github-actions[bot]
commented
1 month ago This issue is stale because it has been open 90 days with no activity.
Closed sukeshreddyg closed 3 hours ago
github-actions[bot]
commented
1 month ago This issue is stale because it has been open 90 days with no activity.
Khatraf
commented
6 days ago 
richgreen-moj
commented
3 hours ago Ticket reviewed. The DoD is complete. Looks good to me - we now have stricter permissions on the use of kms:CreateGrant.
Nice work @Khatraf 👍
User Story
As a Modernisation Platform engineer I want to investigate potential security risks associated with granting the kms:CreateGrant permission to the GitHub OIDC role. Additionally, I aim to explore the feasibility of adding conditions to restrict the usage of this permission to prevent unauthorized granting of keys to users and roles.
Value / Purpose
The purpose of this issue is to ensure security of our key management system by thoroughly assessing the risks introduced by granting the
kms:CreateGrantpermission. By implementing appropriate safeguards, we aim to mitigate the risk of unauthorized access to keys.Useful Contacts
No response
Additional Information
This permission,
kms:CreateGrant, is required for the purpose of copying snapshotsProposal / Unknowns
Hypothesis If we... [do a thing] Then... [this will happ]
Proposal A proposal that is something testable, don't worry whether it works or not, it's a place for ideas.
Unknowns Potential pitfalls that could cause the story to expand beyond its original scope. Ideally this section will remain blank.
Definition of Done