Vivinavi : Mundo : () World

CMS Hybrid Cloud Phase Two Transition from AWS Permission Boundaries to Service Control Policies








CMS Cloud


CMS Hybrid Cloud Phase Two Transition from AWS Permission Boundaries to Service Control Policies

________________________________________________________________________



Summary

The CMS Hybrid Cloud is announcing the completion of Phase one (1) Service Control Policy updates. Phase two (2) includes the placement of Service Control Policies (SCP's) into non-production Organizational Unit's (OU's) used by non-marketplace Application Development Organizations (ADO's) within the AWS organization service. As part of this implementation there will be a testing phase for ADOs to validate that SCP's do not reduce access to resources.

*Background and Timeline*

Beginning 10/30/2024, the following occurred:


* Hybrid Cloud deployed a service control policy entitled "Protected-actions-v1" to the Non-production OU's and non-marketplace ADOs inside the AWS Organization.
* This SCP is applied to the intended restrictions ONLY for Identity and Access Management (IAM) role's prefixed with 'scp-restricted'.

* ADO teams must validate the new SCP to maintain access by adding the following cloud access role to your AWS account: 'scp-restricted-ado-role'.
* Note - This role is functionally the same as the standard role 'ct-ado-application-admin' but is restricted by a SCP as opposed to a permission boundary.


* After a two (2) week testing period, the Hybrid Cloud Team will replace the protected-actions-v1 SCP with the protected-actions blocking policy.

*Action Required*

Prior to the implementation of the blocking control policy, we are asking ADOs to test the new policy in non-production accounts via Kion and using the role 'scp-restricted-ado-role' to perform their normal day to day operations. If you encounter issues, please open a cloud support ticket in the Jira project [ https://jiraent.cms.gov/secure/Dashboard.jspa ] 'cld-spt' including the issue type of 'access' and the type of request set to 'AWS Console Access'. Support tickets will be reviewed and updated by your Technical Advisor*.*  

*Questions*

For questions or issues about this change, please contact your assigned Hosting Coordinator. You can find more information on Service Control Policies here [ https://cloud.cms.gov/service-control-policies-update ]. 



Office of Information Technology




You are subscribed to receive email messages about CMS Cloud Operations, Changes, and Outages from the Centers for Medicare & Medicaid Services (CMS).

To update your subscription(s), preferences or to stop receiving messages from the CMS Cloud Operations, Changes, and Outages Updates- distribution list, please go to our Subscriber Preferences Page [ https://public.govdelivery.com/accounts/USCMS/subscriber/new?category_id=USCMS_C176 ].

________________________________________________________________________

This email was sent to mshinji3056@gmail.com using GovDelivery Communications Cloud 7500 Security Boulevard · Baltimore MD 21244


body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; margin-right:0px;} table.govd_hr {min-width: 100%;}