- TEA Audit & Traceability
- TEA Data Model Discovery
- TEA Data Model Update
- TEA Data Model Lambda Update
- TEA Integration with CMC
- TEA Integration with HR
- TEA QAR Audit
- TEA Teams Integration Discovery
- Request
- Approve
- Report status with filtering (Open, Account, SSO, Grant, Deny with Date Range filters).
Extended Access & Bulk
- TEA Extended Access Data Model
- TEA Extended Access Request
- TEA Extended Access Approve
- TEA Extended Access Data Model
- TEA Bulk Request
- TEA Bulk Approve
- TEA GovCloud Plan
After the Data Modeling update we start fresh by deleting the old Dynamo data.
We should have one record in Dynamo per request, as discussed, for request lifecycle traceability and to make sense of the data.
The Data Model should have a single record per request and update that same record during its lifecycle as:
request, [Expired] [Deny, Grant[, Extensions], Revoke], or in lifecycle form:
- Request > Expired
- Request > Open
- Request > Deny
- Request > Grant > Revoke
- Request > Grant > Extension > Revoke
The status should then be updated (or we can determine it in reporting) so that the status at each step of the request lifecycle is known:
Request, Expired, Deny, Grant, Extension, Revoke
Note: it should be decided whether dates are ISO datetimes in UTC or EST.
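Added example, not part of the TEA code base: a single-record lifecycle check that rejects moves the lifecycle list does not allow and derives the status from the record itself. Field names follow the data model in this document; `ExpiredDate`, the helper names, UTC timestamps, repeated extensions and the sample values are assumptions.

```python
from datetime import datetime, timezone

# Allowed moves, from the lifecycle list above. Assumption: repeated Extensions are allowed.
TRANSITIONS = {
    "Request": {"Expired", "Deny", "Grant"},
    "Grant": {"Extension", "Revoke"},
    "Extension": {"Extension", "Revoke"},
    "Expired": set(), "Deny": set(), "Revoke": set(),  # terminal states
}

def utc_now():  # assumption: UTC is the option chosen for ISO datetimes
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def new_request(record_id, account, sso, request_id, when=None):
    if not (account.isascii() and account.isdigit() and len(account) == 12):
        raise ValueError("Account must be a 12-digit AWS account ID")
    return {"Id": record_id, "Date": when or utc_now(), "Account": account,
            "SSO": sso, "RequestId": request_id, "Extention": []}

def status(rec):
    """Derive the current lifecycle status from the single record."""
    if rec.get("RevokeDate"):
        return "Revoke"
    if rec.get("ExpiredDate"):  # hypothetical field, not in the page's model
        return "Expired"
    if rec["Extention"]:
        return "Extension"
    return rec.get("Access", "Request")  # "Grant", "Deny", or still a Request

def apply(rec, event, actor, lambda_id, when=None):
    """Update the same record in place; refuse moves the lifecycle forbids."""
    current = status(rec)
    if event not in TRANSITIONS[current]:
        raise ValueError(f"illegal transition {current} > {event}")
    when = when or utc_now()
    if event in ("Grant", "Deny"):
        rec.update(SSP=actor, Access=event, AccessDate=when, AccessId=lambda_id)
    elif event == "Extension":
        rec["Extention"].append({"RequestId": lambda_id, "Datetime": when, "SSP": actor,
                                 "Access": "Grant", "AccessDate": when, "AccessId": lambda_id})
    elif event == "Revoke":
        rec.update(Revoke=actor, RevokeDate=when, RevokeId=lambda_id)
    else:  # Expired
        rec["ExpiredDate"] = when
    return rec

if __name__ == "__main__":  # constructed sample values
    r = new_request("1", "111122223333", "100000001", "req-1")
    print(status(apply(apply(r, "Grant", "100000002", "acc-1"), "Revoke", "Lambda", "rev-1")))
```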
The Data Model is a list of dictionaries.
{
  "Events": [
    {
      "Id": 'Record Unique Index',
      "Date": 'Datetime',
      "Account": '12 Digits AWS Account ID',
      "SSO": 'Requestor SSO',
      "RequestId": 'Lambda ID',
      "SSP": 'Approver SSO',
      "Access": 'Grant, Deny',
      "AccessDate": 'Datetime',
      "AccessId": 'Lambda ID',
      "Extention": [
        { RequestId, Datetime, SSP, Access, AccessDate, AccessId },
        { ... }
      ],
      "Revoke": 'Lambda',
      "RevokeDate": 'Datetime',
      "RevokeId": 'Lambda ID',
    },
    {...}
  ]
}
export CMC_KEY="$( cat ../.CMC_KEY )"
export HRUS_KEY="$( cat ../.HRUS_KEY )"
# Lookup Account info
./LookupApi.py --accounts '346071618325,public-cloud-dev,2222'
# TEA Reporting
./audit-dynamodb.py --table-name TempElevatedAccessRequestData --query ssoID=503316567
./audit-dynamodb.py --table-name TempElevatedAccessRequestData --sort createDate --query requestStatus='request created'
Dependencies:
audit-dynamodb.py  # should be stripped of other functionality
DataModel.py       # Data Model for TEA - HTTP response code & message should be added
    # DataModel
    # AccessReview
    # DataFilter
    # HttpResponse  # TODO
DynamoUtil.py      # STS & Dynamo utility
    # DynamoUtil
    # StsUtil
LookupApi.py       # CMC API lookup for accounts
util.py            # Utility functions & classes