department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Eliminate the human in the privilege expiration loop #49751

Open td-usds opened 1 year ago

td-usds commented 1 year ago

Who is the devops resource on your team?

N/A

Description

Currently, when we grant AWS privileges for a limited duration, we must remember to sunset those and then actually manually sunset them at the expiration date. To do the remembering we use a variety of brittle mechanisms, such as calendar reminders in the calendar of the person assigning the permissions originally, a Slack reminder, etc. Fundamentally, we rely on a human acting on the reminder, at the right time, with the right actions. Failure to sunset these privileges leads to identities having lingering privileges they no longer need, desire, or should have.

This is a brittle situation to be in and we need a more automatic way of expiring fine-grained privileges that requires no human intervention (and thus eliminates the probability of the human forgetting to do it for whichever reason).

Background/context

Additional background can be found here: https://github.com/department-of-veterans-affairs/va.gov-team/issues/42776#issuecomment-1167384033

Technical notes

There are a couple of things we could do, ranging from having a bot that scans for items to expire (while being mindful not to lock everyone out; using a "mark, notify, eliminate" methodology) or using a declarative mechanism that automatically kicks in at the time of permission evaluation (so that the privilege may still be there, it is just no longer effective).


Tasks

Acceptance Criteria


Reminders
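The two approaches sketched in the technical notes, as an added example that is not code from this issue or the va.gov-team repository: a policy document that expires declaratively through IAM's `DateLessThan` condition on `aws:CurrentTime`, a local stand-in for how that condition is evaluated, and a "mark, notify, eliminate" classifier for the bot-driven alternative. The statement id, bucket ARN and notification window are illustrative assumptions.

```python
"""Added example, not code from the issue or the va.gov-team repo: a time-bound
IAM policy (expiry enforced at evaluation time) and a "mark, notify, eliminate"
classifier for the bot-driven alternative. Names and values are illustrative."""
from datetime import datetime, timedelta, timezone

IAM_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # aws:CurrentTime is compared as ISO 8601 UTC


def time_bound_policy(actions, resources, expires_at):
    """IAM policy whose Allow statement stops matching once aws:CurrentTime
    reaches expires_at; the grant can stay attached and still go inert."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TemporaryAccess",  # hypothetical statement id
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {"DateLessThan": {
                "aws:CurrentTime": expires_at.strftime(IAM_TIME_FMT)}},
        }],
    }


def _iam_time(value):
    return datetime.strptime(value, IAM_TIME_FMT).replace(tzinfo=timezone.utc)


def effective_statements(policy, now):
    """Local stand-in for IAM's evaluation of date conditions: return the Sids
    of statements whose aws:CurrentTime bounds hold at `now` (UTC)."""
    kept = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        before = cond.get("DateLessThan", {}).get("aws:CurrentTime")
        after = cond.get("DateGreaterThan", {}).get("aws:CurrentTime")
        if before and now >= _iam_time(before):
            continue  # expiry reached: statement no longer applies
        if after and now <= _iam_time(after):
            continue  # not yet valid
        kept.append(stmt["Sid"])
    return kept


def classify_grants(grants, now, notify_window=timedelta(days=3)):
    """Bot-side variant: 'keep' active grants, 'notify' on those inside the
    warning window, 'eliminate' those past expiry, so nobody is locked out unwarned."""
    return {name: ("eliminate" if now >= exp
                   else "notify" if now >= exp - notify_window else "keep")
            for name, exp in grants.items()}
```

With the declarative policy the revocation needs no bot run at all; the classifier is only needed for grants that cannot carry a condition (for example group membership), and its "notify" stage is what keeps the sweep from surprising anyone.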

va-vsp-bot commented 1 year ago

This issue is stale. If it is no longer valid, please close the issue. Otherwise please update