Implement Asynchronous Client Layer

[cschneider-vertical-relevance]

• Deny-By-Default Logic in WriteResultsReport : check Status of ForEachInput.InvokeInnerEvalEngineSfn.Status

Client Layer

should provide immediate answer to:
(fail fast)

1. What is Requestor's Authentication?
2. What is that Requestor Authorized to do?
   A. Access this endpoint?
   B. Exclude any policies from the evaluation decision?
3. Has Consumer granted ControlBroker required read access to provided Input S3 objects?

create PoC interactions with new APIGW endpoint:

Generic

• generic consumer Client SFN endpoint returns IsCompliant decision synchronous response

For each Consumer:

- [ ] 1. local dev rescoped

• 2. IaC Pipeline. tracked here.

- [ ] 3. Config-Detective rescoped so that this is now tracked in Issue #5

Access Control Model

Owned by Control Broker

APIGW endpoint
DetermineRequestValidity (a.k.a. InvokedByAigw) lambda
Evaluation Engine
PaC Policies
ResultsReport Bucket

Access Control to ResultsReport Bucket

APIGW returns S3Uri to ResultsReport - key is UUID
consumer that has that UUID and is within the org can retry and getObject as they see fit

• implement same org bucket policy

Owned by Consumer

ControlBrokerInputs Bucket

Access Control to ControlBrokerInput Bucket

ControlBroker makes known [how?] the ARNs of all ControlBroker Readers needing read access to ControlBrokerInput S3 objects.

Consumer grants that read access.

Appendix:

A. tradeoff:

SFN Standard - no pay to wait - no sync response

SFN Express - yes sync response - but cannot use .waitForTaskToken to wait for things

B. principal:

Anticipate that Consumers hitting the CB APIGW endpoint will handle the response and any retries differently. Do not be too prescriptive.