Provide CloudWatch query to help customer identify clients sending re… #614
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…quests to global STS endpoint
kmala
reviewed
Dec 16, 2024
content/security/docs/iam.md
Outdated
|
|
||
| ### CloudWatch query to help users identify clients sending requests to global STS endpoint | ||
|
|
||
| Run CloudWatch query below to get ste endpoint. Run this If stsendpoint equals to "sts.amazonaws.com", then it is a global STS endpoint. |
…quests to global STS endpoint
kmala
previously approved these changes
Dec 16, 2024
content/security/docs/iam.md
Outdated
| If you're migrating an application from another AWS compute service, such as EC2, to EKS with IRSA, this is a particularly important detail. On other compute services initializing an AWS SDK session does not call AWS STS unless you instruct it to. | ||
|
|
||
|
|
There was a problem hiding this comment.
Can we add some wording around whats the recommendation, regional vs gloabl STS endpoint and place this part under this section Controlling Access to EKS Clusters.
Also, seems like the command mentioned in this section Controlling Access to EKS Clusters is missing the --region flag, we should update the sample command and the output from this command.
…quests to global STS endpoint
|
Hi we've migrated from markdown to asciidoc (official docs format for AWS). Please make the respective changes to the files in the folder: latest/bpg |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Provide CloudWatch query to help customer identify clients sending requests to global STS endpoint
Issue #, if available:
Description of changes:
Test on beta CO accounts. Got STS endpoint from authenticator logs:
time="2024-11-30T12:06:40Z" level=info msg="STS response" accesskeyid=ASIAABCDEFGGH accountid=123456789012 arn="arn:aws:sts::123456789012:assumed-role/AWSWesleyClusterManagerLambda-Add-AddonManagerRole-JOPQTE96H0BA/EKSClusterInsightsAuth" client="127.0.0.1:55380" method=POST path=/authenticate session=EKSClusterInsightsAuth stsendpoint=sts.us-west-2.amazonaws.com userid=AROACSJHFKKHJAHSJX
checkeded with global STS endpoint:
time="2024-12-06T11:46:59Z" level=info msg="STS response" accesskeyid=ASIAABCDEFGGH accountid=123456789012 arn="arn:aws:sts::123456789012:assumed-role/AmazonEKSClusterInsightsViewOnlyRole/EKSClusterInsightsAuth" client="127.0.0.1:60480" method=POST path=/authenticate session=EKSClusterInsightsAuth stsendpoint=sts.amazonaws.com userid=AROACSJHFKKHJAHSJX
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.