modernisation-platform
SPIKE: How do we ensure access keys are rotated every 90 days or less
User Story
As a security engineer, I want to ensure AWS access keys are rotated every 90 days or less, to reduce the likelihood that they are exploited.
https://docs.google.com/document/d/1ZOrGgOjApNo61SD2WAqAJgQScC7feoqP/edit
User Type(s)
Security engineer
Value
Reduce risk around credentials.
Questions / Assumptions / Hypothesis
This is currently monitored in Security Hub, but we could add something to the security baselines to enforce it. The credentials in the platform now are IAM users, member CI/CD users and the testing user.
Can we implement this through the guidance provided here? https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html
Alternatively, is this more appropriate for us? https://aws.amazon.com/blogs/mt/managing-aged-access-keys-through-aws-config-remediations/
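An added example (not code from the modernisation-platform repository) of the check the two linked approaches automate: it flags active IAM access keys older than the 90-day limit, run here over a constructed sample shaped like the `AccessKeyMetadata` entries the IAM `ListAccessKeys` API returns. It also builds the `PutConfigRule` payload for the AWS-managed Config rule `ACCESS_KEYS_ROTATED` (the mechanism behind the second link), and, as a generalisation of the story, flags any key at all held by a user who is supposed to have console access only. The user names, key ids and the fixed `NOW` are constructed values; the `collect_access_keys` helper is the only part that touches a live account and is not called here.

```python
"""Flag IAM access keys that breach the 90-day rotation limit.

Added example, not the project's own code. The check works on records shaped
like IAM ListAccessKeys AccessKeyMetadata, so it runs unchanged on live data
(via collect_access_keys) or on the constructed sample below.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # the rotation limit from the story


def stale_access_keys(keys, now=None, max_age_days=MAX_KEY_AGE_DAYS,
                      console_only_users=frozenset()):
    """Return (user, key_id, age_days, reason) for every key that needs action.

    A key is reported when it is Active and older than max_age_days, or when it
    belongs to a user in console_only_users (such users should have no
    programmatic credentials at all, so any key is a finding regardless of
    age). Inactive keys cannot sign requests and are ignored. Results are
    sorted oldest first so the most urgent rotations come out on top.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        age_days = (now - key["CreateDate"]).days
        if key["UserName"] in console_only_users:
            reason = "console-only user holds an access key"
        elif age_days > max_age_days:
            reason = f"key older than {max_age_days} days"
        else:
            continue
        findings.append((key["UserName"], key["AccessKeyId"], age_days, reason))
    return sorted(findings, key=lambda f: -f[2])


def access_keys_rotated_rule(max_age_days=MAX_KEY_AGE_DAYS,
                             name="access-keys-rotated"):
    """Build the PutConfigRule request for the AWS-managed ACCESS_KEYS_ROTATED rule.

    The managed rule evaluates periodically and marks a key NON_COMPLIANT once
    it is older than maxAccessKeyAge days; pass the returned dict as kwargs to
    a boto3 Config client's put_config_rule(ConfigRule=...).
    """
    return {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
        "InputParameters": json.dumps({"maxAccessKeyAge": str(max_age_days)}),
        "MaximumExecutionFrequency": "TwentyFour_Hours",
    }


def collect_access_keys(iam_client):
    """Gather AccessKeyMetadata for every IAM user in the account (live data).

    Takes an already-built boto3 IAM client (boto3.client("iam")) so that this
    module does not import boto3 at load time. Not called in the sample run.
    """
    keys = []
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            paginator = iam_client.get_paginator("list_access_keys")
            for key_page in paginator.paginate(UserName=user["UserName"]):
                keys.extend(key_page["AccessKeyMetadata"])
    return keys


# Constructed sample: a fixed "now" keeps the ages reproducible, and the
# user names and key ids are placeholders, not real credentials.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-user", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
    {"UserName": "testing-user", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "ci-user", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "collaborator-a", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    findings = stale_access_keys(SAMPLE_KEYS, now=NOW,
                                 console_only_users={"collaborator-a"})
    for user, key_id, age, reason in findings:
        print(f"{user}\t{key_id}\t{age}d\t{reason}")
```

Running the sample reports the 120-day-old `ci-user` key and the collaborator's key; the 30-day key and the inactive key are left alone. The age check uses strictly greater than 90 so that "rotated every 90 days or less" is read the same way the managed Config rule reads `maxAccessKeyAge`.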
Definition of done
- [ ] Spike timeboxed
- [ ] Options discovered
- [ ] Options discussed with team
- [ ] Decision reached
- [ ] Story raised (if appropriate)
Reference
This issue is stale because it has been open 90 days with no activity.
@dms1981 to refine
I think the need for this will reduce as we increase the use of OIDC, but some bespoke additions like SES email users will still be in scope.
This issue is stale because it has been open 90 days with no activity.
Checked, this still needs to be implemented: although access keys for superadmins are deleted, they are not for collaborators (only console access).