department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Secure process for AWS and SOCKs access #54785

Closed andreahewitt-odd closed 1 year ago

andreahewitt-odd commented 1 year ago

Currently, SOCKs access relies only on a person being on the VFS or Platform roster. The only prereq for getting on the VFS roster is starting platform orientation. One VFS team had a member start orientation, get on the roster, request SOCKs access and then refuse to be fingerprinted. They wanted to lock down this access and in discussion with Platform leadership, we decided we should standardize how we're doing AWS and SOCKs access.

The solution was to require those requesting access to include a screenshot of their eqip transmittal confirmation (example included in this ticket).

Tasks:

Socks:

AWS:

Communication of changes:

Image

mchelen-gov commented 1 year ago

Note: this does not change the requirement that all users with AWS or SOCKS access must appear on the VFS or Platform roster.

andreahewitt-odd commented 1 year ago

Does not solve the problem that Thomas was trying to solve, which is the 3rd voice (Amber confirming eqip date previously).

andreahewitt-odd commented 1 year ago

@little-oddball here's my draft of Comms:

VFS: Hi all! We’re making an adjustment to our process for requesting SOCKS and AWS access. We will now be requiring a screenshot of your E-QIP transmittal date (example below) before we will provision access to either SOCKS or AWS.

We need to ensure that everyone who is given access has been vetted by the government per our security standards. We’ve updated the GH request templates and the Platform Website will be updated in the next deploy on Monday.

Platform:

Hi all! We’re making an adjustment to our process for requesting SOCKS and AWS access. We will now be requiring a screenshot of your E-QIP transmittal date (example below) before we will provision access to either SOCKS or AWS.

We need to ensure that everyone who is given access has been vetted by the government per our security standards. This means that if you are on support or in a position to be granting SOCKS or AWS access, you need to validate that the candidate has provided a screenshot of their E-QIP transmittal before proceeding.

We’ve updated the GH request templates, the Platform Website changes will be published Monday, and our internal documentation.

andreahewitt-odd commented 1 year ago

@jwoodman5 Can you handle announcing the change in TOTs or work with a PM to announce it?

laineymajor commented 1 year ago

This is on TT1's burndown report, but should not be. Just making note as sprint ends today...

little-oddball commented 1 year ago

> This is on TT1's burndown report, but should not be. Just making note as sprint ends today...

Bonus for you! :)