Manage the IAM roles of compliance people #716

Open
pburkholder opened this issue Apr 8, 2020 · 1 comment

@pburkholder
Contributor

In order to logically manage the IAM roles of compliance folks, we should specify them in TF.

Acceptance Criteria

  • [ ]

Security considerations

Yes. This will need careful review
[note any potential changes to security boundaries, practices, documentation, risk that arise directly from this story]

Implementation sketch

  • Create a Compliance group
  • Compliance group should have the following roles
    • AWS managed policy: SupportUser
    • AWS managed policy: SecurityAudit
    • custom policy: ManageMFAandAccessKeys
    • custom policy: AdditionalCGSecurity

The AdditionalCGSecurity policy should include:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "logs:Get*",
            "logs:Describe*",
            "sns:Get*",
            "sns:List*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  • Add compliance people to that group
  • Remove extraneous policies no longer in use
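
The implementation sketch above, written out as Terraform. This is an added example, not the project's own configuration. It assumes the AWS provider is already configured, that a customer-managed policy named ManageMFAandAccessKeys already exists in the account (its contents are not given in the issue, so it is referenced by ARN rather than defined), and the user names in `compliance_users` are placeholders. One point worth flagging for the "careful review" called out above: `logs:Get*` matches `logs:GetLogEvents`, so with `Resource: "*"` the group can read the contents of every log group in the account, not just their metadata.

```hcl
# Added example of the Compliance group sketched in the issue (not the
# project's own code). Assumes a configured AWS provider and an existing
# customer-managed policy named ManageMFAandAccessKeys.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

data "aws_caller_identity" "current" {}

# Placeholder user names; replace with the real compliance people.
variable "compliance_users" {
  description = "IAM user names to place in the Compliance group"
  type        = list(string)
  default     = ["compliance-user-1", "compliance-user-2"]
}

resource "aws_iam_group" "compliance" {
  name = "Compliance"
}

# Custom policy from the sketch. Note that logs:Get* includes
# logs:GetLogEvents, so with resources = ["*"] this reads the contents of
# every log group in the account. Narrow the resource list to specific log
# group ARNs if reviewers only need particular groups.
data "aws_iam_policy_document" "additional_cg_security" {
  statement {
    effect = "Allow"
    actions = [
      "cloudwatch:Describe*",
      "cloudwatch:Get*",
      "cloudwatch:List*",
      "logs:Get*",
      "logs:Describe*",
      "sns:Get*",
      "sns:List*",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "additional_cg_security" {
  name   = "AdditionalCGSecurity"
  policy = data.aws_iam_policy_document.additional_cg_security.json
}

# Everything attached to the group lives in this one map. SupportUser is an
# AWS managed job-function policy; SecurityAudit sits at the root path.
# ManageMFAandAccessKeys is assumed to already exist in this account.
locals {
  compliance_policy_arns = {
    support_user               = "arn:aws:iam::aws:policy/job-function/SupportUser"
    security_audit             = "arn:aws:iam::aws:policy/SecurityAudit"
    additional_cg_security     = aws_iam_policy.additional_cg_security.arn
    manage_mfa_and_access_keys = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/ManageMFAandAccessKeys"
  }
}

# Removing a key from the map above detaches that policy on the next apply,
# which is how "remove extraneous policies no longer in use" stays enforced.
resource "aws_iam_group_policy_attachment" "compliance" {
  for_each   = local.compliance_policy_arns
  group      = aws_iam_group.compliance.name
  policy_arn = each.value
}

# aws_iam_group_membership is authoritative: users not listed in
# var.compliance_users are removed from the group on apply.
resource "aws_iam_group_membership" "compliance" {
  name  = "compliance-group-membership"
  group = aws_iam_group.compliance.name
  users = var.compliance_users
}
```

Because both the policy attachments and the membership are managed as complete sets, `terraform plan` shows any policy or user that was added to the group outside Terraform as a removal, which gives reviewers a single place to check what the compliance group can actually do.
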
@pburkholder
Contributor Author

Started this because I can't view Cloudwatch Logs. Can be completed down the line.
