AWS Security ChangesHomeSearch

AWS resilience-hub medium security documentation change

Service: resilience-hub · 2026-06-04 · Security-related medium

File: resilience-hub/latest/userguide/next-gen-iam-permissions.md

Summary

Added support for EKS access entries as recommended method for IAM role mapping, alongside existing aws-auth ConfigMap approach.

Security assessment

Introduces more secure Kubernetes authentication method (access entries) that reduces dependency on ConfigMaps, which could be misconfigured. This addresses potential privilege escalation risks in EKS cluster access configuration.

Diff

diff --git a/resilience-hub/latest/userguide/next-gen-iam-permissions.md b/resilience-hub/latest/userguide/next-gen-iam-permissions.md
index 3fbfe8e81..85f0d170d 100644
--- a//resilience-hub/latest/userguide/next-gen-iam-permissions.md
+++ b//resilience-hub/latest/userguide/next-gen-iam-permissions.md
@@ -146 +146 @@ This grants Next generation Resilience Hub read-only access to the Kubernetes re
-**Step 2: Map the ResilienceHubRole to the Kubernetes group in aws-auth**
+**Step 2: Map the IAM role to the Kubernetes group**
@@ -148 +148,17 @@ This grants Next generation Resilience Hub read-only access to the Kubernetes re
-Edit the aws-auth ConfigMap to map the IAM role you have created to the `resilience-hub-eks-access-group`:
+Map the IAM role you created to the `resilience-hub-eks-access-group` Kubernetes group. You can use either Amazon EKS access entries (recommended) or the `aws-auth` ConfigMap.
+
+**Option A: Using EKS access entries (recommended)**
+
+EKS access entries are the preferred method for managing cluster authentication. Your cluster must use `API` or `API_AND_CONFIG_MAP` authentication mode.
+    
+    
+    aws eks create-access-entry \
+      --cluster-name cluster-name \
+      --principal-arn arn:aws:iam::ACCOUNT-ID:role/ResilienceHubRole \
+      --type STANDARD \
+      --kubernetes-groups '["resilience-hub-eks-access-group"]'
+      
+
+**Option B: Using aws-auth ConfigMap**
+
+If your cluster uses `CONFIG_MAP` or `API_AND_CONFIG_MAP` authentication mode, you can edit the aws-auth ConfigMap instead:
@@ -182,0 +199,13 @@ Confirm the RBAC resources exist and the role mapping is in place:
+      
+
+If using access entries (Option A):
+    
+    
+    aws eks describe-access-entry \
+      --cluster-name cluster-name \
+      --principal-arn arn:aws:iam::ACCOUNT-ID:role/ResilienceHubRole
+      
+
+If using aws-auth ConfigMap (Option B):
+    
+