
Bridging the Gap: Introducing the CMS Zero Trust Forge

Published: 8/20/2025

by Zero Trust

An introduction to a new tool for scoping granular, least-privilege AWS IAM policies and roles in Kion Cloud

The problem: High toil of securing ADO environments 

Access Control (AC) Procedures from HHS OCIO require that privileged accounts with elevated access to sensitive systems or data be limited to only the permissions they need. This is known as Privileged Access Management (PAM), and it is a critical part of access security and of advancing Zero Trust maturity. 

Application Development Organizations (ADOs) face an ongoing challenge: securing their AWS environments to meet OCIO guidelines and improve their Zero Trust maturity. Despite existing Kion processes for creating custom policies, many ADO teams continue to use the "stock" broad, legacy IAM policies provided by CMS Hybrid Cloud (EUA Login required). While convenient, these legacy policies expose sensitive data to more identities than need it, over-privilege the majority of cloud users, and hold back Zero Trust maturity progression. 

Currently at the Centers for Medicare & Medicaid Services (CMS), the manual work of creating and managing fine-grained, least-privilege roles is a major source of friction and toil. It requires teams to have not only the bandwidth but also deep expertise in IAM, GitOps [1], and Zero Trust principles. 

The Zero Trust team within CMS' Information Security and Privacy Group (ISPG) currently helps system teams improve their Zero Trust maturity by guiding them through the process of manually creating custom, granular roles scoped to specific user groups and services, leveraging pre-built templates and acting as GitOps advisors. This process works, but it is still slow and complex. 

The CMS Zero Trust Forge streamlines this process by lowering the time it takes to create new roles, removing common friction points, reducing the probability of errors, and better visualizing access. 

The solution: CMS Zero Trust Forge 

To streamline the existing Privileged Access Management (PAM) approach, the ISPG Zero Trust team is introducing the CMS Zero Trust Forge (cztf.cloud.cms.gov - EUA Login required) as a new tool for ADO use. It is an interactive, React-based, single-page application that automates the creation of standardized Terraform configuration files used in the existing Kion workflow for managing cloud access roles and IAM policies -- both for humans and service accounts! 

This tool provides a streamlined way to create granular roles and permissions, moving ADO teams off the stock policies significantly faster than was previously possible. 

Key features of the CMS Zero Trust Forge 

The Forge directly addresses the pain points of manual PAM implementation with a suite of powerful features: 

  • Guided mode: A step-by-step questionnaire that simplifies the creation of roles for human users, service accounts, and deny-only policies, making it accessible to users without deep IAM expertise.
  • Quick policy generation: The tool allows users to select from a predefined list of common policy sets, like "default-deny" or "CI/CD deployment service account", to generate standardized IAM policies quickly and reduce policy sprawl.
  • Advanced policy builder: A powerful form for creating custom policies by selecting specific AWS services and defining "Allow" and "Deny" actions, a feature recommended by CMS OCIO.
  • Import existing policies: The tool can also take existing policies you may already be experimenting with and emit them in the standardized format, so they can be integrated rapidly with Kion's control plane and source repository.
  • Live review and flexible output: Users can instantly review the generated Terraform code in the browser and download all files as a .zip archive.
  • Seamless Kion workflow integration: The generator creates the standardized Terraform files used in the existing Kion workflow. These policies are designed to be submitted via pull requests (PRs) for auditability, integrating smoothly with existing GitHub-based workflows. 
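The feature list above says what the Forge produces but not what a scoped policy looks like next to the broad stock policy it replaces, or how a generator can catch over-privilege before the PR is opened. The Python below is an added example, not code from the Forge, Kion, or CMS: it assembles a least-privilege policy document from a short allow-list, appends a "default-deny" guard statement, lints the result for the patterns that make stock policies risky (wildcard actions, Allow on every resource, no explicit Deny), and renders a plain aws_iam_policy Terraform resource. The account ID, bucket and log-group ARNs, the action set, and the resource names are all constructed assumptions, and the Kion-standard file layout the Forge emits is not reproduced here.

```python
"""Added example: build, lint and render a scoped IAM policy.

Not the Forge's own code. ARNs, account ID and action lists are constructed
sample input; the Terraform emitted is a generic aws_iam_policy resource,
not the Kion-standard layout the Forge produces.
"""
import json
from typing import Dict, List

# Constructed sample resources (hypothetical ARNs, not real CMS accounts).
APP_BUCKET_ARN = "arn:aws:s3:::example-app-artifacts"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/example/app:*"

# A stand-in for a broad "stock" admin policy, used only to show what the
# linter flags. Constructed for this example.
STOCK_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_policy(allow: Dict[str, List[str]], resources: Dict[str, List[str]],
                 deny_actions: List[str]) -> dict:
    """Return an IAM policy document.

    allow      : service prefix ("s3") -> actions that prefix may perform
    resources  : service prefix -> ARNs those actions are limited to
    deny_actions: actions that are always denied (the "default-deny" guard)
    """
    statements = []
    for service, actions in sorted(allow.items()):
        statements.append({
            "Sid": f"Allow{service.capitalize()}",
            "Effect": "Allow",
            "Action": sorted(f"{service}:{a}" for a in actions),
            "Resource": list(resources[service]),
        })
    if deny_actions:
        # Explicit Deny wins over any Allow, including one added later by
        # another policy attached to the same principal.
        statements.append({
            "Sid": "DenyGuard",
            "Effect": "Deny",
            "Action": sorted(deny_actions),
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy: dict) -> List[str]:
    """Return human-readable findings for over-privilege patterns."""
    findings: List[str] = []
    has_deny = False
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") == "Deny":
            has_deny = True
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = st.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in resources:
            findings.append(f"{sid}: Allow on Resource '*'")
    if not has_deny:
        findings.append("policy has no explicit Deny statement")
    return findings


def to_terraform(name: str, policy: dict) -> str:
    """Render a generic aws_iam_policy resource (HCL accepts JSON object syntax
    inside jsonencode). The Kion-standard layout is an assumption not shown."""
    body = json.dumps(policy, indent=2)
    return (f'resource "aws_iam_policy" "{name}" {{\n'
            f'  name   = "{name}"\n'
            f'  policy = jsonencode({body})\n'
            '}\n')


def example_policy() -> dict:
    """A CI/CD deploy role that may only write one bucket and one log group."""
    return build_policy(
        allow={"s3": ["GetObject", "PutObject"],
               "logs": ["CreateLogStream", "PutLogEvents"]},
        resources={"s3": [APP_BUCKET_ARN + "/*"], "logs": [LOG_GROUP_ARN]},
        deny_actions=["iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy"],
    )


if __name__ == "__main__":
    print("stock policy findings:", lint_policy(STOCK_ADMIN_POLICY))
    print("scoped policy findings:", lint_policy(example_policy()))
    print(to_terraform("example_app_deploy", example_policy()))
```

Run as a script, the stock admin policy produces three findings (wildcard action, Allow on every resource, no explicit Deny) while the scoped policy produces none; the rendered resource is what would go into the PR for review. The explicit Deny on user-creation actions is what the ID-Identity Stores control below asks for: it holds even if a later Allow is attached to the same role.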

The impact: Improved Zero Trust maturity 

The CMS Zero Trust Forge directly supports the PAM initiative's benefits and helps ADOs meet the specific requirements for the semi-annual CMS/HHS data calls. 

  • ID-Identity Stores-Developers: The tool helps ADOs achieve an Advanced maturity level in this function by enabling the creation of policies that prevent the manual creation of users in accounts.
  • ID-Access Management: The generator facilitates the creation of fine-grained, mission-essential roles, which are key to moving an ADO from an Initial to an Advanced maturity level.
  • ID-Governance: The tool's ability to help create and enforce purpose-driven roles for developers that keep human users out of production environments is a direct path to achieving an Advanced maturity score.
  • AW-Secure Application Development and Deployment: The tool helps teams reach Advanced maturity by removing developer access to administrative roles in Production environments. 

Call to action 

We encourage all ADO teams to use the CMS Zero Trust Forge to begin their PAM journey and enhance their Zero Trust maturity. Contact the ISPG Zero Trust team for support or if you have questions.

Ready to reduce toil and increase your security? Head over to cztf.cloud.cms.gov to get started with the CMS Zero Trust Forge! 

Additional reading 

  1. “What is GitOps”, GitLab - https://about.gitlab.com/topics/gitops/
  2. “Implementing CMS Zero Trust Privileged Access Management (PAM): Securing our ADO Authentication to align with OCIO”, CMS ISSO Journal #30, Page #13
  3. “IAM Roles for Service Accounts: An Aid to Enhancing Zero Trust Maturity in AWS Kubernetes Ecosystems”, CMS ISSO Journal #25, Page #13 

About the publisher:

The Zero Trust Team works to help CMS implement the Executive Order that requires continuous verification of system users to promote stronger security. We introduce new tools and streamline processes to support the transition to Zero Trust throughout the enterprise.