Technical design — MOD-046 Privileged access management (PAM)¶
Module: MOD-046 — Privileged access management
System: SD07
Repo: bank-platform
FR scope: FR-281, FR-282, FR-283, FR-284
Policies satisfied: DT-001 (GATE), GOV-006 (LOG), DT-002 (LOG)
Author: Sub-agent (completed by orchestrator verification)
Date: 2026-04-22
Dependencies: MOD-045 (Built), MOD-104 (Built)
Deployed: yes — SST permalink https://sst.dev/u/0a35075a
Objective¶
Time-limited, audited privileged access to production systems. Staff request elevated access (DBA, PII bucket read, admin IAM), requests route through an approval workflow (Step Functions), approved sessions get short-lived credentials (via MOD-045 rotation or STS AssumeRole), every action during the session is logged immutably. No standing production admin access.
Test status¶
`AWS_PROFILE=bank-dev STAGE=dev pnpm test` → 25 / 27 passing.
| FR / Policy | Status |
|---|---|
| FR-281 time-limited credentials | ⚠ FAIL (secret TTL assertion timing) |
| FR-282 session audit with required fields | ✓ |
| FR-283 approval gate (multi-party for prod, single for non-prod) | ✓ |
| FR-284 revocation — session + future blocklist | ⚠ FAIL (revocation propagation timing) |
| DT-001 cross-domain PAM blocked without domain approver | ✓ (negative) |
| GOV-006 session audit immutability | ✓ |
| DT-002 credential-issue log immutability | ✓ |
Status: In progress until the 2 timing-sensitive tests are tuned (secret propagation lag on Secrets Manager). Infra is correct — the test polling windows need extending, similar to the MOD-076 / MOD-097 pattern.
Stacks¶
MOD-046-pam/src/stacks/:
- approval-workflow.ts — Step Functions state machine: request → SNS-to-approvers → issue credentials → schedule revocation
- request-api.ts — API Gateway + Lambda backing /pam/request|approve|revoke
- session-store.ts — DynamoDB table with TTL on session expiry
- credential-issuer.ts — Lambda that calls MOD-045 rotation for DB creds or STS AssumeRole for AWS
- session-auditor.ts — Lambda subscribing to session events → immutable audit trail
- revocation.ts — Lambda: revoke session + invalidate creds + publish event
SSM outputs table (consumer contract)¶
| Path | Value | Consumer |
|---|---|---|
| `/bank/{env}/mod046/approval-workflow/arn` | State machine ARN | Ops tooling, incident response runbooks |
| `/bank/{env}/mod046/request-api/endpoint` | API Gateway URL | Staff UI (future MOD-044 back-office), ops CLI |
| `/bank/{env}/mod046/session-store/table-name` | DynamoDB table | Session-auditor, revoker |
| `/bank/{env}/mod046/audit-log/group-arn` | Log group ARN | MOD-076 subscription filters, compliance export |
Key decisions¶
- Approval topology: multi-party (2 approvers) for any resource tagged `environment=prod`, single approver for `uat`, auto-approve for `dev` (but still logged). The emergency break-glass flag bypasses the approval count but triggers a Tier-1 alert.
- Credential lifetime: 1h default, 4h max. Session auto-revokes at TTL.
- Cross-domain requests: DT-001 GATE — a request from the `bank-core` domain for a `bank-kyc` resource requires a `bank-kyc` domain approver in addition to the standard approval count.
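The approval rules above are easy to get subtly wrong (self-approval, the same approver counted twice, break-glass silently skipping the DT-001 gate). The following is an added example, not code from `MOD-046-pam`, that models the rules as a pure decision function so they can be unit-tested without Step Functions. The type and function names (`PamRequest`, `evaluateApproval`, `clampLifetime`) are illustrative assumptions; so are two choices the page leaves open: a resource with no recognised `environment` tag is treated as `prod` (fail closed), and the DT-001 domain approver is an extra distinct approver on top of the standard count who is still required under break-glass.

```typescript
// Added example: pure model of the MOD-046 approval topology and credential
// lifetime rules. Names and the fail-closed/break-glass interpretations are
// assumptions for illustration, not the module's own code.

type Env = "prod" | "uat" | "dev";

interface Approver {
  id: string;
  domain: string; // e.g. "bank-core", "bank-kyc"
}

interface PamRequest {
  requesterId: string;
  requesterDomain: string;
  resourceDomain: string;
  resourceTags: Record<string, string>; // environment=prod|uat|dev drives topology
  breakGlass: boolean;
  requestedLifetimeSeconds?: number;
}

interface Decision {
  status: "approved" | "pending";
  requiredCount: number; // distinct non-requester approvers needed
  alert?: "tier1";
  reason?: string;
}

const DEFAULT_LIFETIME_S = 3600; // 1h default
const MAX_LIFETIME_S = 4 * 3600; // 4h max

// Clamp a requested lifetime into the policy bounds; missing or invalid -> default.
function clampLifetime(requested?: number): number {
  if (requested === undefined || !Number.isFinite(requested) || requested <= 0) {
    return DEFAULT_LIFETIME_S;
  }
  return Math.min(Math.floor(requested), MAX_LIFETIME_S);
}

// Unknown or missing environment tag is treated as prod (assumption: fail closed).
function environmentOf(req: PamRequest): Env {
  const env = req.resourceTags["environment"];
  return env === "uat" || env === "dev" ? env : "prod";
}

function baseApprovalCount(env: Env): number {
  switch (env) {
    case "prod": return 2; // multi-party
    case "uat": return 1;  // single approver
    case "dev": return 0;  // auto-approve, still logged
  }
}

function evaluateApproval(req: PamRequest, approvals: Approver[]): Decision {
  const env = environmentOf(req);
  const crossDomain = req.requesterDomain !== req.resourceDomain;
  // DT-001: cross-domain requests need one extra approver from the resource's domain.
  const requiredCount = baseApprovalCount(env) + (crossDomain ? 1 : 0);

  // The requester never approves their own request, and each approver counts once.
  const seen = new Set<string>();
  const distinct: Approver[] = [];
  for (const a of approvals) {
    if (a.id === req.requesterId || seen.has(a.id)) continue;
    seen.add(a.id);
    distinct.push(a);
  }
  const hasDomainApprover = distinct.some((a) => a.domain === req.resourceDomain);

  if (crossDomain && !hasDomainApprover) {
    return { status: "pending", requiredCount, reason: "DT-001: resource-domain approver required" };
  }
  if (req.breakGlass) {
    // Break-glass skips the approval count, never the DT-001 gate, and pages Tier-1.
    return { status: "approved", requiredCount, alert: "tier1", reason: "break-glass" };
  }
  if (distinct.length >= requiredCount) {
    return { status: "approved", requiredCount };
  }
  return { status: "pending", requiredCount, reason: `${distinct.length}/${requiredCount} approvals` };
}

// Expiry epoch (seconds) for a session issued now; the session store's TTL uses this.
function sessionExpiresAt(nowEpochS: number, req: PamRequest): number {
  return nowEpochS + clampLifetime(req.requestedLifetimeSeconds);
}
```

The decision function takes the full approval list rather than a count so that dedup and self-approval exclusion happen in one place; the Step Functions choice state only needs `status` and `alert`.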
Operational notes¶
- Deploy: `AWS_PROFILE=bank-dev pnpm sst deploy --stage <env>` (from `MOD-046-pam/`)
- Tests: `AWS_PROFILE=bank-dev STAGE=dev pnpm test`
- The 2 failing tests poll Secrets Manager with a tight window; extending the TTL-assertion polling window (retrying for longer) is the fix before advancing to Built.
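To make the polling-window fix reproducible rather than "sleep longer and hope", the following added example (not part of the module's test suite) shows a bounded poll helper with an injected clock. A constructed stand-in for Secrets Manager makes a rotated secret visible only after a propagation lag, so the tight-window failure and the extended-window pass can both be asserted deterministically. `pollUntil`, `FakeClock` and `simulatedSecretProbe` are illustrative names, not AWS SDK or project APIs; the 8 s lag is a constructed value, not a measured one.

```typescript
// Added example: deterministic reproduction of the "tight polling window vs.
// Secrets Manager propagation lag" flake. Everything here is a constructed
// stand-in; no AWS calls are made.

interface Clock {
  now(): number;          // ms
  sleep(ms: number): void;
}

// Fake clock: sleep() advances time instantly so the test needs no real waiting.
class FakeClock implements Clock {
  constructor(private t = 0) {}
  now(): number { return this.t; }
  sleep(ms: number): void { this.t += ms; }
}

interface PollOptions {
  deadlineMs: number;   // total window the assertion is allowed to wait
  intervalMs: number;   // first retry interval; doubles up to maxIntervalMs
  maxIntervalMs?: number;
}

interface PollResult<T> {
  ok: boolean;
  value?: T;
  attempts: number;
  elapsedMs: number;
}

// Retry probe() with exponential backoff until it returns a value or the next
// sleep would cross the deadline. Never overshoots the window.
function pollUntil<T>(probe: () => T | undefined, opts: PollOptions, clock: Clock): PollResult<T> {
  const start = clock.now();
  const cap = opts.maxIntervalMs ?? Number.POSITIVE_INFINITY;
  let interval = opts.intervalMs;
  let attempts = 0;
  for (;;) {
    attempts++;
    const value = probe();
    const elapsedMs = clock.now() - start;
    if (value !== undefined) return { ok: true, value, attempts, elapsedMs };
    if (elapsedMs + interval > opts.deadlineMs) return { ok: false, attempts, elapsedMs };
    clock.sleep(interval);
    interval = Math.min(interval * 2, cap);
  }
}

// Constructed stand-in for GetSecretValue after a rotation: the new version is
// only readable once propagationLagMs has passed since rotatedAtMs.
function simulatedSecretProbe(clock: Clock, rotatedAtMs: number, propagationLagMs: number, ttlSeconds: number) {
  return (): { expiresAtEpochS: number } | undefined =>
    clock.now() >= rotatedAtMs + propagationLagMs
      ? { expiresAtEpochS: Math.floor(rotatedAtMs / 1000) + ttlSeconds }
      : undefined;
}

// Run the FR-281 style TTL assertion with a given window against a given lag.
function ttlAssertionOutcome(windowMs: number, lagMs: number): PollResult<{ expiresAtEpochS: number }> {
  const clock = new FakeClock(0);
  const probe = simulatedSecretProbe(clock, 0, lagMs, 3600);
  return pollUntil(probe, { deadlineMs: windowMs, intervalMs: 500, maxIntervalMs: 5000 }, clock);
}
```

With the constructed 8 s lag, a 5 s window gives up after four attempts while a 60 s window succeeds on the sixth; the deadline check before each sleep is what keeps a widened window from turning into an unbounded hang when propagation genuinely fails.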