In case somebody looks for a quick summary of "this" in "...and then this happened". There's no single "this". It was many steps and eventually AWS rolled out a fix a month later.
(One of the authors here) That's absolutely true. Not easy to summarize the hard work involved on all sides in a short title: finding an issue, communicating it to the security team and then resolving the issue.
A slightly longer version of 'this': AWS really swiftly acknowledged the issue and fixed it in the latest version of AWS CDK. In case you use the `eks.Cluster` component of the AWS CDK, and you use AWS CDK <v2.80.0 or <v1.202.0 you are affected by this issue, Update the CDK to resolve it.
If you want to learn more about what the issue was exactly, I'd be happy if you give the blog post a read :)
Totally agree, I was expecting AWS to have done something shocking in response to their finding. No need to undermine their own work with a clickbait title.
The clickbait title is undermines the seriousness of this issue.
In case it wasn’t explained clearly in this blog post, the IAM role that creates an EKS cluster becomes sort of the “principal” of the cluster and has default system:masters privileges. These permissions are typically handled by the aws-auth configmap, but for this initial creator of the cluster, as the article explains, is not added to this map but retains system:master permissions anyway. So making this CDK role tied to this invisible permission is quite a big deal.
As a best practice in my cluster creation automation I typically add the role that created the cluster to the aws-auth configmap right away. However, due to this bug, any clusters created with the flaw described in the article will pretty much need to be recreated from scratch, as I am not aware of a way to remove this invisible permission from EKS. It’s one of the “features” of EKS I’ve always hated the most.
I can’t believe no one noticed this in nearly 3 years.
6 comments
[ 3.1 ms ] story [ 28.3 ms ] threadA slightly longer version of 'this': AWS really swiftly acknowledged the issue and fixed it in the latest version of AWS CDK. In case you use the `eks.Cluster` component of the AWS CDK, and you use AWS CDK <v2.80.0 or <v1.202.0 you are affected by this issue, Update the CDK to resolve it.
If you want to learn more about what the issue was exactly, I'd be happy if you give the blog post a read :)
In case it wasn’t explained clearly in this blog post, the IAM role that creates an EKS cluster becomes sort of the “principal” of the cluster and has default system:masters privileges. These permissions are typically handled by the aws-auth configmap, but for this initial creator of the cluster, as the article explains, is not added to this map but retains system:master permissions anyway. So making this CDK role tied to this invisible permission is quite a big deal.
As a best practice in my cluster creation automation I typically add the role that created the cluster to the aws-auth configmap right away. However, due to this bug, any clusters created with the flaw described in the article will pretty much need to be recreated from scratch, as I am not aware of a way to remove this invisible permission from EKS. It’s one of the “features” of EKS I’ve always hated the most.
I can’t believe no one noticed this in nearly 3 years.