crtr109 2025-08-05 14:26:57 +02:00 committed by GitHub
commit cba9b134f8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -9,9 +9,6 @@ Record Sets and Hosted Zones. You'll want to create this Policy in IAM first. In
our example, we'll call the policy `AllowExternalDNSUpdates` (but you can call
it whatever you prefer).
If you prefer, you may fine-tune the policy to permit updates only to explicit
Hosted Zone IDs.
```json
{
"Version": "2012-10-17",
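Review bot: dropping the sentence "If you prefer, you may fine-tune the policy to permit updates only to explicit Hosted Zone IDs" leaves this introduction with no pointer to zone scoping at all, and readers who copy the first policy and stop reading will miss it. Since that guidance now lives in the new "Further improvements" section at the end of the file, add a one-line cross-reference here, e.g. "See Further improvements below for restricting this policy to specific hosted zones."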
@ -19,7 +16,9 @@ Hosted Zone IDs.
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
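Review bot: moving `route53:ListResourceRecordSets` and `route53:ListTagsForResources` into the statement scoped to `arn:aws:route53:::hostedzone/*` is the right least-privilege direction, since both actions accept hosted-zone resource ARNs, but the text should say what happens when this `Resource` list is later narrowed to specific zone ARNs: any zone returned by `ListHostedZones` that is not in the list will be denied on the record and tag listing calls, so the deployment should be started with a matching zone filter rather than relying on the policy alone to exclude zones.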
@ -28,9 +27,7 @@ Hosted Zone IDs.
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
"route53:ListHostedZones"
],
"Resource": [
"*"
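Review bot: leaving only `route53:ListHostedZones` on `"Resource": ["*"]` is correct, because that action does not support resource-level permissions, but nothing in the surrounding text explains why this one statement must keep the wildcard while the other was tightened. Add a short sentence next to the policy (or in "Further improvements") stating that `ListHostedZones` cannot be scoped to a zone ARN, so readers do not "fix" it into a denied call; the removal of the trailing comma after the last action also keeps the JSON valid.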
@ -51,7 +48,9 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
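Review bot: in the ABAC variant this statement is the one readers are expected to pair with a tag-based `Condition`, and if that condition is applied to `route53:ListTagsForResources` as well, the call that discovers which zones carry the tag can itself be denied for zones that do not yet match. Verify that the listing actions added here still succeed for every zone external-dns enumerates under the documented ABAC condition, or note that the two list actions may need a statement without the tag condition.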
@ -67,9 +66,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
{
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
"route53:ListHostedZones"
],
"Resource": [
"*"
@ -79,6 +76,11 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
}
```
### Further improvements
Both policies can be further enhanced by tightening them down following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
Explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
Additional resources:
- AWS IAM actions [documentation](https://www.awsiamactions.io/?o=route53%3A)
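Review bot: the sentence "Explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability" has a dangling modifier and runs on; suggest "By listing specific hosted zone ARNs instead of `*`, you scope the deployment down to those zones, reducing the blast radius and improving auditability." It should also say which `Resource` entry this applies to, since `ListHostedZones` above must stay on `*`. The "Additional resources" link points at a third-party site; prefer the official Service Authorization Reference for Route 53 (https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html), which lists the resource types each action supports. Minor: the context line "Attribute-based access control(ABAC)" is missing a space before the parenthesis.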