Skip to content

Commit 2a27b94

Browse files
authored
Merge pull request #23 from ONS-Innovation/credential-refactor-and-key-rotation
KEH 1706 & 1708: Credential Refactor and Key Rotation
2 parents b1fa193 + de8b440 commit 2a27b94

8 files changed

Lines changed: 130 additions & 38 deletions

File tree

.checkov.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,3 +18,12 @@ skip-check:
1818
# It is not needed here since our Lambda functions use container
1919
# images over uploading .zip files for layers.
2020
- CKV_AWS_272
21+
22+
# AWS-managed key encryption is sufficient and CMK not required for this service
23+
- CKV_AWS_149
24+
25+
# IAM user required for local development
26+
- CKV_AWS_273
27+
28+
# Key rotation is already provisioned by external module
29+
- CKV2_AWS_57

.github/pull_request_template.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ Have any new tests been added as part of this issue? If not, try to explain why
1616

1717
- [ ] Yes
1818
- [ ] No
19-
Please write a brief description of why test coverage is not necessary here.
19+
Please write a brief description of why test coverage is not necessary here.
2020
- [ ] Not as part of this ticket. (Could be done at a later point)
2121

2222
### Documentation
@@ -26,7 +26,7 @@ as new code is added, rather than leaving it for the future.
2626

2727
- [ ] Yes
2828
- [ ] No
29-
Please write a brief description of why documentation is not necessary here.
29+
Please write a brief description of why documentation is not necessary here.
3030
- [ ] Not as part of this ticket. (Could be done at a later point)
3131

3232
### Related issues

.trivyignore

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,4 +9,11 @@ AVD-AWS-0017
99
AVD-AWS-0104
1010

1111
# Ignore wildcarded resource in IAM policy
12-
AVD-AWS-0057
12+
AVD-AWS-0057
13+
14+
# MFA enforcement on IAM group is not applicable as group is used for
15+
# programmatic access via access keys, not console login
16+
AVD-AWS-0123
17+
18+
# AWS-managed key encryption is sufficient and CMK not required
19+
AVD-AWS-0098

