NGAP has proposed to EMCC that the two Central Billing Accounts (CBAs) for EDC and CSDA be integrated into the ESDIS instance of Kion (cloud.earthdata.nasa.gov). The aim is to streamline management, monitoring, and control of AWS resources and usage. This integration may raise concerns for the Finance and Security & Compliance teams; mitigations for the anticipated issues are set out below.

Stakeholder Concerns and Risk Mitigation

1. Finance Team

Concerns: Managing and monitoring an additional CBA adds complexity. The Finance Team will also now monitor funding and budgeting for the CBA accounts.

Mitigation Steps:

  1. Robust Financial Management: Cloudtamer.io offers robust financial management features that provide visibility and control over cloud spending. It will provide the Finance team with tools for budget enforcement, notifications, and comprehensive reporting across both CBAs.

  2. Automated Budgeting and Reporting: We propose the implementation of automated budgeting and reporting tools in Cloudtamer.io. This would significantly reduce the manual workload on the Finance team and improve the accuracy of financial forecasting.

2. Security and Compliance Team

Concerns: The Security and Compliance team might be concerned about the security risks of integrating CBAs, considering that they are root accounts with high-level permissions. The primary concern is the potential for increased exposure and risk, especially if inadvertent errors occur.

Mitigation Steps:

  1. Role-based Access Control (RBAC): We will implement RBAC, limiting CBA access to the roles that require it, such as certain administrative roles. This will minimize the potential for errors and reduce the exposure of the CBAs. Programmatic and console access would be limited to the following:

    1. Civil servant delegated by ESDIS management.
    2. Select EED Program lead(s).
    3. cloudtamer-service-role.
    4. ngap-infrastructure-automation role.

  2. Principle of Least Privilege (PoLP): We will abide by the principle of least privilege, ensuring users and roles only have the minimum required permissions. This would limit potential damage should a security breach occur.

  3. Multi-Factor Authentication (MFA): We will enforce MFA for users with access to the CBAs. This adds an extra security layer, making it harder for unauthorized users to gain access.

  4. Activity Logging and Auditing: We will leverage AWS CloudTrail and Cloudtamer.io’s activity logs to track actions performed in the CBAs. Regular reviews of these logs will ensure we can promptly identify and address any suspicious activities.
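The log review in step 4, as an added example that is not part of this proposal: a Python pass over constructed CloudTrail events that flags actions by principals outside the access list in step 1 (the two role names are taken from that list; the user names and account id are constructed placeholders), console sign-ins without MFA (step 3), and any use of root credentials.

```python
"""Review constructed CloudTrail events from a Central Billing Account (CBA).
Added example, not from the NGAP proposal: flags actions by principals outside the
approved list, console sign-ins without MFA, and root-credential use."""

# Roles the proposal names as the only ones permitted programmatic/console access.
APPROVED_ROLES = {"cloudtamer-service-role", "ngap-infrastructure-automation"}
# Constructed IAM user names standing in for the ESDIS delegate and EED lead(s).
APPROVED_USERS = {"esdis-delegate", "eed-program-lead"}
ACCT = "111122223333"  # constructed account id

# Constructed sample events, trimmed to the CloudTrail fields used below.
SAMPLE_EVENTS = [
    {"eventName": "DescribeOrganization", "userIdentity": {"type": "AssumedRole",
     "arn": f"arn:aws:sts::{ACCT}:assumed-role/cloudtamer-service-role/s1"}},
    {"eventName": "CreateAccount", "userIdentity": {"type": "AssumedRole",
     "arn": f"arn:aws:sts::{ACCT}:assumed-role/legacy-admin/bob"}},
    {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "eed-program-lead",
                      "arn": f"arn:aws:iam::{ACCT}:user/eed-program-lead"}},
    {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}},
]

def principal_name(identity):
    """Return the role or user name from a CloudTrail userIdentity block."""
    kind = identity.get("type")
    if kind == "AssumedRole":  # arn:aws:sts::acct:assumed-role/<role>/<session>
        return identity["arn"].split("/")[1]
    if kind == "IAMUser":
        return identity.get("userName") or identity["arn"].rsplit("/", 1)[-1]
    return kind  # "Root" or another identity type

def audit_event(event):
    """Return the findings for one event; an empty list means nothing to flag."""
    findings = []
    identity = event["userIdentity"]
    name = principal_name(identity)
    if identity.get("type") == "Root":
        findings.append("root credentials used")
    elif name not in APPROVED_ROLES | APPROVED_USERS:
        findings.append(f"unapproved principal {name}")
    mfa = event.get("additionalEventData", {}).get("MFAUsed")
    if event["eventName"] == "ConsoleLogin" and mfa != "Yes":
        findings.append("console login without MFA")
    return findings

def audit_trail(events):
    """Return (eventName, principal, findings) for each event worth reviewing."""
    return [(e["eventName"], principal_name(e["userIdentity"]), f)
            for e in events if (f := audit_event(e))]
```

On the constructed sample, only the cloudtamer-service-role call passes cleanly; the other three events each produce one finding for the reviewer.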

New Roles and Permissions for Management Teams

To further mitigate risks, we propose the creation of new roles and permissions, tailored for the management teams:

  1. CBA Management Role: This role will have full access to manage and control the CBAs in Cloudtamer.io. This would be assigned to the EED Program lead(s).

  2. CBA Monitoring Role: This role will be given read-only access to the CBAs for monitoring purposes. The Security and Compliance team and selected members of the Finance team will be assigned this role.

  3. CBA Reporting Role: This role will have permission to generate and access financial and usage reports. Most members of the Finance team will be assigned this role.
