Skip to content

Users

Public Oath

Fluid Attacks will look for an authorization architecture that properly balances access control, maintainability and comfort.

We will constantly look for better ways of securing access to our Cloud.

Architecture

Architecture-light Architecture-dark
  1. The users component of common owns the authentication and authorization logic for AWS and Cloudflare.
  2. It is managed as code using Terraform.
  3. There are three types of AWS roles:
    • Development: An IAM role called dev.
    • Production: An IAM role for each main component (e.g integrates_prod). prod_common role is the super-admin role.
    • External users: There is one external user as part of our subscription with Clouxter called erika.bayona.
  4. Each role has an associated KMS key.
  5. Developers can assume roles by authenticating via aws-okta-processor. They must have proper access on Okta to assume certain roles like prod_common.
  6. KMS keys are used for encrypting and decrypting secrets using Mozilla SOPS.
    • The prod_common role can access all KMS keys.
    • All prod_* roles can access both their own KMS key and dev.
    • The dev role can only access the dev KMS key.
  7. Components that require it also have their own Cloudflare API tokens that allow them to perform actions like writing cache, dns and page rules.

Contributing

Please read the contributing page first.