Update aws-auth configmap documentation

[joebowbeer]

Describe the problem
The aws-auth configmap documentation needs an update, now that the Cluster Access Manager API has been added and is the preferred way to manage access of AWS IAM principals to Amazon EKS clusters.

Content to update:

• https://github.com/aws/aws-eks-best-practices/blob/master/content/reliability/docs/controlplane.md
• https://github.com/aws/aws-eks-best-practices/blob/master/content/security/docs/detective.md
• https://github.com/aws/aws-eks-best-practices/blob/master/content/security/docs/iam.md

The new Cluster Access Manager is mentioned in iam.md but there is a lot of old and possibly obsolete information preceding it. Suggestion: Move the aws-auth paragraph to the bottom and add a disclaimer.

The User Guide can also use an update. A lot of docs point to the following, which is now essentially obselete:

https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html#aws-auth-configmap

Users should be directed to the following instead?

https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html

References

• https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/
• [EKS] [request]: Manage IAM identity cluster access with EKS API containers-roadmap#185 (comment)

[rodrigobersa]

Hi @joebowbeer!

We are working on updating the Control Plane and Detective sections with content regarding Cluster Access Manager.

For the IAM section, since the aws-auth is not discontinued yet, we need to keep the documentation for it. As soon as it is not supported anymore, we can remove it. Same for the official Docs.

[joebowbeer]

@rodrigobersa good to hear.

Here are some basic corrections to IAM docs in their current form

#464

[rodrigobersa]

That's nice! Thanks for bringing those up @joebowbeer!

[joebowbeer]

@rodrigobersa I think some of the above has been addressed. (Cool!)

Remaining content to update:

• https://github.com/aws/aws-eks-best-practices/blob/master/content/reliability/docs/controlplane.md
• https://github.com/aws/aws-eks-best-practices/blob/master/content/security/docs/detective.md

These pages only mention aws-auth, e.g.,

https://github.com/aws/aws-eks-best-practices/blob/master/content/reliability/docs/controlplane.md#cluster-authentication

The detective page mentions logging changes to aws-auth and does not include instructions for logging changes to access entries, which I assume would be advisable.

New: I recommend mentioning mkat as a way to verify that IMDSv2 is not accessible from pods.