From 1ae0570e571fbdc8571fea08a2f85bc493357a8a Mon Sep 17 00:00:00 2001 From: Stacey Salamon Date: Wed, 11 Dec 2024 14:49:58 +0100 Subject: [PATCH 1/3] add: IP address range feature for tokens and auth policy --- docs/platform/concepts/application-users.md | 9 +++++++++ docs/platform/concepts/authentication-tokens.md | 9 ++++++--- docs/platform/howto/set-authentication-policies.md | 13 ++++++++++--- 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/docs/platform/concepts/application-users.md b/docs/platform/concepts/application-users.md index fdd1983da..96799d31d 100644 --- a/docs/platform/concepts/application-users.md +++ b/docs/platform/concepts/application-users.md @@ -38,6 +38,15 @@ the description field for each user to clearly indicate what it's used for. This helps you manage the lifecycle of the users and ensure the access permissions are correct for each use case. +### Restrict access to trusted networks + +Specify allowed IP address ranges for each token. This prevents tokens from being used +outside of your trusted networks, reducing the risk of breaches. You can also specify +these ranges in your organization's +[authentication policy](/docs/platform/howto/set-authentication-policies), limiting +all access to the Aiven Platform to these IP addresses, including +through application tokens. + ### Keep tokens secure and rotate them regularly Make sure tokens are securely stored and only accessible by people who need them. Tokens diff --git a/docs/platform/concepts/authentication-tokens.md b/docs/platform/concepts/authentication-tokens.md index a1fdf0360..950571186 100644 --- a/docs/platform/concepts/authentication-tokens.md +++ b/docs/platform/concepts/authentication-tokens.md 
@@ -7,11 +7,11 @@ There are 3 types of tokens used to access the Aiven platform: session tokens, p Session tokens are created when you log in or make an API call. These tokens are revoked when you log out of the Aiven Console or the CLI. -You can create personal tokens to access resources instead of using your password. +You can [create personal tokens](/docs/platform/howto/create_authentication_token) to access resources instead of using your password. Application tokens are linked to [application users](/docs/platform/concepts/application-users). Application users and tokens are a more secure option for non-human users like external applications. You can -create multiple personal or application tokens for different use cases or applications. +create multiple personal or application tokens for different use cases. ## Token limits @@ -26,10 +26,13 @@ This is especially useful for automation that creates tokens. ## Token security -To keep your personal tokens secure: +To keep your personal and application tokens secure: - Set a session duration to limit the impact of exposure - Refrain from letting users share tokens - Rotation your tokens regularly +- Restrict usage from trusted networks by specifying an allowed IP address range - Use application users for non-human users and follow [security best practices](/docs/platform/concepts/application-users) for their tokens +- Control access to your organzation's resources with the + [authentication policy](/docs/platform/howto/set-authentication-policies) diff --git a/docs/platform/howto/set-authentication-policies.md b/docs/platform/howto/set-authentication-policies.md index b46978537..2da1a553b 100644 --- a/docs/platform/howto/set-authentication-policies.md +++ b/docs/platform/howto/set-authentication-policies.md 
@@ -4,7 +4,7 @@ title: Set authentication policies for organization users import ConsoleLabel from "@site/src/components/ConsoleIcons" -The authentication policy for your organization specifies the ways that users in your organization and their personal tokens can access the organization on the Aiven platform. +The authentication policy for your organization specifies the ways that users in your organization can access the organization on the Aiven Platform. ## Authentication types @@ -20,7 +20,7 @@ two-factor authentication (2FA) for password logins for all users in your organization. When 2FA is required, users can't access any resources in your organization until they -set up 2FA. This only applies to logins using email and password. The Aiven platform +set up 2FA. This only applies to logins using email and password. The Aiven Platform cannot enforce 2FA for logins through third-party providers, including identity providers. :::note @@ -54,7 +54,7 @@ personal tokens. Non-managed users can still create personal tokens, but they ca them to access the organization's resources. To regularly manage your resources programmatically with the Aiven API, CLI, -Terraform Provider, or other applications, it's best to create an +Terraform Provider, or other tools, it's best to create an [application user](/docs/platform/howto/manage-application-users) with its own tokens. Personal tokens are generated with the authentication method that the user logged in with. 
@@ -72,6 +72,13 @@ provider, then the token generated when the user was logged in with their passwo not work. After logging in with an allowed method on the new authentication policy the user can create a token. +### Access from allowed IP addresses + +You can restrict users to accessing the Aiven Platform from specific IP address ranges +to ensure they are coming from trusted networks. This helps you minimize exposure, reduce +the risk of breaches, and comply with policies and regulations. This also applies to +access through personal and application tokens. + ## Set an authentication policy 1. In the organization, click **Admin**. From 58962ba10344e6ae989aa06c8c72a6e986bb4483 Mon Sep 17 00:00:00 2001 From: Stacey Salamon Date: Thu, 19 Dec 2024 20:04:11 +0100 Subject: [PATCH 2/3] revise auth policy description --- docs/platform/howto/set-authentication-policies.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/platform/howto/set-authentication-policies.md b/docs/platform/howto/set-authentication-policies.md index 2da1a553b..9c429d767 100644 --- a/docs/platform/howto/set-authentication-policies.md +++ b/docs/platform/howto/set-authentication-policies.md 
@@ -74,10 +74,12 @@ the user can create a token. ### Access from allowed IP addresses -You can restrict users to accessing the Aiven Platform from specific IP address ranges -to ensure they are coming from trusted networks. This helps you minimize exposure, reduce -the risk of breaches, and comply with policies and regulations. This also applies to -access through personal and application tokens. +You can restrict access to your organization's resources by allowing only specific IP +address ranges, ensuring connections are coming from trusted networks. This helps you +minimize exposure, reduce the risk of breaches, and comply with policies and regulations. + +This authentication policy setting also applies to access through +personal and application tokens. ## Set an authentication policy From 8e613dfda6421faa26da18c4db4ee8e551965217 Mon Sep 17 00:00:00 2001 From: Stacey Salamon Date: Thu, 19 Dec 2024 20:12:39 +0100 Subject: [PATCH 3/3] remove IP allowlist info for tokens --- docs/platform/concepts/application-users.md | 9 --------- docs/platform/concepts/authentication-tokens.md | 5 ++--- docs/platform/howto/set-authentication-policies.md | 3 --- 3 files changed, 2 insertions(+), 15 deletions(-) diff --git a/docs/platform/concepts/application-users.md b/docs/platform/concepts/application-users.md index 96799d31d..fdd1983da 100644 --- a/docs/platform/concepts/application-users.md +++ b/docs/platform/concepts/application-users.md 
@@ -38,15 +38,6 @@ the description field for each user to clearly indicate what it's used for. This helps you manage the lifecycle of the users and ensure the access permissions are correct for each use case. -### Restrict access to trusted networks - -Specify allowed IP address ranges for each token. This prevents tokens from being used -outside of your trusted networks, reducing the risk of breaches. You can also specify -these ranges in your organization's -[authentication policy](/docs/platform/howto/set-authentication-policies), limiting -all access to the Aiven Platform to these IP addresses, including -through application tokens. - ### Keep tokens secure and rotate them regularly Make sure tokens are securely stored and only accessible by people who need them. Tokens diff --git a/docs/platform/concepts/authentication-tokens.md b/docs/platform/concepts/authentication-tokens.md index 950571186..a7c47eb7b 100644 --- a/docs/platform/concepts/authentication-tokens.md +++ b/docs/platform/concepts/authentication-tokens.md @@ -7,13 +7,13 @@ There are 3 types of tokens used to access the Aiven platform: session tokens, p Session tokens are created when you log in or make an API call. These tokens are revoked when you log out of the Aiven Console or the CLI. -You can [create personal tokens](/docs/platform/howto/create_authentication_token) to access resources instead of using your password. +You can [create personal tokens](/docs/platform/howto/create_authentication_token) to +access resources instead of using your password. Application tokens are linked to [application users](/docs/platform/concepts/application-users). Application users and tokens are a more secure option for non-human users like external applications. You can create multiple personal or application tokens for different use cases. - ## Token limits The maximum number of personal tokens that you can create is 10. Personal tokens are 
@@ -31,7 +31,6 @@ To keep your personal and application tokens secure: - Set a session duration to limit the impact of exposure - Refrain from letting users share tokens - Rotation your tokens regularly -- Restrict usage from trusted networks by specifying an allowed IP address range - Use application users for non-human users and follow [security best practices](/docs/platform/concepts/application-users) for their tokens - Control access to your organzation's resources with the diff --git a/docs/platform/howto/set-authentication-policies.md b/docs/platform/howto/set-authentication-policies.md index 9c429d767..46457ea58 100644 --- a/docs/platform/howto/set-authentication-policies.md +++ b/docs/platform/howto/set-authentication-policies.md @@ -78,9 +78,6 @@ You can restrict access to your organization's resources by allowing only specif address ranges, ensuring connections are coming from trusted networks. This helps you minimize exposure, reduce the risk of breaches, and comply with policies and regulations. -This authentication policy setting also applies to access through -personal and application tokens. - ## Set an authentication policy 1. In the organization, click **Admin**.
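Review bot: Typo in the added bullet of the `## Token security` hunk in patch 1 (`docs/platform/concepts/authentication-tokens.md`, `@@ -26,10 +26,13 @@`): "Control access to your organzation's resources" should read "organization's", and the same misspelling is still present as context in patch 3's `@@ -31,7 +31,6 @@` hunk, so it survives the whole series. While touching that list it would be worth fixing the pre-existing "Rotation your tokens regularly" to "Rotate your tokens regularly", and if the IP bullet is kept anywhere, "Restrict usage from trusted networks" should be "Restrict usage to trusted networks".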
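Review bot: Capitalisation is now inconsistent in the first `authentication-tokens.md` hunk of patch 1 (`@@ -7,11 +7,11 @@`): the series changes "Aiven platform" to "Aiven Platform" in `set-authentication-policies.md`, but the hunk header's context line "There are 3 types of tokens used to access the Aiven platform" keeps the lowercase form. Pick one spelling for the product name and apply it across the three files in the same change.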
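Review bot: After the `@@ -78,9 +78,6 @@` hunk in patch 3 (`docs/platform/howto/set-authentication-policies.md`), the final text no longer says whether the allowed IP address ranges apply to personal and application tokens: patch 1 dropped "and their personal tokens" from the policy description, patch 2 added "This authentication policy setting also applies to access through personal and application tokens.", and patch 3 removes that sentence without replacing it. An admin sizing this control needs to know whether a leaked token is still usable from outside the allowed ranges, so once the behaviour is confirmed please state the scope explicitly under `### Access from allowed IP addresses`, whichever way it turns out.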
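Review bot: The `@@ -7,13 +7,13 @@` hunk of patch 3 in `docs/platform/concepts/authentication-tokens.md` deletes a blank line immediately above `## Token limits`; the hunk context cannot show whether a second blank line remains, so please confirm the heading is still separated from the preceding paragraph (markdownlint MD022 expects headings to be surrounded by blank lines). The line re-wrap of "You can [create personal tokens](...) to access resources instead of using your password." is fine.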
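Review bot: Patch 3's `application-users.md` hunk (`@@ -38,15 +38,6 @@`) reverts the whole `### Restrict access to trusted networks` section that patch 1 added, and its other two hunks likewise undo patch 1's token-level IP bullet and patch 2's token sentence. Squashing the series to its net change (the new `### Access from allowed IP addresses` section, the personal-token link, the wording and capitalisation fixes) would make the history easier to review and avoid shipping an intermediate commit that documents a per-token allowlist the final docs do not describe.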