AWS resilience-hub medium security documentation change
Summary
Added support for EKS access entries as recommended method for IAM role mapping, alongside existing aws-auth ConfigMap approach.
Security assessment
Mirrors the security improvement from the permissions guide by promoting access entries for secure role mapping. This provides consistent security guidance across documentation and addresses same potential misconfiguration risks.
Diff
diff --git a/resilience-hub/latest/userguide/next-gen-iam-reference.md b/resilience-hub/latest/userguide/next-gen-iam-reference.md index 24b45e69e..b240da3ea 100644 --- a//resilience-hub/latest/userguide/next-gen-iam-reference.md +++ b//resilience-hub/latest/userguide/next-gen-iam-reference.md @@ -146 +146 @@ This grants Next generation Resilience Hub read-only access to the Kubernetes re -**Step 2: Map the ResilienceHubRole to the Kubernetes group in aws-auth** +**Step 2: Map the IAM role to the Kubernetes group** @@ -148 +148,17 @@ This grants Next generation Resilience Hub read-only access to the Kubernetes re -Edit the aws-auth ConfigMap to map the IAM role you have created to the `resilience-hub-eks-access-group`: +Map the IAM role you created to the `resilience-hub-eks-access-group` Kubernetes group. You can use either Amazon EKS access entries (recommended) or the `aws-auth` ConfigMap. + +**Option A: Using EKS access entries (recommended)** + +EKS access entries are the preferred method for managing cluster authentication. Your cluster must use `API` or `API_AND_CONFIG_MAP` authentication mode. + + + aws eks create-access-entry \ + --cluster-name cluster-name \ + --principal-arn arn:aws:iam::ACCOUNT-ID:role/ResilienceHubRole \ + --type STANDARD \ + --kubernetes-groups '["resilience-hub-eks-access-group"]' + + +**Option B: Using aws-auth ConfigMap** + +If your cluster uses `CONFIG_MAP` or `API_AND_CONFIG_MAP` authentication mode, you can edit the aws-auth ConfigMap instead: @@ -182,0 +199,13 @@ Confirm the RBAC resources exist and the role mapping is in place: + + +If using access entries (Option A): + + + aws eks describe-access-entry \ + --cluster-name cluster-name \ + --principal-arn arn:aws:iam::ACCOUNT-ID:role/ResilienceHubRole + + +If using aws-auth ConfigMap (Option B): + +