Enable security login best practices for AWS login #298

Open
ZainRizvi opened this issue Nov 18, 2024 · 4 comments · Fixed by #300
@ZainRizvi
Contributor

Problem

Currently the AWS account used by LF has a fixed set of users with permanent access. This poses two challenges:

  1. Any new contributors for the ci-infra need to be explicitly granted access by someone who is already on the AWS account
  2. That access remains forever, increasing the risk of leaked credentials
  3. That access is too permissive, increasing the potential blast radius of leaked credentials or even accidental changes

Desired solution

We need a way to secure the Linux Foundation AWS account in a way that offers the following features

  • Time limited credentials for partners, ideally making it self-serve or easy to approve
  • Specific roles with set permissions granted
  • Enforcing general AWS account security best practices (e.g. 2FA)

Ideally the credential duration and roles/permissions would be configurable so that they're easy to edit as our needs evolve.

@zxiiro
Collaborator

zxiiro commented Nov 18, 2024

2FA is now enforced on all accounts with a change I made a few weeks ago, as long as we use our predefined roles that have the enforcement policy set. I think what we need to do is define some roles we want to support and then apply policies to them that match our definition of those roles.

I'm not sure how to configure time limited credentials in an automated way but until we figure that out maybe we can review the list of folks who have access on a regular basis. Presumably folks who need access would be attending the weekly sync-up meetings. So maybe we can set a policy that says if these folks haven't joined a weekly sync up meeting for x weeks or months then we will disable their IAM account.

@zxiiro zxiiro self-assigned this Nov 18, 2024
@zxiiro
Collaborator

zxiiro commented Nov 18, 2024

@jeanschmidt mentioned on the call we should define a few administrators who will have access to manage the roles. These folks should come from trusted people on the ci-infra project.

Outside of this we will likely want to grant PowerUser level permissions as the highest permissions for folks who need to get into the system for a limited time, as it has fewer permissions than full-on admin.

Folks who need to run Terraform will need Administrator permissions though, as Terraform needs full access to be able to run.

@zxiiro
Collaborator

zxiiro commented Nov 19, 2024

Looks like creating an access policy based on a time range is possible with AWS IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html
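As a worked example of the approach the comments above converge on (a dedicated role with a fixed permission set, 2FA enforced, access that expires on a date), here is an IAM role trust policy combining those conditions. This is an added illustration, not the policy from this issue or the linked PR; the account id, user name and dates are placeholder values, and `aws:MultiFactorAuthPresent` and `aws:CurrentTime` are standard IAM global condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TimeBoundedMfaGatedAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/example-contributor"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "DateGreaterThan": {
          "aws:CurrentTime": "2024-11-19T00:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "2024-12-19T00:00:00Z"
        }
      }
    }
  ]
}
```

The role this trust policy belongs to would carry the permissions policy chosen for the tier, for example the AWS managed `PowerUserAccess` mentioned above, so the role defines "what" and the trust policy defines "who, how and until when". Two points worth knowing when applying this: `aws:MultiFactorAuthPresent` is only present in requests made with temporary credentials, so the `Bool` test on `"true"` also refuses long-term access keys used directly; and the date window only gates new `AssumeRole` calls, so a session issued just before the end date stays valid until the role's maximum session duration runs out. Extending access is then a matter of editing the `DateLessThan` value rather than touching user permissions.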

zxiiro added a commit that referenced this issue Nov 19, 2024
The goal of this Pull Request is to create an access policy that the
PyTorch CI Infra team can enforce and grant access to community
contributors who require access to the PyTorch Foundation's AWS
Account.

Closes: #298
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
zxiiro added a commit that referenced this issue Jan 7, 2025
The goal of this Pull Request is to create an access policy that the
PyTorch CI Infra team can enforce and grant access to community
contributors who require access to the PyTorch Foundation's AWS
Account.

Issue: #298
Signed-off-by: Thanh Ha <thanh.ha@linuxfoundation.org>
Co-authored-by: Zain Rizvi <ZainRizvi@users.noreply.github.com>
@zxiiro
Collaborator

zxiiro commented Jan 7, 2025

Merged the document but we still need to actually implement the policies in the document so keeping this issue open.

@zxiiro zxiiro reopened this Jan 7, 2025