Health checks for Managed Endpoints](./health-checks-for-managed-endpoints.html). 
@@ -160 +160 @@ The IAM role must allow the services `rtbfabric.amazonaws.com` and `rtbfabric-en
-The role does not need to have any IAM policies attached to it, but must be associated with EKS cluster's RBAC to authorize RTB Fabric to discover IP targets in the cluster:
+The role does not need to have any IAM policies attached to it, but must be associated with your EKS cluster's RBAC to authorize RTB Fabric to discover IP targets in the cluster. First, create the Kubernetes Role and RoleBinding:
@@ -187,0 +188,20 @@ The role does not need to have any IAM policies attached to it, but must be asso
+
+Then, map the IAM role to the Kubernetes user using one of the following methods:
+
+**Option 1: EKS access entries (recommended)**
+
+For EKS clusters running Kubernetes 1.23 or later, use the EKS access entry API to map the IAM role. This is the recommended approach and is the default authentication mode for new EKS clusters.
+    
+    
+    $ aws eks create-access-entry \
+    --cluster-name my-cluster \
+    --principal-arn arn:aws:iam::242201309515:role/RtbFabricRoleForEksEndpointsManagedEndpoint \
+    --kubernetes-user rtbfabric-integration
+
+**Option 2: aws-auth ConfigMap (legacy)**
+
+###### Note
+
+The `aws-auth` ConfigMap method is deprecated for EKS clusters that use the EKS API authentication mode (which is the default for new clusters). If your cluster uses the `CONFIG_MAP` or `API_AND_CONFIG_MAP` authentication mode, you can still use this method. For more information, see [EKS access entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html) in the _Amazon EKS User Guide_.
+    
+