In case it wasn't clear, this is the note I was replying to, with:
"""
I saw this, it's fine (not that we can say no). I don't think any of
this activity will impact CI operations at all. Worst case is we'll get
more (fake) Red-Alerts from that "Trusted Advisor" bot.
"""
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If it ain't broke, your hammer isn't wide 'nough.
On 1/24/23 23:23, James Russell wrote:
You're receiving this because your email is an Operations Contact
for at
least 1 AWS account under the PGE Cloud Ops (PCO) Payer Account. [Is
this email wrong? Let us know. See below.]
*TLDR:*
* Heads up: some IAM roles will be installed in your AWS account(s).
* Each AWS account has been configured to forward AWS operational &
security notices to the Operations Contact (your email).
* A centrally-managed Jump Account is being established for Cost
Center admins.
IAM Roles to be installed
This is *advance warning* that the PCO team will install IAM roles
into your account *this week* to facilitate administration. These roles
allow Red Hat staff to STS::AssumeRole into your account in the
following ways:
- Cost Center technical operations staff may enter accounts owned by
that cost center, with AdministratorAccess privileges. (This is
equivalent to the access that the Cost Center staff currently have via
the old payer accounts & OrganizationAccountAccessRole).
- InfoSec may enter all AWS accounts with Read-Only privileges, to
facilitate security incident response and security health checks.
- IT Hybrid Cloud Infra may enter an AWS account to install IAM roles
that support Single-Sign-On. (NB: This does _not_ mean your account will
automatically convert to SSO. That decision is at your discretion, and
will be made available at a later date).
The roles are named:
- pco/pco-role-admin
- pco/pco-admin
- pco/pco-readonly
- pco/RedHatIT-HCI-SSO-admin
For those reviewing CloudTrail logs: The installation will be performed
via the OrganizationAccountAccessRole from the payer
account 329260820478. Once installed, the roles can only be assumed from
the new Jump Account (111502134595).
A Service Control Policy (SCP) will prevent deletion or modification of
these roles.
Security & Operational Contacts
Each account's "Alternate Contacts" have been configured so that
Security & Operations notices from AWS will be sent to the Operations
Contact that we have on file for the account. [You can inspect each
account's operational contacts in this spreadsheet
<https://docs.google.com/spreadsheets/d/1iAlX4yVPVEjAElZGn9rRLoWxMGOxCWzwr...>.
If any corrections need to be made, please add a comment on the cell.]
This means that you will receive notices from AWS such as credentials
leaks, EC2 retirement warnings, and required upgrades.
Jump Account
PCO is currently preparing a managed Jump Account for the Cost Center
administrators and Infosec, to support easily inspecting & administering
the accounts in their purview. This Jump Account is intended to replace
the retired ex-Payer Accounts that were often used as Jump Accounts for
individual cost center owners.
PCO will be in touch in the coming weeks with more information about the
new Jump Account.
If there are any questions or concerns, please let me know.
Thanks for your attention,
James Russell
--
James Russell
Product & Global Engineering Cloud Ops (PCO)
Red Hat Inc
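For anyone reviewing CloudTrail as the announcement suggests, the following is an added example (not part of this thread or the PCO team's tooling) that checks records against the three rules stated above: /pco/ roles are changed only by OrganizationAccountAccessRole sessions, that role is assumed only from the payer account, and the /pco/ roles are assumed only from the Jump Account. The member account id and the sample records are constructed; the field layout follows CloudTrail's userIdentity/requestParameters structure.

```python
"""Audit CloudTrail records against the PCO role rollout rules in the mail above:
/pco/ roles change only via OrganizationAccountAccessRole sessions, that role is
assumed only from the payer account, and /pco/ roles only from the Jump Account."""
PAYER_ACCOUNT = "329260820478"
JUMP_ACCOUNT = "111502134595"
PCO_ROLES = {"pco-role-admin", "pco-admin", "pco-readonly", "RedHatIT-HCI-SSO-admin"}
ROLE_CHANGE_EVENTS = {"CreateRole", "DeleteRole", "UpdateAssumeRolePolicy",
                      "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy"}

def audit_events(events):
    """Return one finding string per record that breaks the stated expectations."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        params = ev.get("requestParameters") or {}
        name, source = ev.get("eventName"), ev.get("eventSource")
        if source == "sts.amazonaws.com" and name == "AssumeRole":
            # On an AssumeRole record userIdentity is the caller, so accountId
            # is the account the session was requested from.
            arn, caller = params.get("roleArn", ""), ident.get("accountId")
            if arn.endswith(":role/OrganizationAccountAccessRole") and caller != PAYER_ACCOUNT:
                findings.append(f"{ev['eventID']}: OrganizationAccountAccessRole assumed from {caller}")
            elif ":role/pco/" in arn and caller != JUMP_ACCOUNT:
                findings.append(f"{ev['eventID']}: {arn} assumed from {caller}")
        elif source == "iam.amazonaws.com" and name in ROLE_CHANGE_EVENTS \
                and params.get("roleName") in PCO_ROLES:
            issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
            if issuer != "OrganizationAccountAccessRole":
                # An attempt the SCP denied still appears, with errorCode set.
                err = f" (errorCode={ev['errorCode']})" if ev.get("errorCode") else ""
                findings.append(f"{ev['eventID']}: {name} on {params['roleName']} by {ident.get('arn')}{err}")
    return findings

MEMBER = "123456789012"  # placeholder member account id; records below are constructed
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": PAYER_ACCOUNT, "arn": f"arn:aws:iam::{PAYER_ACCOUNT}:user/pco-installer"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{MEMBER}:role/OrganizationAccountAccessRole"}},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"accountId": MEMBER, "arn": f"arn:aws:sts::{MEMBER}:assumed-role/OrganizationAccountAccessRole/pco",
                      "sessionContext": {"sessionIssuer": {"userName": "OrganizationAccountAccessRole"}}},
     "requestParameters": {"roleName": "pco-readonly", "path": "/pco/"}},
    {"eventID": "e3", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "999999999999", "arn": "arn:aws:iam::999999999999:user/someone"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{MEMBER}:role/pco/pco-admin"}},
    {"eventID": "e4", "eventSource": "iam.amazonaws.com", "eventName": "DeleteRole", "errorCode": "AccessDenied",
     "userIdentity": {"accountId": MEMBER, "arn": f"arn:aws:iam::{MEMBER}:user/localadmin"},
     "requestParameters": {"roleName": "pco-admin"}},
]
```

Running `audit_events(SAMPLE_EVENTS)` reports only e3 and e4; e1 and e2 match the installation path the announcement describes.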
_______________________________________________
Podman-monitor mailing list -- podman-monitor(a)lists.podman.io
To unsubscribe send an email to podman-monitor-leave(a)lists.podman.io