お知らせ

No Image
公式アカウント

Final Phase: SCP & Permissions Boundary Update

CMS Hybrid Cloud Logo
Final Phase: SCP & Permissions Boundary Update

________________________________________________________________________



Summary
CMS Hybrid Cloud is announcing the final phase of its Service Control Policies (SCP) deployment, with updates to permissions boundary policies scheduled for *March 31, 2025*. This communication outlines the changes and required actions.

Background and Timeline

On *March 31, 2025*, the following changes will be implemented for v4 AWS Commercial accounts [ https://cloud.cms.gov/cms-cloud-virtual-private-cloud-version-4-architecture ] within the CMS Hybrid Cloud environment:


* CMS Hybrid Cloud will modify the permissions boundary policies:
* ct-ado-poweruser-permissions-boundary-policy
* ct-ado-readonly-permissions-boundary-policy
* developer-boundary-policy

* The current "Deny" statements within these policies will be replaced with a single "Allow" statement (all actions (*) on all resources (*)) within the defined permissions boundary.

Impact

This modification effectively removes the prior requirement [ https://cloud.cms.gov/managing-cloudtamer-cms-permission-boundary ] for Path and Permissions Boundary attributes when creating IAM resources.  v4 AWS Commercial users will no longer have to provide a "Path" or "Permissions Boundary" attribute when creating new IAM Roles or Policies. Existing Roles and Policies will continue to work as is with no changes. Any automation (like Terraform or AWS CloudFormation templates) that references the "Path" or "Permissions Boundary" attributes will also continue to work as is. Our recommendation is that you modify any IAM role/policy creation scripts or Infrastructure As Code (IaC) templates to no longer reference the permissions boundary, at your own convenience, but this is NOT a time sensitive or required change. The CMS Hybrid Cloud team does not intend to delete the "Permissions Boundary" at this time. 

 

*V3 [ https://cloud.cms.gov/cms-cloud-virtual-private-cloud-version-3-architecture ] and AWS GovCloud Accounts [ https://cloud.cms.gov/aws-govcloud-available-cms-cloud ]:*  If you are operating within a V3 Account in the AWS Commercial Enclave or within a CMS Hybrid Cloud AWS GovCloud account, and are using IAM users to log into your AWS accounts (vs using Kion [ https://cloudtamer.cms.gov/ ]) then these changes have not yet been completed for your accounts. Please continue to operate as is for these accounts. A separate announcement will be made for those accounts at a later date. 

Details

Our recent deployment of new SCPs [ https://cloud.cms.gov/service-control-policies-update ] has made these permissions boundaries redundant in v4 AWS Commercial Accounts.  The SCPs perform a similar function to that of the current permissions boundaries, in that they restrict usage of unapproved services and high risk AWS APIs. SCPs do not require the use of additional IAM attributes like Path or Permissions Boundary when creating IAM resources. This simplifies general IAM usage and improves the user experience with frameworks like AWS SAM [ https://aws.amazon.com/serverless/sam/ ] and AWS CDK [ https://aws.amazon.com/cdk/ ].  

Action Required
Since the SCPs overlap with the previous Permissions Boundaries, no change is expected in your accounts. No testing is required by the Application Teams. Please evaluate your IaC projects and consider removing references to the Path and Permissions Boundary attributes. Please continue to use your regular Kion roles to access the AWS account. In the event of any issues, please create a cloud support ticket [ https://jiraent.cms.gov/plugins/servlet/desk/portal/22 ]. Select "Service Request" as the issue type and set the request type to "Permissions (AWS IAM)". Support tickets will be reviewed and updated by your Technical Advisor.

Questions

For questions or issues regarding this change, please contact your assigned Hosting Coordinator. More information on SCPs can be found at the Service Control Policies AWS [ https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html ] page.


Office of Information Technology


You are subscribed to receive email messages about CMS Cloud Operations, Changes, and Outages from the Centers for Medicare & Medicaid Services (CMS).

To update your subscription(s), preferences or to stop receiving messages from the CMS Cloud Operations, Changes, and Outages Updates- distribution list, please go to our Subscriber Preferences Page [ https://public.govdelivery.com/accounts/USCMS/subscriber/new?category_id=USCMS_C176 ].

________________________________________________________________________

This email was sent to mshinji3056@gmail.com using GovDelivery Communications Cloud 7500 Security Boulevard · Baltimore MD 21244


body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; margin-right:0px;} table.govd_hr {min-width: 100%;}
  • [登録者]Centers for Medicare & Medicaid Services (CMS)
  • [言語]日本語
  • [エリア]Baltimore, MD
  • 登録日 : 2025/03/27
  • 掲載日 : 2025/03/27
  • 変更日 : 2025/03/27
  • 総閲覧数 : 10 人
Web Access No.2652451
“自治体からのお知らせ” トップページへ戻る