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -196,7 +196,7 @@ To run the Lambda function outside of a container, we need to execute the `handl
196196
...
197197
```
198198
199-
**Please Note:** If uncommenting the above in `main.py`, make sure you re-comment the code *before* pushing back to GitHub.
199+
**Please Note:** If uncommenting the above in `main.py`, make sure you re-comment the code _before_ pushing back to GitHub.
200200
201201
2. Export the required environment variables:
202202

docs/technical_documentation/configuration.md

Lines changed: 33 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -8,17 +8,17 @@ The `config.json` file contains the following:
88

99
```json
1010
{
11-
"features": {
12-
"show_log_locally": false,
13-
"use_local_config": false
14-
},
15-
"archive_configuration": {
16-
"archive_threshold": 365,
17-
"notification_period": 30,
18-
"notification_issue_tag": "Archive Notice",
19-
"exemption_filename": ["ArchiveExemption.txt", "ArchiveExemption.md"],
20-
"maximum_notifications": 1
21-
}
11+
"features": {
12+
"show_log_locally": false,
13+
"use_local_config": false
14+
},
15+
"archive_configuration": {
16+
"archive_threshold": 365,
17+
"notification_period": 30,
18+
"notification_issue_tag": "Archive Notice",
19+
"exemption_filename": ["ArchiveExemption.txt", "ArchiveExemption.md"],
20+
"maximum_notifications": 1
21+
}
2222
}
2323
```
2424

@@ -76,17 +76,17 @@ When testing locally, you might set the `config.json` file as follows:
7676

7777
```json
7878
{
79-
"features": {
80-
"show_log_locally": true,
81-
"use_local_config": true
82-
},
83-
"archive_configuration": {
84-
"archive_threshold": 365,
85-
"notification_period": 30,
86-
"notification_issue_tag": "Archive Notice",
87-
"exemption_filename": ["ArchiveExemption.txt", "ArchiveExemption.md"],
88-
"maximum_notifications": 0
89-
}
79+
"features": {
80+
"show_log_locally": true,
81+
"use_local_config": true
82+
},
83+
"archive_configuration": {
84+
"archive_threshold": 365,
85+
"notification_period": 30,
86+
"notification_issue_tag": "Archive Notice",
87+
"exemption_filename": ["ArchiveExemption.txt", "ArchiveExemption.md"],
88+
"maximum_notifications": 0
89+
}
9090
}
9191
```
9292

@@ -98,17 +98,17 @@ When deploying to AWS, the `config.json` file should be set as follows:
9898

9999
```json
100100
{
101-
"features": {
102-
"show_log_locally": false,
103-
"use_local_config": false
104-
},
105-
"archive_configuration": {
106-
"archive_threshold": 365,
107-
"notification_period": 30,
108-
"notification_issue_tag": "Archive Notice",
109-
"exemption_filename": ["ArchiveExemption.txt", "ArchiveExemption.md"],
110-
"maximum_notifications": 200
111-
}
101+
"features": {
102+
"show_log_locally": false,
103+
"use_local_config": false
104+
},
105+
"archive_configuration": {
106+
"archive_threshold": 365,
107+
"notification_period": 30,
108+
"notification_issue_tag": "Archive Notice",
109+
"exemption_filename": ["ArchiveExemption.txt", "ArchiveExemption.md"],
110+
"maximum_notifications": 200
111+
}
112112
}
113113
```
114114

kics.config

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,3 +10,9 @@ exclude-queries:
1010

1111
# Sensitive Port Exposed to Private Network (This is fine due to VPC)
1212
- 92fe237e-074c-4262-81a4-2077acb928c1
13+
14+
# AWS-managed key encryption is sufficient and CMK not required for this service
15+
- a2f548f2-188c-4fff-b172-e9a6acb216bd
16+
17+
# Prevent user group no membership false positive
18+
- fc101ca7-c9dd-4198-a1eb-0fbe92e80044

terraform/service/main.tf

Lines changed: 57 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -137,4 +137,60 @@ resource "aws_iam_role_policy_attachment" "eventbridge_policy" {
137137
resource "aws_cloudwatch_log_group" "loggroup" {
138138
name = "/aws/lambda/${aws_lambda_function.lambda_function.function_name}"
139139
retention_in_days = var.log_retention_days
140-
}
140+
}
141+
142+
# IAM User Group
143+
resource "aws_iam_group" "group" {
144+
name = "${var.env_name}-${var.lambda_name}-user-group"
145+
path = "/"
146+
}
147+
148+
resource "aws_iam_group_policy_attachment" "group_vpc_permissions_attachment" {
149+
group = aws_iam_group.group.name
150+
policy_arn = aws_iam_policy.vpc_permissions.arn
151+
}
152+
153+
resource "aws_iam_group_policy_attachment" "group_lambda_logging_attachment" {
154+
group = aws_iam_group.group.name
155+
policy_arn = aws_iam_policy.lambda_logging.arn
156+
}
157+
158+
resource "aws_iam_group_policy_attachment" "group_lambda_s3_policy_attachment" {
159+
group = aws_iam_group.group.name
160+
policy_arn = aws_iam_policy.lambda_s3_policy.arn
161+
}
162+
163+
resource "aws_iam_group_policy_attachment" "group_lambda_secret_manager_policy_attachment" {
164+
group = aws_iam_group.group.name
165+
policy_arn = aws_iam_policy.lambda_secret_manager_policy.arn
166+
}
167+
168+
resource "aws_iam_group_policy_attachment" "group_lambda_eventbridge_policy_attachment" {
169+
group = aws_iam_group.group.name
170+
policy_arn = aws_iam_policy.lambda_eventbridge_policy.arn
171+
}
172+
173+
# IAM User
174+
resource "aws_iam_user" "user" {
175+
name = "${var.env_name}-${var.lambda_name}"
176+
path = "/"
177+
}
178+
179+
# Assign IAM User to group
180+
resource "aws_iam_user_group_membership" "user_group_attach" {
181+
user = aws_iam_user.user.name
182+
183+
groups = [
184+
aws_iam_group.group.name
185+
]
186+
}
187+
188+
# IAM Key Rotation Module
189+
module "iam_key_rotation" {
190+
source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.0"
191+
192+
iam_username = aws_iam_user.user.name
193+
access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
194+
secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
195+
rotation_in_days = 90
196+
}

terraform/service/secrets.tf

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
# Secrets for rotated IAM user access keys
2+
resource "aws_secretsmanager_secret" "access_key" {
3+
name = "${var.env_name}-${var.lambda_name}-access-key"
4+
description = "Access Key ID for archive script IAM user"
5+
recovery_window_in_days = 0 // Secret will be deleted immediately
6+
force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
7+
}
8+
9+
resource "aws_secretsmanager_secret" "secret_key" {
10+
name = "${var.env_name}-${var.lambda_name}-secret-key"
11+
description = "Secret Access Key for archive script IAM user"
12+
recovery_window_in_days = 0 // Secret will be deleted immediately
13+
force_overwrite_replica_secret = true // Allow overwriting the secret in case of changes
14+
}

0 commit comments

Comments
 (0)