crtr109 2025-08-05 14:26:57 +02:00 committed by GitHub
commit cba9b134f8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -9,9 +9,6 @@ Record Sets and Hosted Zones. You'll want to create this Policy in IAM first. In
our example, we'll call the policy `AllowExternalDNSUpdates` (but you can call our example, we'll call the policy `AllowExternalDNSUpdates` (but you can call
it whatever you prefer). it whatever you prefer).
If you prefer, you may fine-tune the policy to permit updates only to explicit
Hosted Zone IDs.
```json ```json
{ {
"Version": "2012-10-17", "Version": "2012-10-17",
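Review bot: dropping the sentence about fine-tuning the policy to explicit Hosted Zone IDs removes the only mention of zone scoping placed next to the policy itself; the `### Further improvements` section added at the end of this file covers the same advice, so a one-line pointer here (for example "see Further improvements below for scoping to specific zones") would keep readers of this policy block from missing it.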
@ -19,7 +16,9 @@ Hosted Zone IDs.
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets" "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
], ],
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/*" "arn:aws:route53:::hostedzone/*"
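Review bot: moving `route53:ListResourceRecordSets` and `route53:ListTagsForResources` into the statement resourced on `arn:aws:route53:::hostedzone/*` is the right direction, because a reader who later replaces that wildcard with explicit zone ARNs will then restrict record listing and tag reads to the same zones as updates; the surrounding prose does not mention this, so add a sentence stating that the zone-scoping advice now applies to all three actions in this statement.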
@ -28,9 +27,7 @@ Hosted Zone IDs.
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones", "route53:ListHostedZones"
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
], ],
"Resource": [ "Resource": [
"*" "*"
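Review bot: with the two list actions removed, `route53:ListHostedZones` is the only action left on `"Resource": ["*"]`, which is appropriate because that action does not take a hosted-zone resource and needs the wildcard; stating this in the text would stop readers from trying to narrow this statement as well when they follow the least-privilege advice.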
@ -51,7 +48,9 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"route53:ChangeResourceRecordSets" "route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
], ],
"Resource": [ "Resource": [
"arn:aws:route53:::hostedzone/*" "arn:aws:route53:::hostedzone/*"
@ -67,9 +66,7 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
{ {
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"route53:ListHostedZones", "route53:ListHostedZones"
"route53:ListResourceRecordSets",
"route53:ListTagsForResources"
], ],
"Resource": [ "Resource": [
"*" "*"
@ -79,6 +76,11 @@ You can use Attribute-based access control(ABAC) for advanced deployments.
} }
``` ```
### Further improvements
Both policies can be further enhanced by tightening them down following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
Explicitly providing a list of selected zones instead of `*` you can scope the deployment down allowing changes only to zones from the list hence reducing the blast radius and improving auditability.
Additional resources: Additional resources:
- AWS IAM actions [documentation](https://www.awsiamactions.io/?o=route53%3A) - AWS IAM actions [documentation](https://www.awsiamactions.io/?o=route53%3A)
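Review bot: the new paragraph tells readers to provide a list of zones "instead of `*`", but after this commit the only `"*"` resource left is on `route53:ListHostedZones`, which must stay a wildcard; the value to replace is `"arn:aws:route53:::hostedzone/*"` in the `ChangeResourceRecordSets` statement, one `"arn:aws:route53:::hostedzone/<ZONE_ID>"` entry per zone, so name that ARN explicitly. The sentence also reads awkwardly; suggest: "By explicitly listing selected zone ARNs instead of using the wildcard, you can scope the deployment down so that changes are allowed only to those zones, reducing the blast radius and improving auditability." Finally, add a blank line before `### Further improvements` and before `Additional resources:` so the heading and the list render separately from the closing code fence.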