Cloud Foundry user and role accounts are managed and maintained through the Cloud Controller. Cloud Foundry uses role-based access control, with each role granting permissions in either an organization or an application space. The following types are used:
- Org Manager
- Org Auditor
- Space Manager
- Space Developer
- Space Auditor
- Cloud Controller - Cloud Controller Role Documentation
- Cloud Controller - Cloud Controller Role Implementation
- Cloud Controller - Cloud Controller Role Implementation Specs
User accounts will be monitored monthly and accounts will be disabled after 90 days of inactivity; this will be a manual review process every 30 days. 18F is in the process of automating this account management process through the implementation of AWS OSQuery to trigger alerts when user accounts have been inactive for a 90-day period.
The UAA API interface is used to monitor privileged and non-privileged user accounts within cloud.gov. It lists Cloud Foundry instance users. By default it returns information about each user account, including GUID, name, permission groups, activity status, and metadata.
18F uses the ELK stack to provide a visual way to monitor all user and system accounts within cloud.gov by interfacing with cloud.gov API calls to its internal system components (i.e. Loggregator, Cloud Controller, DEA, Warden, Metrics Collector).
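The 90-day inactivity check described above, written as an added example that is not 18F's own tooling: it runs over constructed records shaped like the UAA user listing and flags still-active accounts with no activity inside the window. The field names used (id, userName, active, lastLogonTime in epoch milliseconds, meta.created) and the rule that a never-logged-on account is judged by its creation date are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)  # reference time for the sample


def _ms(dt):
    """Epoch milliseconds, the unit assumed here for UAA's lastLogonTime."""
    return int(dt.timestamp() * 1000)


# Constructed sample records shaped like a UAA /Users listing (assumed fields).
SAMPLE_USERS = [
    {"id": "u-1", "userName": "active.dev", "active": True,
     "lastLogonTime": _ms(NOW - timedelta(days=10)),
     "meta": {"created": "2015-01-10T00:00:00.000Z"}},
    {"id": "u-2", "userName": "dormant.dev", "active": True,
     "lastLogonTime": _ms(NOW - timedelta(days=120)),
     "meta": {"created": "2015-01-10T00:00:00.000Z"}},
    {"id": "u-3", "userName": "already.disabled", "active": False,
     "lastLogonTime": _ms(NOW - timedelta(days=400)),
     "meta": {"created": "2015-01-10T00:00:00.000Z"}},
    {"id": "u-4", "userName": "never.logged", "active": True,
     "meta": {"created": "2015-11-01T00:00:00.000Z"}},  # no logon recorded
]


def last_activity(user):
    """Best-known last activity: last logon if present, else account creation."""
    if "lastLogonTime" in user:
        return datetime.fromtimestamp(user["lastLogonTime"] / 1000, tz=timezone.utc)
    created = user["meta"]["created"].replace("Z", "+00:00")
    return datetime.fromisoformat(created)


def find_inactive_users(users, now=NOW, limit=INACTIVITY_LIMIT):
    """userNames of still-active accounts with no activity within `limit`.

    Accounts already disabled (active == False) are skipped so the review
    only surfaces accounts that still need action."""
    cutoff = now - limit
    return sorted(u["userName"] for u in users
                  if u.get("active", True) and last_activity(u) < cutoff)


if __name__ == "__main__":
    for name in find_inactive_users(SAMPLE_USERS):
        print(f"{name}: no activity for more than {INACTIVITY_LIMIT.days} days")
```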
Identity and Access Management
AWS accounts are managed through AWS Identity and Access Management (IAM). Only users with a need to operate the AWS management console are provided individual AWS user accounts. The following types are used:
- User - Individual IAM accounts
- System - System and application accounts not used for interactive access
There are no guest/anonymous, group, or temporary user accounts in the organization's environment.
The organization does not allow shared/group account credentials within the AWS environment. All users have individual accounts to access the AWS environment. The organization has created specific policies that allow individual users to assume a role within the AWS environment.
Access Control Policies for 18F
The 18F Program identifies and selects the following types of information system accounts to support organizational missions/business functions:
18F has established designated DevOps personnel as the assigned account managers for all information system accounts relating to the infrastructure and the cloud.gov platform. System Owners, whose web applications and/or websites reside on the cloud.gov platform, have the responsibility to assign an account manager for their information systems.
18F establishes conditions for group and role membership within the cloud.gov platform and its virtual environment. Conditions for groups and roles membership are based on an established need to manage and access the virtual infrastructure and cloud.gov environments. The user must meet the following conditions in order for the System Owner / Project Manager to approve a group membership request:
- The user’s assigned role is required to access a particular group.
- The user has the requirements and understanding to assume permissions associated with the group.
- The user has completed the security role-based training.
- The user complies with any other group-specific conditions created by the system owner.
Once conditions have been met, the System Owner / Project Manager will request access within GitHub, 18F's tracking and ticketing system. Once approved, the 18F DevOps group completes the request for group and role membership within its infrastructure and cloud.gov platform.
The 18F Program Office specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. System Owners / Project Managers provide the details of what type of access is needed for an authorized user. All accounts will be documented within their respective information systems, detailing their group and role membership and access authorizations. This documentation will be exported by DevOps and archived for up to a year from the date of account creation by the managing 18F project lead and cloud.gov Technical Point of Contact (Operating Environment) in accordance with best business and security practices.
18F requires approvals by the project lead and system owners for requests to create information system accounts. All accounts will be documented within the GitHub ticketing and tracking system with their respective information systems, detailing their group, role membership, and access authorizations.
User account establishment, activation, modification, disablement or removal requires approval by the managing project lead and cloud.gov Information System Technical Point of Contact. Accounts will be created, enabled, modified, disabled, and removed from AWS in accordance with 18F policies and guidelines established by the project lead and DevOps.
18F monitors the use of all information system accounts within its environment.
18F notifies its DevOps account managers when accounts are no longer required, users are terminated or transferred, and when individual’s information system usage or need-to-know changes within the cloud.gov platform and virtual private cloud infrastructure. The Project Manager or Information System Owner will be notified when accounts have been terminated, disabled or transferred based on the access request submitted via GitHub. Notification will be sent via email or the GitHub ticketing and tracking system when changes to user and system access occur.
18F authorizes access to its information systems based on a valid access authorization from System Owners and DevOps, intended system usage within the network environment, and other attributes as required by the organization or associated missions/business functions. This is documented within section 3 of the 18F Access Control Policy: Access Management. User and system access is provided only to those with an established need to access and manage the virtual private cloud and cloud.gov environments.
- User group membership is restricted to the least privilege necessary for the user to accomplish their assigned duties.
- All user accounts are issued only to those who have gained approval by 18F DevOps.
Once approved, the DevOps team creates the user account and adds it to the appropriate role and organization within its information systems.
18F grants access to the information system based on:
- A valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all personnel security criteria.
- Intended system usage. 18F requires proper identification for requests to establish information system accounts, and it approves all such requests based on organizational or mission/business function attributes.
18F reviews user and system accounts for compliance with account management requirements at least on an annual basis. Currently, system and user accounts are being monitored manually on a monthly basis and programmatically on a continuous basis.
18F establishes a process for reissuing shared/group account credentials when individuals are removed from the group. 18F uses its GitHub tracking and ticketing system for requests to reissue and remove individuals from group memberships within its environment.
User Account and Authentication (UAA) Server
User accounts will be monitored monthly and accounts will be disabled after 90 days of inactivity; this will be a manual review process every 30 days, but the disablement will be automatic. A manual review of all user accounts will be conducted on an annual basis.
Cloud Foundry utilizes role-based access control (RBAC) for group membership within the platform and does not issue shared/group account credentials.