Feature Request
Resolution: Unresolved
Blocker
Proposed title:
Ability to change the AWS IAM policy that allows assume role permission across all services.
Description:
Our security team has flagged this issue with the ROSA installer role and policy Red Hat support. We notice the ManagedOpenShift-Installer-Role-Policy enables ManagedOpenShift-Installer-Role to sts:AssumeRole of "Resource": "*". This is flagged by Prisma Cloud as a high alert, namely "AWS IAM policy allows assume role permission across all services".
Can we update "Resource": "*" to not all services?
Also, can we remove this once we install ROSA?
Reason:
Security. This blocks us from installing our production cluster.
Component:
ROSA installation.
Causes:
- XCMSTRAT-308 ROSA Policies - albo, logging, efs, oadp as managed (New)
- XCMSTRAT-301 Classic Policies - passrole restriction (New)
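A check for the condition described in this request, as an added example that is not part of the original ticket and is not Red Hat's or Prisma Cloud's code: it lists the Allow statements in an IAM policy document that grant sts:AssumeRole on "Resource": "*". The sample policy, its Sids, the account ID and the role name are constructed placeholders, not the contents of ManagedOpenShift-Installer-Role-Policy.

```python
import fnmatch
import json

# Constructed sample policy; NOT the actual ROSA installer policy text.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BroadAssume", "Effect": "Allow",
     "Action": ["sts:AssumeRole", "sts:GetCallerIdentity"], "Resource": "*"},
    {"Sid": "ScopedAssume", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::111122223333:role/Example-Support-Role"},
    {"Sid": "WildcardAction", "Effect": "Allow", "Action": "sts:*",
     "Resource": ["arn:aws:s3:::example-bucket", "*"]},
    {"Sid": "DenyAssume", "Effect": "Deny", "Action": "sts:AssumeRole",
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _grants_assume_role(action_pattern):
    # Action names are case-insensitive and may use * and ? wildcards.
    return fnmatch.fnmatchcase("sts:assumerole", action_pattern.lower())


def find_unscoped_assume_role(policy):
    """Return the Sid (or index) of each Allow statement that grants
    sts:AssumeRole on every resource."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction/NotResource and broad ARN patterns are out of scope here.
        grants = any(_grants_assume_role(a) for a in _as_list(stmt.get("Action")))
        unscoped = "*" in _as_list(stmt.get("Resource"))
        if grants and unscoped:
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings
```

The same function can be pointed at a policy document exported from the account to confirm whether a revised policy still triggers the finding.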