
NCSC - add alerting when changes are made via the modernisation platform admin account #7437

Closed
SimonPPledger opened this issue Jul 5, 2024 · 4 comments

SimonPPledger commented Jul 5, 2024

User Story

Following on from the NCSC review
AWS accounts hosting the Modernisation Platform are accessed using standard issue MoJ devices. The security posture of these devices was not discussed, however, if these devices render untrusted content through on-device internet browsing or email access, they could be at a higher risk of compromise. Due to this, using a standard issue MoJ device for Administrators and Developers could present an undue risk to the Modernisation Platform and the services it hosts.

Risk: An attacker could gain unauthorised access to code and production environments in the event that an MoJ device accessing these environments is compromised. This could lead to loss or modification of sensitive data and/or unauthorised access to services hosted in the Modernisation Platform.

If someone assumes the administrator role in the modernisation platform account, we alert the team. This can be via the low priority alarms in slack or anything else.

This ticket is to investigate setting up alerting where changes are made via the modernisation platform admin account AND all member accounts

ALSO do it for the root account access, if someone logs in with a root account (assumes the role). Make sure it's a higher-level alert.

Value / Purpose

This is to mitigate the risk highlighted above

Useful Contacts

No response

Additional Information

This is dependent on #7436.

Definition of Done

  • determine impact on implementing alerting and agree impact is acceptable (e.g. the level of alerting that would be involved)
  • Implement alerting (alerting to slack)
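As an added example (not code from this ticket or from the modernisation-platform-terraform-baselines repo), the two alert tiers described above expressed as triage logic over CloudTrail records: low priority when the admin role is assumed or a change is made from an admin-role session, high priority on any root-user activity. The role name, account id, ARNs and the sample records are constructed assumptions.

```python
# Assumed role name; the real Modernisation Platform admin role name is not on the page.
ADMIN_ROLE_NAME = "modernisation-platform-admin"

def classify(record):
    """Return 'high', 'low' or None (no alert) for one CloudTrail record."""
    ident = record.get("userIdentity", {})
    suffix = f":role/{ADMIN_ROLE_NAME}"
    if ident.get("type") == "Root":  # any root-user activity, read or write
        return "high"
    role_arn = record.get("requestParameters", {}).get("roleArn", "")
    if record.get("eventName") == "AssumeRole" and role_arn.endswith(suffix):
        return "low"  # the admin role being assumed
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    if (ident.get("type") == "AssumedRole" and issuer.endswith(suffix)
            and record.get("readOnly") is False):
        return "low"  # a change made from an admin-role session
    return None

def triage(records):
    """(priority, summary) for each record that warrants an alert, in input order."""
    out = []
    for r in records:
        prio = classify(r)
        if prio:
            who = r.get("userIdentity", {}).get("arn", "?")
            out.append((prio, f"[{prio.upper()}] {r['recipientAccountId']}: {r['eventName']} by {who}"))
    return out

# Constructed sample records (not real logs); account id and ARNs are placeholders.
ACCT = "111111111111"
ADMIN_ARN = f"arn:aws:iam::{ACCT}:role/{ADMIN_ROLE_NAME}"
DEV_ARN = f"arn:aws:iam::{ACCT}:role/developer"

def _session(role_arn, event, read_only):
    # Record for an API call made from a session issued by role_arn.
    name = role_arn.rsplit("/", 1)[1]
    return {"recipientAccountId": ACCT, "eventName": event, "readOnly": read_only,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::{ACCT}:assumed-role/{name}/alice",
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}}}

SAMPLE = [
    {"recipientAccountId": ACCT, "eventName": "AssumeRole", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"roleArn": ADMIN_ARN}},
    _session(ADMIN_ARN, "DescribeInstances", True),  # read-only: no alert
    _session(ADMIN_ARN, "PutBucketPolicy", False),   # change via admin role: low
    _session(DEV_ARN, "PutBucketPolicy", False),     # other role: no alert
    {"recipientAccountId": ACCT, "eventName": "ConsoleLogin", "readOnly": False,
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}},
]
```

Running `triage(SAMPLE)` yields two low-priority lines and one high-priority line; in practice the same conditions would be expressed as CloudWatch metric filters or EventBridge patterns feeding the Slack alarms.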
@richgreen-moj

PR raised to add new alarm for admin role usage ministryofjustice/modernisation-platform-terraform-baselines#580

@richgreen-moj

@SimonPPledger @ewastempel @davidkelliott - This ticket mentions adding a high priority alert for root account usage. Do you think we need this as we have another mitigation in place i.e. service control policies?

https://github.com/ministryofjustice/aws-root-account/blob/main/management-account/terraform/organizations-policy-service-control.tf#L36-L79
^^ This ensures that no-one logged in as root can take any actions within the P&A organisation Unit (So all MP accounts)

An example where we have to overcome this is on account deletion where we have to ask a limited set of users to move the account to the root OU so we can log in as root to delete the account.

richgreen-moj commented Sep 2, 2024

Agreed to close this ticket down based on the changes already made (i.e. the alerting for admin role usage).

Two follow-up tickets have been drafted to look into root user monitoring and a general ticket on management of the root account/codebase...

Monitor root user activity in MP accounts #7825

Investigate management/monitoring of root account/codebase #7824

@ASTRobinson

Ticket reviewed, moving to Done as completed as per the above comments.
