AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-06-16 · Documentation low

File: eks/latest/userguide/s3files-csi.md

Summary

Added requirement for AmazonS3FilesClientFullAccess policy to EKS CSI driver service accounts, updated IAM role creation commands to include the new policy

Security assessment

The change introduces a new IAM policy (AmazonS3FilesClientFullAccess) with explicit permissions (s3files:ClientMount, s3files:ClientWrite, s3files:ClientRootAccess) which documents security controls for S3 file system access. While it enhances security documentation by specifying required permissions, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/eks/latest/userguide/s3files-csi.md b/eks/latest/userguide/s3files-csi.md
index c04b9fde5..a846d8959 100644
--- a//eks/latest/userguide/s3files-csi.md
+++ b//eks/latest/userguide/s3files-csi.md
@@ -49 +49 @@ The Amazon EFS CSI driver requires IAM permissions to interact with your file sy
-  * `efs-csi-controller-sa` — used by the controller, requires `AmazonS3FilesCSIDriverPolicy`.
+  * `efs-csi-controller-sa` — used by the controller, requires `AmazonS3FilesCSIDriverPolicy` and `AmazonS3FilesClientFullAccess`.
@@ -52,0 +53,2 @@ The Amazon EFS CSI driver requires IAM permissions to interact with your file sy
+    * `AmazonS3FilesClientFullAccess` — grants permissions to mount and write to S3 file systems (`s3files:ClientMount`, `s3files:ClientWrite`, `s3files:ClientRootAccess`).
+
@@ -94 +96 @@ Run the following commands to create IAM roles and Pod Identity associations wit
-        --permission-policy-arns arn:aws:iam::aws:policy/service-role/AmazonS3FilesCSIDriverPolicy
+        --permission-policy-arns arn:aws:iam::aws:policy/service-role/AmazonS3FilesCSIDriverPolicy,arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess
@@ -102 +104 @@ Run the following commands to create IAM roles and Pod Identity associations wit
-        --permission-policy-arns arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess,arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils
+        --permission-policy-arns arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess,arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess,arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils
@@ -119,0 +122 @@ Run the following commands to create IAM roles with `eksctl`. Replace `my-cluste
+        --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \
@@ -129,0 +133 @@ Run the following commands to create IAM roles with `eksctl`. Replace `my-cluste
+        --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \
@@ -169,3 +173 @@ Run the following to create an IAM role with AWS Management Console.
-    1. In the **Filter policies** box, enter `AmazonS3FilesCSIDriverPolicy`.
-
-    2. Select the check box to the left of the policy returned in the search.
+    1. In the **Filter policies** box, enter `AmazonS3FilesCSIDriverPolicy`. Select the check box to the left of the policy returned in the search. Then search for and select `AmazonS3FilesClientFullAccess`.
@@ -173 +175 @@ Run the following to create an IAM role with AWS Management Console.
-    3. Choose **Next**.
+    2. Choose **Next**.
@@ -205 +207 @@ Run the following to create an IAM role with AWS Management Console.
-      10. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. Then create a Pod Identity association with `efs-csi-node-sa` for the **Kubernetes service account** field.
+      10. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3FilesClientFullAccess`, `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. Then create a Pod Identity association with `efs-csi-node-sa` for the **Kubernetes service account** field.
@@ -223 +225 @@ Add the following line above the previous line. Replace `<region-code>` with the
-      5. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. In the trust policy, use `efs-csi-node-sa` for the `:sub` condition value.
+      5. Repeat the above steps to create a second role for the node service account. On the **Add permissions** page, attach `AmazonS3FilesClientFullAccess`, `AmazonS3ReadOnlyAccess` and `AmazonElasticFileSystemsUtils` instead. In the trust policy, use `efs-csi-node-sa` for the `:sub` condition value.
@@ -263 +265 @@ Run the following commands to create IAM roles with AWS CLI.
-  2. Attach the required AWS managed policy to the controller role.
+  2. Attach the required AWS managed policies to the controller role.
@@ -268,0 +271,4 @@ Run the following commands to create IAM roles with AWS CLI.
+    aws iam attach-role-policy \
+      --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \
+      --role-name $controller_role_name
+
@@ -277,0 +284,4 @@ Run the following commands to create IAM roles with AWS CLI.
+        aws iam attach-role-policy \
+      --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \
+      --role-name $node_role_name
+    
@@ -339 +349 @@ If the output from the command is `None`, review the **Prerequisites**.
-  3. Attach the required AWS managed policy to the controller role.
+  3. Attach the required AWS managed policies to the controller role.
@@ -344,0 +355,4 @@ If the output from the command is `None`, review the **Prerequisites**.
+    aws iam attach-role-policy \
+      --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \
+      --role-name $controller_role_name
+
@@ -376,0 +391,4 @@ If the output from the command is `None`, review the **Prerequisites**.
+        aws iam attach-role-policy \
+      --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess \
+      --role-name $node_role_name
+