aws-ia / terraform-aws-eks-blueprints-addons

Terraform module which provisions addons on Amazon EKS clusters
https://aws-ia.github.io/terraform-aws-eks-blueprints-addons/main/
Apache License 2.0
272 stars 127 forks

Is there a reason AWS Gateway API Controller has unbounded IAM permission to vpc-lattice? #401

Closed cls-aws closed 4 months ago

cls-aws commented 5 months ago


The AWS Gateway API Controller has vpc-lattice:* permission which gives it the ability to modify lattice control plane and configurations outside of this solution. Can it be scoped down?

https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/main/main.tf#L3583

It can also create any IAM service-linked role it wants, but this is less of a risk than the vpc-lattice permissions. https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/main/main.tf#L3584
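As an added check (not code from the module or from the issue author): a small Python audit that flags `Allow` statements granting a service-wide wildcard such as `vpc-lattice:*` without a resource or condition restriction. The sample policy is constructed to mirror the issue description and is not copied from `main.tf`.

```python
import json

# Constructed sample modelled on the issue description; NOT the module's actual policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["vpc-lattice:*", "iam:CreateServiceLinkedRole"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeVpcs", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_unbounded_grants(policy_json, watched_services=("vpc-lattice",)):
    """Return findings for Allow statements whose Action is a service-wide
    wildcard ('<service>:*' or bare '*') on a watched service, noting whether
    the statement is further scoped by Resource or Condition."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            service_wide = action == "*" or name == "*"
            watched = action == "*" or service in watched_services
            if service_wide and watched:
                findings.append({
                    "statement": idx,
                    "sid": stmt.get("Sid"),
                    "action": action,
                    "unrestricted_resource": "*" in resources,
                    "has_condition": bool(stmt.get("Condition")),
                })
    return findings


if __name__ == "__main__":
    for finding in find_unbounded_grants(SAMPLE_POLICY):
        print(finding)
```

Statements using `NotAction` are not evaluated by this check and should be reviewed by hand.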

bryantbiggs commented 4 months ago

It matches what the gateway controller policy recommends https://github.com/aws/aws-application-networking-k8s/blob/15d0899bb4ccaf4327ab3cac68d058d7d159b39e/config/iam/recommended-inline-policy.json#L7