OpenShift Request For Enhancement
RFE-3432

[RFE] 03352278 | ROSA - AWS Asset Vulnerability with IAM policy for ManagedOpenShift-Installer-Role-Policy


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Blocker
    • Components: Installer

      Proposed title:

      Ability to change the AWS IAM policy that allows assume role permission across all services.


      Description:

      Our security team has flagged this issue with the ROSA installer role and policy to Red Hat support. We notice the ManagedOpenShift-Installer-Role-Policy enables ManagedOpenShift-Installer-Role to sts:AssumeRole on "Resource": "*". This is flagged by Prisma Cloud as a high alert, namely "AWS IAM policy allows assume role permission across all services".

      Can we update "Resource": "*" so that it does not cover all services?

      Also, can we remove this once we install ROSA?


      Reason:

      Security. This blocks us from installing our production cluster.


      Component:

      ROSA installation.
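Added example (not part of the RFE, and not Red Hat's or the ROSA installer's own code): a small check that finds the pattern Prisma Cloud flags in the description above, an Allow statement granting sts:AssumeRole on "Resource": "*", run against a constructed policy fragment modelled on the description and a narrowed variant. Both policy documents, the account id and the role ARN are constructed placeholders, not the real ManagedOpenShift-Installer-Role-Policy.

```python
import json

# Constructed sample modelled on the description above; NOT the real
# ManagedOpenShift-Installer-Role-Policy document.
FLAGGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}
  ]
}
""")

# Same intent, but the assume-role target is narrowed to specific role ARNs
# (placeholder account id and role name).
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": ["arn:aws:iam::123456789012:role/ExampleTargetRole-*"]}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_assume_role(policy):
    """Return Allow statements that grant sts:AssumeRole on every resource.

    An action covers sts:AssumeRole if it is the exact action, "sts:*" or "*".
    """
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        covers = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        if covers and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    print("flagged:", len(unscoped_assume_role(FLAGGED_POLICY)), "statement(s)")
    print("scoped: ", len(unscoped_assume_role(SCOPED_POLICY)), "statement(s)")
```

The same function can be run over a policy document fetched with `aws iam get-policy-version` to confirm whether a narrowed policy still triggers the finding before re-deploying.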

Aaren de Jong (rh-ee-adejong)
David Caldwell (rhn-support-dcaldwel, inactive)
Votes: 0
Watchers: 7