department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Reduce excessive access permissions in AWS #50662

Open raywangoctova opened 1 year ago

raywangoctova commented 1 year ago

LOE

Medium

Problem Statement

Currently, there is some bloating in our highest levels of access across our most important system -- AWS. We don't have hard and fast rules about who should be in what groups in AWS so we have more users than expected in the AWS Admin and AWS SSM Prod roles.

How might we ensure that we have the correct folks in the correct AWS roles now, and, moving forward, maintain that?

User Impact

Some people will have less access but the correct level of access for their roles.

Where was this problem reported?

Leadership noticed

What do we not know about the problem space?

We can see who has what access; we know those access levels should be very limited.

What (if any) research or discovery has been done?

None yet, but we should consider more consistent use of AWS roles. Individual users should not be getting individual access assigned. We should also be using temporary AWS credentials to allow permission escalation when necessary.

What is the acceptance criteria?

How should we measure success?

% reduction in AWS admin access
% reduction in AWS SSM Prod access

TODOs
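As an added, offline example (not code from va.gov-team): a small audit over a constructed IAM snapshot in the shape of `aws iam get-account-authorization-details` output, which flags the individually assigned access the issue wants to eliminate and computes the "% reduction" success metric for a policy such as AdministratorAccess. All user and group names, and the SSMProdAccess policy, are made up for the example.

```python
# Offline audit of an IAM authorization snapshot: flag direct user policy attachments
# and compute the issue's "% reduction" metric. Hypothetical helper, not va.gov-team code.
# Constructed sample data shaped like `aws iam get-account-authorization-details` output
# (abbreviated). Apart from the AWS-managed AdministratorAccess policy, names are made up.
SNAPSHOT_BEFORE = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["aws-admin"], "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": [], "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess"}]},
        {"UserName": "dave", "GroupList": ["aws-admin", "ssm-prod"], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "aws-admin", "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess"}]},
        {"GroupName": "ssm-prod", "AttachedManagedPolicies": [{"PolicyName": "SSMProdAccess"}]},
    ],
}
# After cleanup: bob's direct attachment removed, dave dropped from aws-admin.
SNAPSHOT_AFTER = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["aws-admin"], "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": [], "AttachedManagedPolicies": []},
        {"UserName": "dave", "GroupList": ["ssm-prod"], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": SNAPSHOT_BEFORE["GroupDetailList"],
}

def direct_attachments(snapshot):
    """Users holding policies attached directly instead of through a group."""
    return {u["UserName"]: [p["PolicyName"] for p in u["AttachedManagedPolicies"]]
            for u in snapshot["UserDetailList"] if u["AttachedManagedPolicies"]}

def holders(snapshot, policy_name):
    """Users who hold policy_name directly or via any group they belong to."""
    group_policies = {g["GroupName"]: {p["PolicyName"] for p in g["AttachedManagedPolicies"]}
                      for g in snapshot["GroupDetailList"]}
    result = set()
    for u in snapshot["UserDetailList"]:
        effective = {p["PolicyName"] for p in u["AttachedManagedPolicies"]}
        effective.update(*(group_policies.get(g, set()) for g in u["GroupList"]))
        if policy_name in effective:
            result.add(u["UserName"])
    return result

def percent_reduction(before, after, policy_name):
    """The issue's success metric: % fewer holders of policy_name after cleanup."""
    n_before, n_after = len(holders(before, policy_name)), len(holders(after, policy_name))
    if n_before == 0:  # nothing to reduce; avoid division by zero
        return 0.0
    return round(100.0 * (n_before - n_after) / n_before, 1)
```

On a real account, feed the JSON from `aws iam get-account-authorization-details` in place of the constructed snapshots; a non-empty `direct_attachments` result is the list of individual grants to move into roles or groups.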

little-oddball commented 1 year ago

Should have a spike to be more specific about the problem space but more importantly to perform research and thought into a recommended best practice path forward.