IAM Credential Management
== Key Age Recommendations ==

=== Internal ===
* '''Rotation Frequency''': Access keys should be rotated every '''90 days''' or fewer.
* '''Unused Keys''': Disable keys not used for '''30 days'''.
* '''Automation''': Use AWS Lambda and EventBridge to automate key rotation and notify users.

=== External ===
* '''Rotation Frequency''': Access keys for external suppliers should be rotated every '''180 days''' (6 months). This allows suppliers sufficient time to update their scripts and minimizes disruption.
* '''Notifications''': Notify suppliers 30 days before key rotation deadlines and provide clear instructions on updating credentials.
* '''Unused Keys''': Flag keys that have been inactive for '''90 days''' and disable them if not used or updated.

== Supplier Contact Information ==

=== Valentia ===
* '''Company Name''': Valentia Technologies
* '''Primary Contact''': [https://www.valentiatech.com/sectors/primary-care Valentia - Primary care]
* '''Integration Points''': AWS S3 (<code>kpa-valentia</code> bucket), IAM key, daily delta file transfers. For more information refer to [[Indici data]].

=== Kotahi (Karo) ===
* '''Company Name''': Karo
* '''Primary Contact''': [mailto:isabelle@karo.co.nz Isabelle Beaumont]
* '''Integration Points''': The <code>kotahi-writer</code> IAM user is used by Karo to securely upload files to the <code>s3://kpt-kotahi</code> bucket using its access keys. Refer to [[Kotahi data supply]] for details.

== Key Rotation Process for Valentia ==
The following process outlines the proposed steps required to rotate access keys for the Valentia IAM user and ensure seamless data uploads to the <code>s3://kpa-valentia</code> bucket. The rotation involves creating a new key, securely sharing it with Valentia, and deactivating the old key after confirmation of successful integration.

To ensure a smooth key rotation, the general approach is as follows:
# '''Create a new access key''': Generate a new access key for the '''valentia''' IAM user in the AWS Console or via the CLI. The old key remains active during this step to avoid disruption.
# '''Notify Valentia''': Submit a ticket to Valentia with the new Access Key ID and offer to share the Secret Access Key securely.
# '''Test the new key''': Valentia tests the new key by uploading a test file to <code>s3://kpa-valentia</code>. Validate the key's activity and confirm the uploads succeeded.
# '''Disable the old key''': Once Valentia confirms the new key is in use and testing is successful, disable the old key in the AWS Console or CLI.
# '''Delete the old key''': After a buffer period with no errors in data uploads, permanently delete the old key.
# '''Document the process''': Record the key rotation (possibly in the audit log; to be confirmed) and update any relevant documentation.

'''Note''': This process is currently under development and has not yet been executed. Additional refinements or adjustments may be needed once the initial rotation is completed.

== Internal IAM User Automated Access Key Process ==
The following outlines the automated process for rotating access keys for internal IAM users, ensuring compliance with security best practices while minimizing manual intervention.

=== Automated Key Rotation Process ===
# '''Lambda Function''':
#* The <code>access-key-rotation-check</code> Lambda function automatically checks the age of access keys for all internal IAM users.
#* Keys older than 90 days are flagged for rotation.
# '''Key Management''':
#* If a user has:
#*# '''Two keys''': the oldest key is deleted.
#*# '''One key''': the key is deactivated.
# '''Notifications''':
#* The Lambda function sends an email notification to the user stating that the key has been deleted/deactivated:
#*# Access Key ID.
#*# Secret Access Key.
#* Emails are sent using Amazon SES to ensure secure delivery.
# The process is triggered weekly on Monday using an '''Amazon EventBridge''' schedule.
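Added example (not the wiki's <code>access-key-rotation-check</code> code): a Python sketch of the decision logic for the automated process above, which also applies the 30-day unused-key rule from the Key Age Recommendations. It assumes key records shaped like boto3's <code>iam.list_access_keys</code> output with a <code>LastUsedDate</code> added from <code>iam.get_access_key_last_used</code>; the sender and recipient addresses are placeholders, and boto3 is imported only inside the handler so the decision logic runs offline.

```python
# Added example, not the wiki's Lambda. Key records are assumed to look like boto3's
# iam.list_access_keys output plus LastUsedDate from iam.get_access_key_last_used.
from datetime import datetime, timedelta, timezone

def decide_actions(keys, now, max_age=90, max_idle=30):  # day thresholds from the page
    """Return [(action, key_id)] for one user. Age rule as the page states it: a key
    older than max_age days means the oldest key is deleted when the user has two keys,
    deactivated when one. Idle rule: an active key unused for max_idle days is
    deactivated (assumption: a never-used key is judged by its creation date)."""
    actions = []
    ordered = sorted(keys, key=lambda k: k["CreateDate"])
    if ordered and now - ordered[0]["CreateDate"] > timedelta(days=max_age):
        oldest = ordered[0]
        if len(ordered) >= 2:
            actions.append(("delete", oldest["AccessKeyId"]))
        elif oldest["Status"] == "Active":
            actions.append(("deactivate", oldest["AccessKeyId"]))
    handled = {key_id for _, key_id in actions}
    for k in ordered:
        if k["AccessKeyId"] in handled or k["Status"] != "Active":
            continue
        last_used = k.get("LastUsedDate") or k["CreateDate"]
        if now - last_used > timedelta(days=max_idle):
            actions.append(("deactivate", k["AccessKeyId"]))
    return actions

def apply_actions(iam, user, actions):
    """Carry out the decisions with a boto3 IAM client; returns notification lines."""
    for action, key_id in actions:
        if action == "delete":
            iam.delete_access_key(UserName=user, AccessKeyId=key_id)
        else:
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return [f"Access key {k} of user {user} has been {a}d." for a, k in actions]

def lambda_handler(event, context):
    """Weekly EventBridge entry point: check every user, act, then notify via SES."""
    import boto3  # lazy import: only needed when running inside AWS
    iam, ses = boto3.client("iam"), boto3.client("ses")
    for user in iam.get_paginator("list_users").paginate().search("Users[].UserName"):
        keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
        for k in keys:  # LastUsedDate is absent when the key was never used
            k["LastUsedDate"] = iam.get_access_key_last_used(
                AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"].get("LastUsedDate")
        lines = apply_actions(iam, user, decide_actions(keys, datetime.now(timezone.utc)))
        if lines:  # placeholder addresses: map IAM user names to mailboxes as needed
            ses.send_email(Source="iam-rotation@example.invalid",
                           Destination={"ToAddresses": [f"{user}@example.invalid"]},
                           Message={"Subject": {"Data": "IAM access key rotated"},
                                    "Body": {"Text": {"Data": "\n".join(lines)}}})
```

The weekly cadence means a user with two stale keys loses the oldest one week and has the remaining key deactivated the next, matching the page's two-step rule.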