add cross-service-confused-deputy-prevention.adoc

fincd-aws · fincd-aws · commit 9fedf66b85d8 · 2025-08-19T15:41:53.000-07:00
diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc
@@ -19,6 +19,14 @@ https://docs.aws.amazon.com/eks/latest/userguide/doc-history.rss
 [.updates]
 == Updates
 
+[.update,date="2025-08-19"]
+=== Cross-service confused deputy prevention
+[.update-ulink]
+link:eks/latest/userguide/cross-service-confused-deputy-prevention.html[type="documentation"]
+
+Added a topic with an example trust policy that you can apply for Cross-service confused deputy prevention.
+Amazon EKS accepts the `aws:SourceArn` and `aws:SourceAccount` conditions in the trust policy of an EKS cluster role.
+
 [.update,date="2025-07-30"]
 === Amazon EKS platform version update
 [.update-ulink]
diff --git a/latest/ug/security/cross-service-confused-deputy-prevention.adoc b/latest/ug/security/cross-service-confused-deputy-prevention.adoc
@@ -0,0 +1,60 @@
+include::../attributes.txt[]
+
+[.topic]
+[#cross-service-confused-deputy-prevention]
+= Cross-service confused deputy prevention in Amazon EKS
+:info_titleabbrev: Cross-service confused deputy prevention
+
+The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In {aws}, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the <emphasis>calling service</emphasis>) calls another service (the <emphasis>called service</emphasis>). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, {aws} provides tools that help you protect your data for all services with service principals that have been given access to resources in your account.
+
+We recommend using the link:IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn[`aws:SourceArn`, type="documentation"], link:IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount[`aws:SourceAccount`, type="documentation"] global condition context keys in resource policies to limit the permissions that Amazon Elastic Kubernetes Service (Amazon EKS) gives another service to the resource.
+
+`aws:SourceArn`::
+Use `aws:SourceArn` to associate only one resource with cross-service access.
+
+`aws:SourceAccount`::
+Use `aws:SourceAccount` to let any resource in that account be associated with the cross-service use.
+
+The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the resource. If you don't know the full ARN of the resource or if you are specifying multiple resources, use the `aws:SourceArn` global context condition key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `{arn-aws}[.replaceable]``servicename``:*:[.replaceable]``123456789012``:*`.
+
+If the `aws:SourceArn` value does not contain the account ID, such as an Amazon S3 bucket ARN, you must use both `aws:SourceAccount` and `aws:SourceArn` to limit permissions.
+
+[#cross-service-confused-deputy-cluster-role]
+== Amazon EKS cluster role cross-service confused deputy prevention
+:info_titleabbrev: Amazon EKS cluster role
+
+An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
+These cluster actions can only affect the same account, so we recommend that you limit each cluster role to that cluster and account.
+This is a specific application of the {aws} recommendation to follow the _principle of least privilege_ in your account.
+
+*Source ARN format*
+
+The value of `aws:SourceArn` must be the ARN of an EKS cluster in the format `{arn-aws}:eks:[.replacable]``region``:[.replacable]``account``:cluster/[.replacable]``cluster-name```. For example, `{arn-aws}:eks:us-east-1:123456789012:cluster/my-cluster` .
+
+*Trust policy format for EKS cluster roles*
+
+The following example shows how you can use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in Amazon EKS to prevent the confused deputy problem.
+
+[source,json,subs="verbatim,attributes,quotes"]
+----
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "ArnLike": {
+          "aws:SourceArn": "{arn-aws}:eks:[.replaceable]`us-west-2`:[.replaceable]`123456789012`:cluster/[.replaceable]`my-cluster`"
+          },
+        "StringEquals": {
+            "aws:SourceAccount": "123456789012"
+        }
+      }
+    }
+  ]
+}
+----
diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc
@@ -19,3 +19,4 @@ include::infrastructure-security.adoc[leveloffset=+1]
 
 include::disaster-recovery-resiliency.adoc[leveloffset=+1]
 
+include::cross-service-confused-deputy-prevention.adoc[leveloffset=+1]

Original file line number	Diff line number	Diff line change
`@@ -19,3 +19,4 @@ include::infrastructure-security.adoc[leveloffset=+1]`
`19`	`19`
`20`	`20`	`include::disaster-recovery-resiliency.adoc[leveloffset=+1]`
`21`	`21`
	`22`	`+include::cross-service-confused-deputy-prevention.adoc[leveloffset=+1]`