Closed yaelberger-commits closed 2 years ago
Not needed if we do proper offboarding. We did this once, and that should be enough if we are diligent about offboarding.
The updated spreadsheet meant for audits: https://docs.google.com/spreadsheets/d/1nqRmotJvNY_ftNwr5R7_tk2HKrveNRBA-R77kNTU-FM
@yaelberger-commits Can you QA check if the spreadsheet would be sufficient for our purposes please? 🙏
QAing! Thanks for flagging @jimleroyer
I think we need to add to this spreadsheet all of the current privileged accounts that already exist as well, otherwise how can we review them? Unless there is already another way to review?
I added another tab in the spreadsheet for that but so far didn't add the current accounts. I wondered if we wanted to take timestamp snapshots of these or just have the current list of admins? I assume the latter?
Yael and Jimmy to sync
@jimleroyer The new sheets are great. I will add one for AWS admin as well and we can fill that out too.
@yaelberger-commits The AWS admins are not up to us though. We can fill something but we'd need the SRE team to maintain it for us.
CC @patheard is there any document for AWS admins?
We don't have a doc for it, but I've filled in that section of the spreadsheet based on the current access. Going forward, when you need to change someone's access (grant/revoke) you can create an AWS account access issue in the SRE repo.
If you wanted, you could link to the issue in the spreadsheet to give more context as to why a user had specific AWS admin access (here's the one we did for Andrew when he joined: cds-snc/site-reliability-engineering#462).
Acceptance Criteria