Currently, when we grant AWS privileges for a limited duration, we must remember to sunset them and then actually sunset them manually at the expiration date. To do the remembering we use a variety of brittle mechanisms, such as calendar reminders in the calendar of the person who originally assigned the permissions, a Slack reminder, etc. Fundamentally, we rely on a human acting on the reminder, at the right time, with the right actions. Failure to sunset these privileges leads to identities having lingering privileges they no longer need, desire, or should have.
This is a brittle situation to be in, and we need a more automatic way of expiring fine-grained privileges that requires no human intervention (and thus eliminates the possibility of a human forgetting to do it for whatever reason).
There are a couple of things we could do, ranging from having a bot that scans for items to expire (while being mindful not to lock everyone out; using a "mark, notify, eliminate" methodology) to using a declarative mechanism that automatically kicks in at the time of permission evaluation (so that the privilege may still be there, it is just no longer effective).
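As an added illustration of the two options above (not code from this issue or the va.gov-team repository), the Python below builds an IAM policy whose Allow carries a DateLessThan condition on aws:CurrentTime, the declarative variant, plus a small local evaluator showing the statement going ineffective at the deadline, and a scan_status function sketching the "mark, notify, eliminate" bucketing a scanner bot would use. The action, resource ARN and dates are constructed sample values, and is_effective is a local approximation of IAM evaluation, not a call to AWS.

```python
from datetime import datetime, timedelta, timezone

# IAM compares aws:CurrentTime against ISO 8601 timestamps in this form.
_FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc(iso):
    """Parse an IAM-style timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(iso, _FMT).replace(tzinfo=timezone.utc)


def time_bound_policy(actions, resources, expires_at):
    """Build an IAM policy document whose Allow stops matching once
    aws:CurrentTime reaches expires_at. The statement stays attached to
    the identity; after the deadline it simply no longer grants anything."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TimeBoundAccess",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {
                "DateLessThan": {"aws:CurrentTime": expires_at.strftime(_FMT)},
            },
        }],
    }


def statement_expiry(statement):
    """Return the DateLessThan aws:CurrentTime deadline, or None if unbounded."""
    raw = statement.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
    return utc(raw) if raw else None


def is_effective(statement, now):
    """Local approximation of IAM's evaluation of the time condition:
    the Allow matches only while now is strictly before the deadline."""
    deadline = statement_expiry(statement)
    return deadline is None or now < deadline


def scan_status(statement, now, notify_window=timedelta(days=7)):
    """'mark, notify, eliminate' classification for the scanner-bot variant:
    'ok' far from expiry, 'notify' inside the warning window before the
    deadline, 'eliminate' once it has passed and the grant should be removed."""
    deadline = statement_expiry(statement)
    if deadline is None or now < deadline - notify_window:
        return "ok"
    return "notify" if now < deadline else "eliminate"
```

A scanner bot built on scan_status would still need a cautious "eliminate" step (detach the statement, never the whole role), which is the lock-out concern noted above.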
Tasks
[ ] Discovery on feasible approaches
[ ] Select and Implement approach
[ ] Trial the approach on a subset of human identities to prove it
[ ] Roll out the implementation to be applicable to all human identities
Acceptance Criteria
[ ] For time-bound privileges, those that sunset at a point in time, no human interaction is involved in revoking the privileges and the system takes care of those automatically.
[ ] Time-bound privileges are defined in a declarative fashion in the IaC
Reminders
[ ] Please attach your team label and any other appropriate label(s) (operations, devops, and needs-grooming will automatically be applied as part of the template)
[ ] Please connect to an epic (this will typically be done by the Platform Operations PM or TL)
Who is the devops resource on your team?
N/A
Background/context
Additional background can be found here: https://github.com/department-of-veterans-affairs/va.gov-team/issues/42776#issuecomment-1167384033