CMS Cloud

CMS Hybrid Cloud Phase Three Transition from AWS Permission Boundaries to Service Control Policies

________________________________________________________________________



Summary

The CMS Hybrid Cloud is announcing the completion of Phase Two (2) Service Control Policy updates. Phase Three (3) involves completing the implementation of Service Control Policies (SCPs) in non-production Organizational Units (OUs) used by non-marketplace Application Development Organizations (ADOs) within the AWS organization service. This phase includes a testing period for ADOs to confirm that SCPs do not restrict access to resources.

*Background and Timeline*

*Starting 12/06/2024, the following changes will take place:*


* Hybrid Cloud will deploy a service control policy entitled "Protected-actions" to the non-production OUs and non-marketplace ADOs within the AWS Organization. This SCP contains a list of high-risk Application Programming Interfaces (APIs) that the ADO's cloud access role currently does not have permission to call. As a result, ADOs should not notice any change in their access or permissions and will still be able to perform all the necessary actions as they do now.
* This SCP will no longer be limited to Identity and Access Management (IAM) roles prefixed with 'scp-restricted'. Instead, it will be applied to all ADOs' cloud access roles. Consequently, we will be deleting the 'scp-restricted' role that was deployed as part of SCP Phase 2.
* *Please note*: Although the SCP is an exact replica of the permissions boundary, we are not removing the permissions boundary from the ADOs' cloud access roles just yet. We will apply the SCP first to the non-production, non-marketplace OUs to ensure it works as expected and does not have any adverse effects.

One of the many benefits of applying this SCP is that it provides more granular control over the high-risk APIs that are currently denied.
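The Phase 2 to Phase 3 change described above, as an added example that is not part of the original announcement and not CMS's own tooling: a small offline evaluator that an ADO could use during the testing period to see which of its observed API calls an SCP would block. The policies, account id, role names and CloudTrail-style events are all constructed for illustration; the real "Protected-actions" API list is not published on this page, so the denied actions below are placeholders. The evaluator only models explicit Deny statements with an Action list and an optional ArnLike condition on aws:PrincipalArn (NotAction, Resource and other condition keys are deliberately left out).

```python
"""Offline check of which observed API calls an SCP would deny, per role."""
import fnmatch
import json

# Constructed example SCP in the Phase 2 shape: the Deny is scoped by a
# principal condition to roles whose name starts with scp-restricted.
PHASE2_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ProtectedActionsPhase2",
    "Effect": "Deny",
    "Action": ["iam:DeleteRolePolicy", "organizations:LeaveOrganization", "cloudtrail:StopLogging"],
    "Resource": "*",
    "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/scp-restricted*"}}
  }]
}
""")

# Constructed Phase 3 shape: the same Deny with the principal condition
# removed, so it applies to every role in the OU, including ct-ado* roles.
PHASE3_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ProtectedActionsPhase3",
    "Effect": "Deny",
    "Action": ["iam:DeleteRolePolicy", "organizations:LeaveOrganization", "cloudtrail:StopLogging"],
    "Resource": "*"
  }]
}
""")

# Constructed CloudTrail-style records standing in for what roles do day to day.
DEV_ROLE = "arn:aws:iam::111122223333:role/ct-ado-dev"
RESTRICTED_ROLE = "arn:aws:iam::111122223333:role/scp-restricted-dev"
SAMPLE_EVENTS = [
    {"principalArn": DEV_ROLE, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"principalArn": DEV_ROLE, "eventSource": "iam.amazonaws.com", "eventName": "DeleteRolePolicy"},
    {"principalArn": RESTRICTED_ROLE, "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    {"principalArn": RESTRICTED_ROLE, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def event_action(event):
    """Map a CloudTrail record to its IAM action name, e.g. s3:GetObject."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def principal_in_scope(statement, principal_arn):
    """True when the statement has no principal condition, or its ArnLike
    aws:PrincipalArn pattern(s) match the calling role."""
    patterns = statement.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn")
    if patterns is None:
        return True
    return any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(patterns))


def is_denied(scp, principal_arn, action):
    """Simplified SCP evaluation (assumption of this example): an explicit Deny
    whose Action pattern and principal condition both match blocks the call."""
    for statement in scp["Statement"]:
        if statement.get("Effect") != "Deny" or not principal_in_scope(statement, principal_arn):
            continue
        for pattern in _as_list(statement.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def denied_by_role(scp, events):
    """Group the observed actions the SCP would block, keyed by role ARN."""
    report = {}
    for event in events:
        action = event_action(event)
        if is_denied(scp, event["principalArn"], action):
            report.setdefault(event["principalArn"], set()).add(action)
    return {arn: sorted(actions) for arn, actions in report.items()}


if __name__ == "__main__":
    for name, scp in (("Phase 2", PHASE2_SCP), ("Phase 3", PHASE3_SCP)):
        print(name, json.dumps(denied_by_role(scp, SAMPLE_EVENTS), indent=2))
```

Run against the constructed events, the Phase 2 policy only flags the scp-restricted role, while the Phase 3 policy also flags the ct-ado role's iam:DeleteRolePolicy call; an ADO that sees its regular role listed in the Phase 3 report for an action it genuinely needs has found exactly the kind of conflict the testing period is meant to surface, and should raise it through the support ticket route described below. Real CloudTrail exports and the actual SCP would be substituted for the constructed inputs.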

*Action Required*

We expect ADOs to use their regular ct-ado* roles to access the AWS account. If you encounter any issues, please open a cloud support ticket [ https://jiraent.cms.gov/secure/Dashboard.jspa ] in the Jira project 'cld-spt', selecting the issue type 'access' and setting the request type to 'AWS Console Access.' Support tickets will be reviewed and updated by your Technical Advisor.

*Questions*

For questions or issues about this change, please contact your assigned Hosting Coordinator. More information on Service Control Policies can be found here [ https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html ].



Office of Information Technology






  • [Registrant] Centers for Medicare & Medicaid Services (CMS)
  • [Language] Japanese
  • [Area] Baltimore, MD
  • Registered: 2024/12/05
  • Posted: 2024/12/05
  • Modified: 2024/12/05