IAM Credential Management

From Kautepedia
Revision as of 01:29, 15 January 2025 by Solomon.pidoke (talk | contribs)

Key Age Recommendations

Internal

  • Rotation Frequency: Access keys should be rotated at least every 90 days.
  • Unused Keys: Disable keys not used for 30 days.
  • Automation: Use AWS Lambda and EventBridge to automate key rotation and notify users.

External

  • Rotation Frequency: Access keys for external suppliers should be rotated every 180 days (6 months). This gives suppliers sufficient time to update their scripts and minimizes disruptions.
  • Notifications: Notify suppliers 30 days before key rotation deadlines and provide clear instructions on updating credentials.
  • Unused Keys: Flag keys that have been inactive for 90 days and disable them if not used or updated.

Supplier Contact Information

Valentia

  • Company Name: Valentia Technologies
  • Primary Contact: Valentia - Primary care
  • Integration Points: AWS S3 (kpa-valentia bucket), IAM key, daily delta file transfers.

For more information, refer to Indici data.

Kotahi (Karo)

  • Company Name: Karo
  • Primary Contact: Isabelle Beaumont
  • Integration Points: The kotahi-writer IAM user is used by Karo to securely upload files to the s3://kpt-kotahi bucket using its access keys.

Refer to Kotahi data supply for details.

Key Rotation Process for Valentia

The following process outlines the proposed steps required to rotate access keys for the Valentia IAM user and ensure seamless data uploads to the s3://kpa-valentia bucket.

For access keys, the rotation process involves creating a new key, securely sharing it with Valentia, and deactivating the old key after confirmation of successful integration.

To ensure a smooth key rotation, the general approach is as follows:

  1. Create a new access key: A new access key is generated for the valentia IAM user in the AWS Console or via CLI. The old key remains active during this process to avoid disruptions.
  2. Notify Valentia: Submit a ticket to Valentia with details of the new Access Key ID and offer to securely share the Secret Access Key.
  3. Test the new key: Valentia tests the new key by uploading a test file to the S3 bucket s3://kpa-valentia. Validate the key's activity and confirm successful uploads.
  4. Disable the old key: Once Valentia confirms the new key is in use and testing is successful, the old key is disabled in the AWS Console or CLI.
  5. Delete the old key: After a buffer period with no errors in data uploads, the old key is permanently deleted.
  6. Document the process: Record the key rotation, possibly in the audit log (the exact location is still to be confirmed), and update any relevant documentation.

Note: This process is currently under development and has not yet been executed. Additional refinements or adjustments may be needed once the initial rotation is completed.

Internal IAM User Automated Access Key Process

The following outlines the automated process for rotating access keys for internal IAM users, ensuring compliance with security best practices while minimizing manual intervention.

Automated Key Rotation Process

  1. Lambda Function:
    • An access-key-rotation-check Lambda function automatically checks the age of access keys for all internal IAM users.
    • Keys older than 90 days are flagged for rotation.
  2. Key Management: If a user has:
    • Two keys: the oldest key is deleted.
    • One key: the key is deactivated.
  3. Notifications:
    • The Lambda function sends an email notification to the user stating that the key has been deleted/deactivated. The email includes:
      1. Access Key ID.
      2. Secret Access Key.
    • Emails are sent using Amazon SES to ensure secure delivery.
  4. Schedule: The process is triggered weekly on Monday using an Amazon EventBridge schedule.
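The weekly check described above, written out as an added illustration (this is not the access-key-rotation-check function itself). It assumes boto3 as the AWS client, placeholder e-mail addresses, and that a key which is already inactive is left alone; the decision logic is kept separate from the AWS calls so it can be checked with constructed key metadata.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # internal rotation policy stated on this page


def plan_rotation(keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Decide the weekly action for one user from ListAccessKeys metadata
    (dicts with AccessKeyId, Status and a timezone-aware CreateDate).
    Returns ("delete", id), ("deactivate", id) or None when nothing is due."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    if not any(k["CreateDate"] < cutoff for k in keys):
        return None  # no key has passed the age limit
    if len(keys) >= 2:
        # Two keys: delete the oldest; the newer one keeps the user working.
        oldest = min(keys, key=lambda k: k["CreateDate"])
        return ("delete", oldest["AccessKeyId"])
    only = keys[0]
    if only["Status"] == "Inactive":
        return None  # assumption: an already-inactive key is left for manual cleanup
    # One key: deactivate rather than delete so it can be re-enabled if needed.
    return ("deactivate", only["AccessKeyId"])


def notification_text(user_name, action, key_id):
    """E-mail body: names the key ID and what happened (no new secret is created)."""
    return f"Access key {key_id} for IAM user {user_name} was {action}d."


def lambda_handler(event, context):
    """EventBridge entry point (weekly, Monday). boto3 is imported here so the
    decision logic above stays importable and testable without AWS."""
    import boto3
    iam, ses = boto3.client("iam"), boto3.client("ses")
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
            plan = plan_rotation(keys)
            if plan is None:
                continue
            action, key_id = plan
            if action == "delete":
                iam.delete_access_key(UserName=name, AccessKeyId=key_id)
            else:
                iam.update_access_key(UserName=name, AccessKeyId=key_id, Status="Inactive")
            ses.send_email(  # assumption: each user's mailbox is <UserName>@example.invalid
                Source="iam-rotation@example.invalid",
                Destination={"ToAddresses": [f"{name}@example.invalid"]},
                Message={"Subject": {"Data": "IAM access key rotated"},
                         "Body": {"Text": {"Data": notification_text(name, action, key_id)}}})
```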