Announcing AWS Managed IAM Policies for ROSA with Hosted Control Planes

This post takes a closer look at the new AWS (Amazon Web Services) managed policies for ROSA (Red Hat OpenShift Service on AWS). Eleven new AWS managed policies for ROSA with Hosted Control Planes (HCP) are now in technology preview. The significant feature of these managed policies is that they provide narrowly scoped permissions for the IAM (Identity and Access Management) roles that ROSA uses to manage your cluster infrastructure. They also ensure that these permissions stay up to date with new OpenShift versions.

What are AWS Managed IAM Policies for ROSA?

AWS Managed IAM Policies for ROSA are sets of permissions that govern access to AWS resources. These permissions specify the actions that may be carried out on AWS resources. An IAM policy defines who (the principal) may perform which actions (such as view, create, or delete), on which resources, and under which conditions, such as source IP address, time of day, or whether the user authenticated using MFA (Multi-Factor Authentication).

AWS managed policies for ROSA are designed to offer effective access management across the AWS resources a cluster needs. A significant feature of these policies is that they keep permissions updated with every new OpenShift version.

The Relevance of AWS Managed IAM Policies for ROSA

The ROSA service model depends on AWS IAM for multiple aspects of its operation, including deployment and ongoing operations. Instead of requiring customers to manually author and maintain these policies, AWS and Red Hat have now introduced managed IAM policies to simplify the process.

Here’s why this development is crucial:

1. Efficient Operations

The introduced policies remove routine policy maintenance from your plate, giving you more time to focus on work that needs your expertise, such as optimizing your deployments for performance and cost.

2. Enhanced Security

Using AWS managed policies improves security. It ensures that permissions are accurate and not overly generous, thus limiting the exposure that over-provisioned access would create.

3. Streamlined Upgrades

These policies also ensure that as newer OpenShift versions are released, the required IAM permissions stay in sync without any manual intervention.

AWS Managed IAM Policies for ROSA: A Closer Look

AWS and OpenShift teams have collaborated to provide eleven new managed policies that automate and streamline the creation and management of permissions needed to run ROSA. These policies correlate with the IAM roles that ROSA uses to manage your cluster infrastructure.

Rather than granting broad permissions, these IAM policies grant precise privileges scoped to the resource and action in question. This practice upholds the principle of least privilege, a key security best practice. Moreover, it also relieves you of ongoing policy management, as AWS managed policies are updated automatically.
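To make the least-privilege point above concrete, and to show the conditions mentioned earlier (resource scoping, and condition keys such as MFA or source IP) in practice, here is an added example that is not part of the original post and not code from AWS or Red Hat. It is a small linter that reads an IAM policy document and reports Allow statements that are broader than least privilege: wildcard actions, `Resource: "*"` with no Condition, and sensitive actions left unconstrained. The two policy documents are constructed samples (the account ID, role name, and tag key are placeholders) and are not the real ROSA managed policies; a practitioner can point `lint_policy` at any policy document retrieved from their own account instead.

```python
"""Added example: a least-privilege linter for IAM policy documents.
The policies below are constructed samples, not the AWS managed policies for ROSA."""
import fnmatch
import json

# Constructed sample: a broad policy of the kind the post says to avoid.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})

# Constructed sample: the same capabilities, scoped by action, resource and condition.
# Account ID, role name and tag key are placeholders, not values from the page.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/example-managed": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/Example-Worker-Role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
})

# Actions that let a principal widen its own or another principal's access;
# these deserve a specific resource or a condition, never a bare "*".
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy", "sts:AssumeRole"}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return a list of findings for Allow statements that are broader than least privilege."""
    policy = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        # "*" or "service:*" grants every API operation in that service.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")

        # Resource "*" with no Condition ties the grant to no particular ARN at all.
        unconstrained = "*" in resources and not has_condition
        if unconstrained:
            findings.append(f"statement {idx}: Resource '*' without a Condition")

        # Sensitive actions (matched case-sensitively, wildcards expanded) need a pin.
        for action in actions:
            if unconstrained and any(fnmatch.fnmatchcase(s, action) for s in SENSITIVE_ACTIONS):
                findings.append(f"statement {idx}: sensitive action {action!r} unconstrained")
    return findings


def is_least_privilege(document: str) -> bool:
    """True when the linter raises no findings for the document."""
    return not lint_policy(document)


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", lint_policy(doc) or "no findings")
```

The check is deliberately conservative: a resource ARN that ends in `/*` (every instance in one account and region) is treated as scoped, because it is still bound to an account and service, while a bare `"*"` is not. The sensitive-action match expands wildcards in the policy, so a statement allowing `iam:*` on `"*"` is reported both as a wildcard action and as an unconstrained sensitive action.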

The following provides an overview of the AWS managed policies for ROSA:

  • rosa.openshift.io.osdCcsAdmin: Full administrative access to infrastructure resources.
  • rosa.openshift.io.osdManagedAdmin: Managed administrative permissions.
  • rosa.openshift.io.osdManagedAdminSRE: Managed administrative access that includes SRE permissions.
  • rosa.openshift.io.osdCcsSRE: Full administrative access, including SRE permissions.
  • rosa.openshift.io.osdManagedAgnhost: Managed permissions for Agnhost operations.
  • rosa.openshift.io.osdManagedMetricsExporter: Managed permissions for metrics exporting.
  • rosa.openshift.io.osdCcsMetricsExporter: Full permissions to export metrics.
  • rosa.openshift.io.osdManagedNode: Managed permissions for node operations.
  • rosa.openshift.io.osdCcsNode: Full permissions for node operations.
  • rosa.openshift.io.osdManagedOperatorMetrics: Managed permissions related to operator metrics.
  • rosa.openshift.io.osdCcsOperatorMetrics: Full permissions to operator metrics.

Conclusion

AWS Managed IAM Policies for ROSA bring several benefits to users, including increased operational efficiency, enhanced security, and streamlined upgrades. By automating the creation and management of permissions, these policies eliminate manual policy maintenance, improve accuracy, reduce security risk, and keep permissions in sync with new OpenShift versions.

Adopting these managed policies will not only improve your security posture but will also give you more time to concentrate on optimizing your deployments. After all, IAM is a fundamental piece of your security posture, ensuring the right people have the right access at the right times. With AWS Managed IAM Policies in place, you can use fine-grained access control to protect your AWS resources.

The introduction of AWS Managed IAM Policies for ROSA proves the commitment of AWS and OpenShift towards making cloud operations efficient, secure, and less complex. So take a step forward, embrace these policies, and enjoy a more streamlined AWS experience!