AWS solutions documentation change
Summary
Updated authentication method from IAM Roles for Service Accounts (IRSA) to EKS Pod Identity and clarified automatic role creation. Fixed role mapping API paths.
Security assessment
The change documents a security feature update (EKS Pod Identity) which improves authentication security by avoiding long-lived credentials. No vulnerability is mentioned; it's a feature enhancement.
Diff
diff --git a/solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md b/solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md index 17962417e..39eef5e29 100644 --- a//solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md +++ b//solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md @@ -15 +15 @@ When you build systems on AWS infrastructure, security responsibilities are shar -AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution aims to create IAM roles with least privilege where resource access is required. The Amazon EKS deployment uses [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to associate IAM roles with the Kubernetes service accounts used by the Migration Console pod (`migration-console-access-role`) and the Argo workflow executor pods (`argo-workflow-executor`). This means the Migration Console and the migration jobs can authenticate to Amazon OpenSearch Service, Amazon OpenSearch Serverless, Amazon S3, AWS Secrets Manager, and other AWS services without long-lived credentials. +AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution aims to create IAM roles with least privilege where resource access is required. The Amazon EKS deployment uses [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to associate an IAM role with the Kubernetes service accounts used by the Migration Console pod (`migration-console-access-role`) and the Argo workflow executor pods (`argo-workflow-executor`). The IAM role is named `<eks-cluster-name>-migrations-role` and is created automatically by the CDK stack. This means the Migration Console and the migration jobs can authenticate to Amazon OpenSearch Service, Amazon OpenSearch Serverless, Amazon S3, AWS Secrets Manager, and other AWS services without long-lived credentials. @@ -27 +27 @@ Migration Assistant for Amazon OpenSearch Service allows accessing stored secret -If your Amazon OpenSearch Service domain has fine-grained access control (FGAC) enabled, the Migration Assistant IAM role must be mapped to a security role on the domain (typically `all_access` during migration, then scoped down). Authentication gets you to the domain; FGAC authorizes what you can do once you are in. Both must be in place. The role mapping API path differs by engine: Elasticsearch 7.x uses `/_opendistro/_security/api/rolesmapping/role`, and OpenSearch 1.x and later uses `/_plugins/_security/api/rolesmapping/role`. See [Troubleshooting](./troubleshooting.html) for details. +If your Amazon OpenSearch Service domain has fine-grained access control (FGAC) enabled, the Migration Assistant IAM role must be mapped to a security role on the domain (typically `all_access` during migration, then scoped down). Authentication gets you to the domain; FGAC authorizes what you can do once you are in. Both must be in place. The role mapping API path differs by engine: Elasticsearch 7.x uses `/_opendistro/_security/api/rolesmapping/<role>`, and OpenSearch 1.x and later uses `/_plugins/_security/api/rolesmapping/<role>`. See [Troubleshooting](./troubleshooting.html) for details.