AWS account administration updates
by James Russell
You're receiving this because your email is an Operations Contact for at
least 1 AWS account under the PGE Cloud Ops (PCO) Payer Account. [Is this
email wrong? Let us know. See below.]
*TLDR:*
- Heads up: some IAM roles will be installed in your AWS account(s).
- Each AWS account has been configured to forward AWS operational &
security notices to the Operations Contact (your email).
- A centrally-managed Jump Account is being established for Cost Center
admins.
IAM Roles to be installed
This is *advance* *warning* that the PCO team will install IAM roles into
your account *this week* to facilitate administration. These roles allow
Red Hat staff to STS::AssumeRole into your account in the following ways:
- Cost Center technical operations staff may enter accounts owned by that
cost center, with AdministratorAccess privileges. (This is equivalent to
the access that the Cost Center staff currently have via the old payer
accounts & OrganizationAccountAccessRole).
- InfoSec may enter all AWS accounts with Read-Only privileges, to
facilitate security incident response and security health checks.
- IT Hybrid Cloud Infra may enter an AWS account to install IAM roles that
support Single-Sign-On. (NB: This does *not* mean your account will
automatically convert to SSO. That decision is at your discretion, and will
be made available at a later date).
The roles are named:
- pco/pco-role-admin
- pco/pco-admin
- pco/pco-readonly
- pco/RedHatIT-HCI-SSO-admin
For those reviewing CloudTrail logs: The installation will be performed via
the OrganizationAccountAccessRole from the payer account 329260820478. Once
installed, the roles can only be assumed from the new Jump Account
(111502134595).
A Service Control Policy (SCP) will prevent deletion or modification of
these roles.
Security & Operational Contacts
Each account's "Alternate Contacts" have been configured so that Security &
Operations notices from AWS will be sent to the Operations Contact that we
have on file for the account. [You can inspect each account's operational
contacts in this spreadsheet
<https://docs.google.com/spreadsheets/d/1iAlX4yVPVEjAElZGn9rRLoWxMGOxCWzwr...>.
If any corrections need to be made, please add a comment on the cell.]
This means that you will receive notices from AWS such as credentials
leaks, EC2 retirement warnings, and required upgrades.
Jump Account
PCO is currently preparing a managed Jump Account for the Cost Center
administrators and Infosec, to support easily inspecting & administering
the accounts in their purview. This Jump Account is intended to replace the
retired ex-Payer Accounts that were often used as Jump Accounts for
individual cost center owners.
PCO will be in touch in the coming weeks with more information about the
new Jump Account.
If there are any questions or concerns, please let me know.
Thanks for your attention,
James Russell
--
James Russell
Product & Global Engineering Cloud Ops (PCO)
Red Hat Inc
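The arrangement described in the message above (pco/ roles assumable only from the Jump Account, role changes blocked by an SCP, installation done from the payer account) expressed as a CloudTrail audit check. This is an added example, not code from the original message or from PCO: the event field names follow CloudTrail's documented layout, the sample records are constructed, and 123456789012 / 999999999999 are placeholder account IDs.

```python
"""Flag CloudTrail events that contradict the stated pco/ role design."""

JUMP_ACCOUNT = "111502134595"   # only account that should assume the pco roles
PAYER_ACCOUNT = "329260820478"  # installs/maintains them via OrganizationAccountAccessRole
PCO_ROLES = {"pco-role-admin", "pco-admin", "pco-readonly", "RedHatIT-HCI-SSO-admin"}
ROLE_MUTATIONS = {"DeleteRole", "UpdateAssumeRolePolicy", "PutRolePolicy",
                  "AttachRolePolicy", "DetachRolePolicy", "DeleteRolePolicy"}


def role_name(event):
    """Return the pco role an event targets, or None if it targets something else.

    IAM events carry roleName; STS AssumeRole carries roleArn. Matching on the
    bare name is a simplification: DeleteRole etc. do not report the /pco/ path.
    """
    params = event.get("requestParameters") or {}
    name = params.get("roleName") or params.get("roleArn", "").rsplit("/", 1)[-1]
    return name if name in PCO_ROLES else None


def audit(events):
    """Return (finding, eventID) pairs for successful events that break the design."""
    findings = []
    for ev in events:
        name = role_name(ev)
        if name is None or "errorCode" in ev:   # not a pco role, or AWS already denied it
            continue
        caller = ev.get("userIdentity", {}).get("accountId")
        if ev["eventName"] == "AssumeRole" and caller != JUMP_ACCOUNT:
            findings.append((f"{name} assumed from unexpected account {caller}", ev["eventID"]))
        elif ev["eventName"] in ROLE_MUTATIONS and caller != PAYER_ACCOUNT:
            # The SCP is meant to block this; a success means the guard rail is not holding.
            findings.append((f"{ev['eventName']} on {name} succeeded despite SCP", ev["eventID"]))
    return findings


SAMPLE_EVENTS = [  # constructed records, not real CloudTrail output
    {"eventID": "e1", "eventName": "CreateRole", "userIdentity": {"accountId": PAYER_ACCOUNT},
     "requestParameters": {"roleName": "pco-admin", "path": "/pco/"}},
    {"eventID": "e2", "eventName": "AssumeRole", "userIdentity": {"accountId": JUMP_ACCOUNT},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/pco/pco-readonly"}},
    {"eventID": "e3", "eventName": "AssumeRole", "userIdentity": {"accountId": "999999999999"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/pco/pco-admin"}},
    {"eventID": "e4", "eventName": "DeleteRole", "userIdentity": {"accountId": "123456789012"},
     "requestParameters": {"roleName": "pco-admin"}, "errorCode": "AccessDenied"},
    {"eventID": "e5", "eventName": "UpdateAssumeRolePolicy", "userIdentity": {"accountId": "123456789012"},
     "requestParameters": {"roleName": "pco-readonly"}},
]

if __name__ == "__main__":
    for finding, event_id in audit(SAMPLE_EVENTS):
        print(event_id, finding)
```

On the constructed records only e3 (assumption from a foreign account) and e5 (a role policy change that the SCP should have denied) are reported; the expected install event and the denied delete are not.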
Re: podman-monitor@lists.podman.io post from jrussell@redhat.com requires approval
by Chris Evich
Tom, et al.,
I saw this, it's fine (not that we can say no). I don't think any of
this activity will impact CI operations at all. Worst case is we'll get
more (fake) Red-Alerts from that "Trusted Advisor" bot.
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If it ain't broke, your hammer isn't wide 'nough.
On 1/24/23 23:23, root(a)podman.io wrote:
> As list administrator, your authorization is requested for the
> following mailing list posting:
>
> List: podman-monitor(a)lists.podman.io
> From: jrussell(a)redhat.com
> Subject: AWS account administration updates
>
> The message is being held because:
>
> The message is not from a list member
>
> At your convenience, visit your dashboard to approve or deny the
> request.
Orphaned GCP VMs
by Do Not Reply
Detected 2 Orphan VM(s):
Orphaned libpod-218412 VMs:
* VM packer-63c6f61b-b883-70d3-90df-b859507229f8 running 7 days with labels 'release=fedora-37;sfx=230117f37p36u2204;src=prior-fedora-b230117f37p36u2204;stage=cache'
Orphaned AWS EC2 VMs:
* VM fedora-netavark-aws-arm64-c230117f37p36u2204 running 7 days
# Source: check_orphan_vms workflow on containers/automation_images.
This message was generated by an automated system. Replies to the sender will bounce, be ignored and discarded.