AWS eks documentation change
Summary
Added requirement for AmazonS3FilesClientFullAccess policy to EKS CSI driver service accounts, updated IAM role creation commands to include the new policy
Security assessment
The change introduces a new IAM policy (AmazonS3FilesClientFullAccess) with explicit permissions (s3files:ClientMount, s3files:ClientWrite, s3files:ClientRootAccess) which documents security controls for S3 file system access. While it enhances security documentation by specifying required permissions, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/eks/latest/userguide/s3files-csi.md b/eks/latest/userguide/s3files-csi.md index c04b9fde5..a846d8959 100644 --- a//eks/latest/userguide/s3files-csi.md +++ b//eks/latest/userguide/s3files-csi.md @@ -49 +49 @@ The Amazon EFS CSI driver requires IAM permissions to interact with your file sy - * `efs-csi-controller-sa` — used by the controller, requires `AmazonS3FilesCSIDriverPolicy`. + * `efs-csi-controller-sa` — used by the controller, requires `AmazonS3FilesCSIDriverPolicy` and `AmazonS3FilesClientFullAccess`. @@ -52,0 +53,2 @@ The Amazon EFS CSI driver requires IAM permissions to interact with your file sy + * `AmazonS3FilesClientFullAccess` — grants permissions to mount and write to S3 file systems (`s3files:ClientMount`, `s3files:ClientWrite`, `s3files:ClientRootAccess`). + @@ -94 +96 @@ Run the following commands to create IAM roles and Pod Identity associations wit - --permission-policy-arns arn:aws:iam::aws:policy/service-role/AmazonS3FilesCSIDriverPolicy + --permission-policy-arns arn:aws:iam::aws:policy/service-role/AmazonS3FilesCSIDriverPolicy,arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess @@ -102 +104 @@ Run the following commands to create IAM roles and Pod Identity associations wit - --permission-policy-arns arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess,arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils + --permission-policy-arns arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess,arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess,arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils @@ -119,0 +122 @@ Run the following commands to create IAM roles with `eksctl`. Replace `my-cluste + --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \ @@ -129,0 +133 @@ Run the following commands to create IAM roles with `eksctl`. Replace `my-cluste + --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \ @@ -169,3 +173 @@ Run the following to create an IAM role with AWS Management Console. - 1. In the **Filter policies** box, enter `AmazonS3FilesCSIDriverPolicy`. - - 2. Select the check box to the left of the policy returned in the search. + 1. In the **Filter policies** box, enter `AmazonS3FilesCSIDriverPolicy`. Select the check box to the left of the policy returned in the search. Then search for and select `AmazonS3FilesClientFullAccess`. @@ -173 +175 @@ Run the following to create an IAM role with AWS Management Console. - 3. Choose **Next**. + 2. Choose **Next**. @@ -205 +207 @@ Run the following to create an IAM role with AWS Management Console. - 10. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. Then create a Pod Identity association with `efs-csi-node-sa` for the **Kubernetes service account** field. + 10. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3FilesClientFullAccess`, `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. Then create a Pod Identity association with `efs-csi-node-sa` for the **Kubernetes service account** field. @@ -223 +225 @@ Add the following line above the previous line. Replace `<region-code>` with the - 5. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. In the trust policy, use `efs-csi-node-sa` for the `:sub` condition value. + 5. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3FilesClientFullAccess`, `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. In the trust policy, use `efs-csi-node-sa` for the `:sub` condition value. @@ -263 +265 @@ Run the following commands to create IAM roles with AWS CLI. - 2. Attach the required AWS managed policy to the controller role. + 2. Attach the required AWS managed policies to the controller role. @@ -268,0 +271,4 @@ Run the following commands to create IAM roles with AWS CLI. + aws iam attach-role-policy \ + --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \ + --role-name $controller_role_name + @@ -277,0 +284,4 @@ Run the following commands to create IAM roles with AWS CLI. + aws iam attach-role-policy \ + --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \ + --role-name $node_role_name + @@ -339 +349 @@ If the output from the command is `None`, review the **Prerequisites**. - 3. Attach the required AWS managed policy to the controller role. + 3. Attach the required AWS managed policies to the controller role. @@ -344,0 +355,4 @@ If the output from the command is `None`, review the **Prerequisites**. + aws iam attach-role-policy \ + --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \ + --role-name $controller_role_name + @@ -376,0 +391,4 @@ If the output from the command is `None`, review the **Prerequisites**. + aws iam attach-role-policy \ + --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \ + --role-name $node_role_name +