Enable security login best practices for AWS login

[ZainRizvi]

Problem

Currently the AWS account used by LF has a fixed set of users with permanent access. This poses two challenges:

1. Any new contributors for the ci-infra need to be explicitly be granted access by someone who is already on the AWS account
2. That access remains forever, increasing the risk of leaked credentials
3. That access is too permissive, increasing the potential blast radius of leaked credentials or even accidental changes

Desired solution

We need a way to secure the Linux Foundation AWS account in a way that offers the following features

• Time limited credentials for partners, ideally making it self-serve or easy to approve
• Specific roles with set permissions granted
• Enforcing general AWS account security best practices (e.g. 2FA)

Ideally the credential duration and roles/permissions would be configurable so that they're easy to edit as our needs evolve.

[zxiiro]

2FA is now enforced on all accounts with a change I made a few weeks ago. As long as we use our predefined roles that have the policy to enforce set. I think what we need to do is define some roles we want to support and then apply policies to them that match our definition of those roles.

I'm not sure how to configure time limited credentials in an automated way but until we figure that out maybe we can review the list of folks who have access on a regular basis. Presumably folks who need access would be attending the weekly sync-up meetings. So maybe we can set a policy that says if these folks haven't joined a weekly sync up meeting for x weeks or months then we will disable their IAM account.

[zxiiro]

@jeanschmidt mentioned on the call we should define a few administrators whom will have access to manage the roles. These folks should come from trusted people on the ci-infra project.

Outside of this we will likely want to grant PowerUser level permissions as the highest permissions for folks who need to get into the system for a limited time as it has less permissions than full on admin.

Folks who need to run Terraform will need Administrator permissions though as Terraform needs fully access to be able to run.

[zxiiro]

Looks like creating access policy based on a time range is possible with AWS IAM https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html

[zxiiro]

Merged the document but we still need to actually implement the policies in the document so keeping this issue open.

[SamuelN-CyberSec]

You are describing a classic problem: permanent users with overly broad access that grows stale over time. Migrate to AWS IAM Identity Center (formerly SSO) with permission sets scoped to specific roles, then enforce short-lived credentials via CLI with aws login—this eliminates permanent keys and lets you grant/revoke access centrally through group membership. I actually wrote an Implementation Playbook that maps out this migration from static IAM users to SSO with least-privileged permission sets, including the Terraform pattern for managing it all: https://wokemodo.gumroad.com/l/jszcx

[zxiiro]

This is implemented already we're using LFID SSO at this point with user selectable roles allowing them to choose the least privileges they need. Closing this out.