Identity and Access Management (IAM)

Public Oath

Fluid Attacks will look for an Identity and Access Management (IAM) architecture that properly balances security and user comfort.

We will constantly look for better ways of centralizing credentials and access to all of our stack.

Architecture

---

1. We use Okta as our main IAM provider.
2. It is accessible via fluidattacks.okta.com
3. It is managed as code using Terraform. Below is a comprehensive list:
   • Applications
   • Groups
   • Users
   • SAML integration with AWS
   • Organization settings
   • Passphrases and MFA policies
4. Applications, groups and users are stored in encrypted YAML files using Mozilla SOPS as they contain sensitive data like application passphrases and staff personal information.
5. Applications are third party solutions used by Fluid Attacks.
6. Groups are Fluid Attacks’ departments.
7. Users are Fluid Attacks’ staff.
8. Users and applications belong to groups. Meaning that when a user belongs to a group, she can access all applications that belong to that same group.
9. Policies are enforced for all staff.
10. Developers can assume AWS roles by authenticating to Okta via aws-okta-processor.

Contributing

Please read the contributing page first.

Recommendations

1. Avoid assigning apps directly to users as much as you can, this makes permissions management complexity to exponentially increase.
2. The less groups you have, the better. Try to make everyone fit in a small set of groups, this will simplify permissions management.
3. If you’re testing an app and auto-assign it, remember to remove yourself after testing is complete.
4. Follow conventions:
   1. id’s for all entities should only be composed of: a-z and _.
   2. If the same app exists for two or more companies, use: <APP> - <COMPANY>.
   3. If the same app exists for two or more users, use <APP> - <USER>.
   4. If the same app exists for two or more companies and users, use <APP> - <COMPANY> - <USER>.

Special considerations or future improvements

• Work on decreasing api calls in order to avoid hitting API rate limits: https://github.com/okta/terraform-provider-okta/issues/186
• RADIUS applications are not supported, they are being managed manually: https://github.com/okta/terraform-provider-okta/issues/475
• Auto Login apps do not support app link configurations, they are being managed manually: https://github.com/okta/terraform-provider-okta/issues/608
• AWS apps need some manual configuration after creation: https://support.okta.com/help/s/question/0D54z00006w0REiCAM/aws-account-federation-via-api?language=en_US