
Upgrade RDS DB Cert (AWS) - review before end of Feb #349

Open
ckarpinski opened this issue Dec 28, 2023 · 1 comment
Comments

@ckarpinski
Contributor

Here is another AWS Alert to review

Hi Christy,
This email below relates to the services the SoftServ folks run. These resources, particularly:
r2-atla-dl-eks-service-role | AWSServiceRoleForAmazonEKS | AWS::IAM::Role | N/A | N/A | 2023-07-28
r2-atla-samvera-eks-service-role | AWSServiceRoleForAmazonEKS | AWS::IAM::Role | N/A | N/A | 2023-07-26
r2-atla-samvera-node-instance-role | NodeInstanceRole | AWS::IAM::Role | N/A | N/A | 2023-07-27

Hello,

We are reaching out because AWS CloudFormation identified an issue when creating or modifying tags which requires your action before February 29, 2024. AWS CloudFormation enables users to model and manage infrastructure resources in an automated and secure manner. When performing a CloudFormation stack operation to create, modify, or remove tags, if the IAM principal used for that operation did not have permissions to perform the tagging operation, the tags specified in the CloudFormation template would not match the tags applied to the resource. As a result, if you are using Attribute-Based Access Control (ABAC) [1], your IAM policies may have granted permissions when you did not intend to grant, and denied permissions when you did not intend to deny. We have fixed this issue; however, to give you time to update your IAM principals, we have added your account to an allow list so that you will continue to see the existing tagging behavior until we remove your account from the allow list on February 29, 2024. After this date, CloudFormation stack operations will fail when you attempt to create, modify, or remove tags but do not have the required permissions.

When customers use tags for ABAC or for cost allocation, they require their resources to be tagged. We identified that your account has performed a CloudFormation stack operation to create, modify, or remove tags.

Please refer to the "Affected Resources" tab of your AWS Health Dashboard for a list of resources with unsuccessful tagging operations in the following format: stack_name | logical_id | type_name | missing_permission | role_name | date

For each resource, you can identify the IAM principal that you used to perform the CloudFormation stack operation, along with the specific tagging permission that is missing. If role_name and missing_permission are N/A, it indicates that we were unable to automatically identify this information for you. Please refer to the AWS Knowledge Center article [2] to identify the IAM role used to modify the associated stack. You can identify the missing permissions based on affected resource type. For example, you will need to add iam:TagRole, iam:UntagRole and/or iam:ListRoleTags permissions to tag AWS::IAM::Role resources.

We recommend that you evaluate the missing permissions and update your IAM policies [3] where appropriate to ensure that your future tagging operations are successful. Once you have added the necessary permissions, your future tagging changes will succeed; however, the tags on your existing resources may not match the tags in your CloudFormation template. We recommend that you compare the tags you specified in your template with the tags currently applied to your resources. Please refer to the AWS Knowledge Center article [2] for more details.

If you have any questions or concerns, please contact AWS Support [4].

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
[2] https://repost.aws/knowledge-center/cloudformation-resource-tagging-errors
[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html
[4] https://aws.amazon.com/support

Sincerely,
Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210


Reference: https://health.aws.amazon.com/health/home?region=us-east-1#/event-log?eventID=arn:aws:health:us-west-2::event/CLOUDFORMATION/AWS_CLOUDFORMATION_SECURITY_NOTIFICATION/AWS_CLOUDFORMATION_SECURITY_NOTIFICATION_3b4d5a7e293505581f4d4e5b74d1a1a262af21c00bd25df9f338bea366ce424d&eventTab=details
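The notice asks for two things: grant the tagging actions it names for `AWS::IAM::Role` resources (iam:TagRole, iam:UntagRole, iam:ListRoleTags) and then check that the tags on the live resource still match the template. The following is an added example, not code from this issue or from AWS; it builds the minimal policy statement for a role and reports tag drift between a constructed template tag set and a constructed ListRoleTags-style response. The role ARN account id is a placeholder.

```python
import json

# Constructed sample: tags declared on the role in the CloudFormation template.
TEMPLATE_TAGS = {"Environment": "prod", "Project": "atla", "Owner": "softserv"}

# Constructed sample: what iam:ListRoleTags would return for the live role.
# "Owner" never got applied and "Project" was changed outside the template,
# which is the drift the AWS notice warns about for ABAC policies.
LIVE_TAGS = [
    {"Key": "Environment", "Value": "prod"},
    {"Key": "Project", "Value": "samvera"},
    {"Key": "ManagedBy", "Value": "manual"},
]

# Tagging actions per resource type, taken from the notice for IAM roles.
TAG_ACTIONS_BY_TYPE = {
    "AWS::IAM::Role": ["iam:TagRole", "iam:UntagRole", "iam:ListRoleTags"],
}


def tagging_policy_statement(type_name, resource_arn):
    """Minimal IAM policy granting only the tagging actions for one resource."""
    actions = TAG_ACTIONS_BY_TYPE[type_name]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCfnTagging",
            "Effect": "Allow",
            "Action": actions,
            "Resource": resource_arn,   # scope to the role, not "*"
        }],
    }


def tag_drift(template_tags, live_tags):
    """Compare template tags with the tags actually on the resource."""
    live = {t["Key"]: t["Value"] for t in live_tags}
    missing = {k: v for k, v in template_tags.items() if k not in live}
    mismatched = {k: (v, live[k]) for k, v in template_tags.items()
                  if k in live and live[k] != v}
    extra = {k: v for k, v in live.items() if k not in template_tags}
    return {"missing": missing, "mismatched": mismatched, "extra": extra}


if __name__ == "__main__":
    # Placeholder account id; replace with the real role ARN when used.
    arn = "arn:aws:iam::111122223333:role/NodeInstanceRole"
    print(json.dumps(tagging_policy_statement("AWS::IAM::Role", arn), indent=2))
    print(json.dumps(tag_drift(TEMPLATE_TAGS, LIVE_TAGS), indent=2))
```

Any non-empty "missing" or "mismatched" entry means an ABAC condition keyed on that tag is evaluating against a value the template never intended, so those resources should be re-tagged before the February 29, 2024 cutoff.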

@ckarpinski ckarpinski converted this from a draft issue Dec 28, 2023
@aprilrieger aprilrieger moved this from Ready for Development to In Development in atla_digital_library Jan 17, 2024
@aprilrieger aprilrieger changed the title AWS Alert - review before end of Feb Upgrade RDS DB Cert (AWS) - review before end of Feb Jan 17, 2024
@aprilrieger aprilrieger self-assigned this Jan 17, 2024
@aprilrieger aprilrieger moved this from In Development to Client Verification in atla_digital_library Jan 17, 2024
@aprilrieger
Contributor

@ckarpinski this work got accomplished this evening without downtime on the applications.

@ckarpinski ckarpinski moved this from Client Verification to Done in atla_digital_library Jan 17, 2024