In case it wasn't clear, this is the note I was replying to, with:
I saw this, it's fine (not that we can say no). I don't think any of
this activity will impact CI operations at all. Worst case is we'll get
more (fake) Red-Alterts from that "Trusted Advisor" bot.
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If it ain't broke, your hammer isn't wide 'nough.
On 1/24/23 23:23, James Russell wrote:
You're receiving this because your email is an Operations Contact
least 1 AWS account under the PGE Cloud Ops (PCO) Payer Account. [Is
this email wrong? Let us know. See below.]
* Heads up: some IAM roles will be installed in your AWS account(s).
* Each AWS account has been configured to forward AWS operational &
security notices to the Operations Contact (your email).
* A centrally-managed Jump Account is being established for Cost
IAM Roles to be installed
This is *advance****warning* that the PCO team will install IAM roles
into your account *this week* to facilitate administration. These roles
provide Red Hat staff to STS::AssumeRole into your account in the
- Cost Center technical operations staff may enter accounts owned by
that cost center, with AdministratorAccess privileges. (This is
equivalent to the access that the Cost Center staff currently have via
the old payer accounts & OrganizationAccountAccessRole).
- InfoSec may enter all AWS accounts with Read-Only privileges, to
facilitate security incident response and security health checks.
- IT Hybrid Cloud Infra may enter an AWS account to install IAM roles
that support Single-Sign-On. (NB: This does _not_ mean your account will
automatically convert to SSO. That decision is at your discretion, and
will be made available at a later date).
The roles are named:
For those reviewing CloudTrail logs: The installation will be performed
via the OrganizationAccountAccessRole from the payer
account 329260820478. Once installed, the roles can only be assumed from
the new Jump Account (111502134595).
A Service Control Policy (SCP) will prevent deletion or modification of
Security & Operational Contacts
Each account's "Alternate Contacts" have been configured so that
Security & Operations notices from AWS will be sent to the Operations
Contact that we have on file for the account. [You can inspect each
account's operational contacts in this spreadsheet
If any corrections need to be made, please add a comment on the cell.]
This means that you will receive notices from AWS such as credentials
leaks, EC2 retirement warnings, and required upgrades.
PCO is currently preparing a managed Jump Account for the Cost Center
administrators and Infosec, to support easily inspecting & administering
the accounts in their purview. This Jump Account is intended to replace
the retired ex-Payer Accounts that were often used as Jump Accounts for
individual cost center owners.
PCO will be in touch in the coming weeks with more information about the
new Jump Account.
If there are any questions or concerns, please let me know.
Thanks for your attention,
Product & Global Engineering Cloud Ops (PCO)
Red Hat Inc
Podman-monitor mailing list -- podman-monitor(a)lists.podman.io
To unsubscribe send an email to podman-monitor-leave(a)lists.podman.io