Use narrower role(s) than Shared Services "provision account" #133

Open
2 tasks
dav3r opened this issue Aug 17, 2021 · 0 comments
Labels
improvement This issue or pull request will add or improve functionality, maintainability, or ease of use


dav3r commented Aug 17, 2021

💡 Summary

Use a narrower role (or roles) than the Shared Services "provision account" role.

Motivation and context

We currently use a provider based on the very powerful "provision account" role in the Shared Services account to provision assessment environments. To reduce risk, a narrower, more tailored role (or roles) should be created with only the permissions necessary to accomplish the goal.

Implementation notes

Note that we currently have two providers based on the same Shared Services role; this duplication should be eliminated:

Acceptance criteria

  • A less-powerful role (or roles) is used to manipulate resources in the Shared Services account.
  • Assessment environments can still be successfully created, updated, and destroyed.

dav3r added the improvement label Aug 17, 2021
dav3r added a commit to cisagov/cool-assessment-provisioner-iam that referenced this issue Aug 18, 2021
…sment_provision_roles

Also add a TODO to determine if it is possible/worthwhile to replace any 
non-assessment "provision account" roles with something less powerful.  
New roles would need to be created in appropriate repositories, then 
used in cisagov/cool-assessment-terraform and here.  See 
cisagov/cool-assessment-terraform#133.
cisagovbot pushed a commit that referenced this issue Jul 13, 2023