You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In almost every case, we would like the access to the AWS S3 Buckets from the Agency IPs or from cloud.gov IPs. A gap in security here is that developers who leave organizations would still have access to the AWS S3 buckets from home or other places. Its not easy to guarantee the keys to be rotated on time espacially when the develoeprs have access to all keys in the space. One possible implementation - while provisioning an AWS S3 service, IP ranges can be passed as a parameter to restrict access to agency IPs. If possible, this should be done to public AWS S3 as well to prevent anyone from logging in and wiping contents (example of this is our website).
Acceptance Criteria
WHEN provisioning a new AWS S3 service
THEN allow Agency IP addresses to be passed to restrict access
AND when service keys are created OR application is bound to service, resulting access keys can be usable only from Agency IPs and cloud.gov IPs
Security considerations
[note any potential changes to security boundaries, practices, documentation, risk that arise directly from this story]
Implementation sketch
[links to background notes, sketches, and/or relevant documentation
[first thing to do]
[another thing to do]
The text was updated successfully, but these errors were encountered:
(This originally came in as cloud-gov/aws-broker#93)
In almost every case, we would like the access to the AWS S3 Buckets from the Agency IPs or from cloud.gov IPs. A gap in security here is that developers who leave organizations would still have access to the AWS S3 buckets from home or other places. Its not easy to guarantee the keys to be rotated on time espacially when the develoeprs have access to all keys in the space. One possible implementation - while provisioning an AWS S3 service, IP ranges can be passed as a parameter to restrict access to agency IPs. If possible, this should be done to public AWS S3 as well to prevent anyone from logging in and wiping contents (example of this is our website).
Acceptance Criteria
WHEN provisioning a new AWS S3 service
THEN allow Agency IP addresses to be passed to restrict access
AND when service keys are created OR application is bound to service, resulting access keys can be usable only from Agency IPs and cloud.gov IPs
Security considerations
[note any potential changes to security boundaries, practices, documentation, risk that arise directly from this story]
Implementation sketch
[links to background notes, sketches, and/or relevant documentation
[first thing to do]
[another thing to do]
The text was updated successfully, but these errors were encountered: