ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License
680 stars 290 forks

SPIKE: How do we ensure access keys are rotated every 90 days or less #3205

Closed davidkelliott closed 2 weeks ago

davidkelliott commented 1 year ago

User Story

As a security engineer, I want to ensure AWS access keys are rotated every 90 days or less, to reduce the likelihood that they are exploited.

https://docs.google.com/document/d/1ZOrGgOjApNo61SD2WAqAJgQScC7feoqP/edit

User Type(s)

Security engineer

Value

Reduce risk around credentials.

Questions / Assumptions / Hypothesis

This is currently monitored in security hub, but we could add something to security baselines to enforce this. The credentials in the platform now are IAM users, member CI/CD users and the testing user.

Can we implement this through the guidance provided here? https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html

Alternatively, is this more appropriate for us? https://aws.amazon.com/blogs/mt/managing-aged-access-keys-through-aws-config-remediations/

Definition of done

Reference

How to write good user stories
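The 90-day rule in the user story above is the same check that Security Hub applies, and it can be evaluated offline from the IAM credential report (the CSV returned by `GetCredentialReport`). The script below is an added example, not the Modernisation Platform's own tooling: it parses a constructed credential report with the real report's column layout and lists every active access key whose `access_key_N_last_rotated` timestamp is more than 90 days old. The user names, account id and timestamps in `SAMPLE_REPORT` are made up; `SAMPLE_NOW` is a fixed "now" so the output is reproducible.

```python
"""
Flag IAM user access keys that have not been rotated within 90 days.

Added illustration for the access-key rotation user story; not the
Modernisation Platform's own script. Reads the IAM credential report
CSV format (column names as returned by GetCredentialReport).
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # the threshold the user story asks for

# Constructed sample report. The header row matches the real credential
# report; the rows (account id, users, dates) are invented for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-cd-member,arn:aws:iam::111122223333:user/ci-cd-member,2023-05-02T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-15T10:00:00+00:00,2024-06-01T08:30:00+00:00,eu-west-2,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ses-smtp-user,arn:aws:iam::111122223333:user/ses-smtp-user,2023-05-02T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-20T10:00:00+00:00,N/A,N/A,N/A,true,2023-11-01T10:00:00+00:00,2024-03-01T00:00:00+00:00,eu-west-2,ses,false,N/A,false,N/A
collaborator,arn:aws:iam::111122223333:user/collaborator,2023-05-02T09:00:00+00:00,true,2024-06-10T12:00:00+00:00,2024-05-01T12:00:00+00:00,2024-07-30T12:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference time (constructed) so the example is deterministic.
SAMPLE_NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)


def parse_report_timestamp(value):
    """Credential report timestamps are ISO 8601 with an explicit offset.
    The placeholders N/A, no_information and not_supported mean 'absent'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return [(user, key_slot, age_in_days)] for every *active* access key
    whose last rotation is older than max_age_days at time `now`.

    Inactive keys are skipped: they cannot be used, so rotation is moot, and
    the report lists them for users whose keys were already disabled.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # each IAM user can hold at most two keys
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_report_timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue  # defensive: an active key should always have a rotation date
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append((row["user"], int(slot), age_days))
    return findings


if __name__ == "__main__":
    for user, slot, age in stale_access_keys(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: access key {slot} last rotated {age} days ago (> {MAX_KEY_AGE_DAYS})")
```

Against the sample data this reports `ci-cd-member` key 1 (151 days) and `ses-smtp-user` key 2 (226 days); the collaborator has console access only and no keys, so nothing is flagged for them. To run it against a real account, fetch the report with `aws iam get-credential-report` (the `Content` field is base64-encoded CSV) and pass the decoded text to `stale_access_keys`.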

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 90 days with no activity.

SimonPPledger commented 1 year ago

@dms1981 to refine

dms1981 commented 1 year ago

I think the need for this will reduce as we increase the use of OIDC, but some bespoke additions like SES email users will still be in scope.

github-actions[bot] commented 9 months ago

This issue is stale because it has been open 90 days with no activity.

davidkelliott commented 2 months ago

Checked: this still needs to be implemented. Although access keys for superadmins are deleted, they are not for collaborators (only console access).

ep-93 commented 3 weeks ago

https://docs.google.com/document/d/1OU4mwCVqUFN-MwHeDXCaxc17I3ytOVWDFfG3IOEEpZg/edit?usp=sharing

dms1981 commented 3 weeks ago

From what I can tell there isn't a solid conclusion from the linked document. I couldn't see any evidence of a discussion with the team in Slack, nor does this issue have any comments on outcomes or related stories for implementation.

ep-93 commented 2 weeks ago

So a conclusion has been added. I didn't want to assume route 1, 2 or 3 without a team discussion, and I was off sick before that could happen. Hoping after stand-up today there is time, and then I can edit the conclusion if needed and create a ticket from what is agreed.

ep-93 commented 2 weeks ago

It's actually already done here: https://github.com/ministryofjustice/modernisation-platform/blob/main/scripts/iam-monitoring/collaborators-inactivity-monitoring/disable_user_credentials.sh