Merge pull request #55066 from EricPonvelle/OSDOCS-4813_Add-SCP-Info

EricPonvelle · web-flow · commit b52ab7e3613b · 2023-02-02T16:17:18.000-05:00
OSDOCS-4813: Added the SCP requirements to AWS STS prerequisites
diff --git a/modules/rosa-aws-scp.adoc b/modules/rosa-aws-scp.adoc
@@ -1,16 +1,42 @@
 // Module included in the following assemblies:
 //
-// * rosa_getting_started/rosa-aws-prereqs.adoc
+// * rosa_architecture/rosa-sts-about-iam-resources.adoc
+//
+// * rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc
+//
 
 [id="rosa-minimum-scp_{context}"]
-== Minimum required service control policy (SCP)
+= Minimum required service control policy (SCP)
+
+Service control policies (SCP) are a type of organization policy that manages permissions within your organization. SCPs ensure that accounts within your organization stay within your defined access control guidelines. These polices are maintained in the AWS Organizations and control the services that are available within the attached AWS accounts. SCP management is the responsibility of the customer.
+
+ifeval::["{context}" == "rosa-sts-about-iam-resources"]
+:aws-sts:
+endif::[]
+
+ifeval::["{context}" == "prerequisites"]
+:aws-non-sts:
+endif::[]
+
+ifdef::aws-sts[]
+[NOTE]
+====
+When using AWS Security Token Service (STS), you must ensure that the service control policy does not block the following resources:
 
-Service control policy (SCP) management is the responsibility of the customer. These policies are maintained in the AWS Organizations and control what services are available within the attached AWS accounts.
+* `ec2:{}`
+* `iam:{}`
+* `tag:*`
+====
+endif::aws-sts[]
 
+ifdef::aws-non-sts[]
 [NOTE]
 ====
 The minimum SCP requirement does not apply when using AWS security token service (STS). For more information about STS, see link:https://docs.openshift.com/rosa/rosa_getting_started_sts/rosa-sts-aws-prereqs.html[AWS prerequisites for ROSA with STS].
 ====
+endif::aws-non-sts[]
+
+Verify that your service control policy (SCP) does not restrict any of these required permissions.
 
 [cols="2a,2a,2a,2a",options="header"]
 
@@ -20,7 +46,7 @@ The minimum SCP requirement does not apply when using AWS security token service
 | Actions
 | Effect
 
-.15+| Required
+.16+| Required
 |Amazon EC2 | All |Allow
 |Amazon EC2 Auto Scaling | All |Allow
 |Amazon S3| All |Allow
@@ -33,6 +59,12 @@ The minimum SCP requirement does not apply when using AWS security token service
 |AWS Support | All |Allow
 |AWS Key Management Service | All |Allow
 |AWS Security Token Service | All |Allow
+|AWS Marketplace | Subscribe 
+
+Unsubscribe
+
+View Subscriptions
+| Allow 
 |AWS Resource Tagging | All |Allow
 |AWS Route53 DNS | All |Allow
 |AWS Service Quotas | ListServices
@@ -47,9 +79,7 @@ ListServiceQuotas
 | Allow
 
 
-.3+|Optional
-
-| AWS Billing
+.3+|Optional | AWS Billing
 | ViewAccount
 
 Viewbilling
@@ -68,141 +98,7 @@ ViewUsage
 
 |===
 
-----
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "autoscaling:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "s3:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "iam:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cloudwatch:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "support:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "kms:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "sts:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "tag:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "route53:*"
-            ],
-            "Resource": [
-                "*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "servicequotas:ListServices",
-                "servicequotas:GetRequestedServiceQuotaChange",
-                "servicequotas:GetServiceQuota",
-                "servicequotas:RequestServiceQuotaIncrease",
-                "servicequotas:ListServiceQuotas"
-            ],
-            "Resource": [
-                "*"
-            ]
-        }
-    ]
-}
-
-----
+[role="_additional-resources"]
+.Additional resources
+
+* link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html[Service control policies]
diff --git a/rosa_architecture/rosa-sts-about-iam-resources.adoc b/rosa_architecture/rosa-sts-about-iam-resources.adoc
@@ -87,3 +87,4 @@ include::modules/rosa-sts-about-operator-role-prefixes.adoc[leveloffset=+2]
 
 include::modules/rosa-sts-oidc-provider.adoc[leveloffset=+1]
 include::modules/rosa-sts-oidc-provider-command.adoc[leveloffset=+2]
+include::modules/rosa-aws-scp.adoc[leveloffset=+1]
diff --git a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc
@@ -16,7 +16,7 @@ include::snippets/rosa-sts.adoc[]
 include::modules/rosa-aws-understand.adoc[leveloffset=+1]
 include::modules/rosa-aws-requirements.adoc[leveloffset=+1]
 include::modules/rosa-aws-procedure.adoc[leveloffset=+1]
-include::modules/rosa-aws-scp.adoc[leveloffset=+1]
+include::modules/rosa-aws-scp.adoc[leveloffset=+2]
 include::modules/rosa-aws-iam.adoc[leveloffset=+1]
 include::modules/rosa-aws-provisioned.adoc[leveloffset=+1]
 include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+1]

Original file line number	Diff line number	Diff line change
`@@ -87,3 +87,4 @@ include::modules/rosa-sts-about-operator-role-prefixes.adoc[leveloffset=+2]`
`87`	`87`
`88`	`88`	`include::modules/rosa-sts-oidc-provider.adoc[leveloffset=+1]`
`89`	`89`	`include::modules/rosa-sts-oidc-provider-command.adoc[leveloffset=+2]`
	`90`	`+include::modules/rosa-aws-scp.adoc[leveloffset=+1]`