provide scoped down IAM permissions example (kubernetes-sigs#2283)

kishorj · Timothy-Dougherty · commit a8d895646faf · 2023-11-09T11:29:06.000+11:00
* provide reference to scope down IAM permissions

* scope down iam:CreateServiceLinkedRole permission
diff --git a/docs/deploy/installation.md b/docs/deploy/installation.md
@@ -34,6 +34,37 @@ If you are using the IMDSv2 you must set the hop limit to 2 or higher in order t
 The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions. 
 The IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles.
 
+!!!warning "Permissions with the least privileges"
+    The reference IAM policies contain the following permissive configuration:
+    ```
+    {
+        "Effect": "Allow",
+        "Action": [
+            "ec2:AuthorizeSecurityGroupIngress",
+            "ec2:RevokeSecurityGroupIngress"
+        ],
+        "Resource": "*"
+    },
+    ```
+    We recommend to further scope down this configuration based on the VPC ID. Replace REGION, ACCOUNT and VPC-ID with appropriate values
+    and add it to the above IAM permissions.
+    ```
+        "Condition": {
+           "ArnEquals": {
+                "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNT:vpc/VPC-ID"
+            }
+        }
+    ```
+    OR restrict access to security groups tagged for the particular k8s cluster. Replace CLUSTER-ID with your k8s cluster id and add it to
+    the above IAM permissions.
+    ```
+        "Condition": {
+            "Null": {
+                "aws:ResourceTag/kubernetes.io/cluster/CLUSTER-ID": "false"
+            }
+        }
+    ```
+
 1. Create IAM OIDC provider
     ```
     eksctl utils associate-iam-oidc-provider \
diff --git a/docs/install/iam_policy.json b/docs/install/iam_policy.json
@@ -1,10 +1,19 @@
 {
     "Version": "2012-10-17",
     "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "iam:CreateServiceLinkedRole",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [
-                "iam:CreateServiceLinkedRole",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeAddresses",
                 "ec2:DescribeAvailabilityZones",
diff --git a/docs/install/iam_policy_cn.json b/docs/install/iam_policy_cn.json
@@ -1,10 +1,19 @@
 {
     "Version": "2012-10-17",
     "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "iam:CreateServiceLinkedRole",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [
-                "iam:CreateServiceLinkedRole",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeAddresses",
                 "ec2:DescribeAvailabilityZones",
diff --git a/docs/install/iam_policy_us-gov.json b/docs/install/iam_policy_us-gov.json
@@ -1,10 +1,19 @@
 {
     "Version": "2012-10-17",
     "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "iam:CreateServiceLinkedRole",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [
-                "iam:CreateServiceLinkedRole",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeAddresses",
                 "ec2:DescribeAvailabilityZones",
