From 94e216d407578931a46cb09da1b7a5f8d29f32ab Mon Sep 17 00:00:00 2001
From: guessi
Date: Fri, 30 May 2025 09:18:20 +0800
Subject: [PATCH] chore(iam): follow the best practice to use "AmazonEC2ContainerRegistryPullOnly" only
---
 .../resources/com/amazonaws/cdk/EksFargateStackExpected.json | 2 +-
 .../java/com/amazonaws/cdk/examples/EksPrivateClusterStack.java | 2 +-
 typescript/eks/cluster/index.ts | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/java/eks/fargate-cluster/src/test/resources/com/amazonaws/cdk/EksFargateStackExpected.json b/java/eks/fargate-cluster/src/test/resources/com/amazonaws/cdk/EksFargateStackExpected.json
index 0d63e518fe..a5ad6720f4 100644
--- a/java/eks/fargate-cluster/src/test/resources/com/amazonaws/cdk/EksFargateStackExpected.json
+++ b/java/eks/fargate-cluster/src/test/resources/com/amazonaws/cdk/EksFargateStackExpected.json
@@ -104,7 +104,7 @@
 {
 "Ref": "AWS::Partition"
 },
- ":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+ ":iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
 ]
 ]
 },
diff --git a/java/eks/private-cluster/src/main/java/com/amazonaws/cdk/examples/EksPrivateClusterStack.java b/java/eks/private-cluster/src/main/java/com/amazonaws/cdk/examples/EksPrivateClusterStack.java
index 7b6dfa4e26..80d8ba4e87 100644
--- a/java/eks/private-cluster/src/main/java/com/amazonaws/cdk/examples/EksPrivateClusterStack.java
+++ b/java/eks/private-cluster/src/main/java/com/amazonaws/cdk/examples/EksPrivateClusterStack.java
@@ -175,7 +175,7 @@ private void createBastion(Role clusterAdmin) {
 client
 .getRole()
 .addManagedPolicy(
- ManagedPolicy.fromAwsManagedPolicyName("AmazonEC2ContainerRegistryReadOnly"));
+ ManagedPolicy.fromAwsManagedPolicyName("AmazonEC2ContainerRegistryPullOnly"));
 // access to read assets from S3 bucket e.g. kubectl, awscliv2, etc
 client
 .getRole()
diff --git a/typescript/eks/cluster/index.ts b/typescript/eks/cluster/index.ts
index d5ea4fb62b..71d6fe73d5 100644
--- a/typescript/eks/cluster/index.ts
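Review bot: The expected-template snapshot for the fargate-cluster example is changed to AmazonEC2ContainerRegistryPullOnly, but per the diffstat no source file under java/eks/fargate-cluster is touched by this commit, so the new expectation presumably comes from the default managed policy that aws-cdk-lib attaches to the Fargate role rather than from code in this repository. If that is the case, the test only passes once the module's pinned aws-cdk-lib version is one that emits PullOnly, and the pin (not shown here) should be confirmed and the dependency mentioned in the commit message. If the policy is instead set explicitly somewhere in that example's source, that file is missing from this patch.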
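Review bot: The bastion's role now loses the ECR Describe*/List* actions that AmazonEC2ContainerRegistryReadOnly granted — PullOnly, as I recall it, covers only authorization-token retrieval, layer-availability checks and image/layer download — and nothing near the addManagedPolicy call records that this narrowing is intentional. If the bastion is used interactively (the next context line suggests tooling such as kubectl and awscliv2 is fetched to it), an operator running ECR describe or list calls from it will get AccessDenied, which is the right least-privilege outcome but should be documented so it is not "fixed" back to ReadOnly. I would add above the `client` chain: `// pull-only ECR access: enough to authenticate and pull images; describe/list calls are deliberately not granted`. The same note applies to the worker-node role in typescript/eks/cluster/index.ts, where pull-only is exactly what the node needs. createBastion starts and ends outside the hunk.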
+++ b/typescript/eks/cluster/index.ts
@@ -51,7 +51,7 @@ class EKSCluster extends cdk.Stack {
 assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
 managedPolicies: [
 "AmazonEKSWorkerNodePolicy",
- "AmazonEC2ContainerRegistryReadOnly",
+ "AmazonEC2ContainerRegistryPullOnly",
 "AmazonEKS_CNI_Policy",
 ].map((policy) => iam.ManagedPolicy.fromAwsManagedPolicyName(policy)),
 }),