{"id":21199026,"url":"https://github.com/devsecops/controlplane","last_synced_at":"2026-01-02T02:03:18.310Z","repository":{"id":80515677,"uuid":"55817144","full_name":"devsecops/controlplane","owner":"devsecops","description":"Your infrastructure is moving and so is your root of trust.  This project helps to define a new control plane for locking down access and policies.","archived":false,"fork":false,"pushed_at":"2016-08-07T20:01:30.000Z","size":447,"stargazers_count":9,"open_issues_count":4,"forks_count":8,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-01-21T14:46:36.827Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devsecops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-04-09T00:13:03.000Z","updated_at":"2024-12-08T04:39:22.000Z","dependencies_parsed_at":"2023-07-10T11:01:46.495Z","dependency_job_id":null,"html_url":"https://github.com/devsecops/controlplane","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsecops%2Fcontrolplane","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsecops%2Fcontrolplane/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsecops%2Fcontrolplane/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devsecops%2Fcontrolplane/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devsecops","download_url":"https://codeload.github.com/devsecops/controlplane/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243653401,"owners_count":20325735,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-20T19:55:33.142Z","updated_at":"2026-01-02T02:03:13.280Z","avatar_url":"https://github.com/devsecops.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"#Control Plane + Target Account(s)\n\nThe Control Plane pattern allows for relative ease of use while balancing security needs such as, blast radius containment, minimal attack surface, privileged access management, and least privilege.\n\n---\n\nGuiding Principles for this pattern:\n\n* Native use of Cloud Provider\n* Blast Radius Containment\n* Minimize Attack Surface\n* Privileged Access Management\n* Least Privilege\n\n\n\n\n##Basic Structure\n\nThe basic Control Plane pattern has a single or primary control plane and one or more target accounts that have a trust relationship with the control plane. Long-Term Credentials associated with Users are routinely in use in the primary control plane. Human access is brokered with MFA, and app access via Long-Term Credentials implements compensating controls.\n\nAn enhanced Control Plane pattern includes a second backup or recovery control plane, and each of the target accounts also has a trust relationship with the backup control plane. Minimal Long-Term credentials exist (only enough to seed-access to the backup control plane), and these credentials are stored securely for 'break-glass' scenarios.\n\n###Image 1: Control Plane to Target(s) Relationship\n\nTrust is delegated from a Principal Entity in a _trusting_ account to a Principal Entity in the _trusted_ account.  This trust is granular, meaning that a specific Principal Entity in the _trusting_ account trusts a specific Principal Entity in the _trusted_ account.  This is not an account-to-account trust (such a broad trust is likely to introduce a design flaw that would allow elevation of privilege).\n\n![1_control-target-relationship](/docs/img/1_control-target-relationship.png)\n\n***Note:*** Diagram to be updated to be generalized to any Cloud Provider ([Issue #3](https://github.com/devsecops/controlplane/issues/3)).\n\n##Examples\n\nSome examples of this pattern include:\n\n* [Amazon Web Services](/docs/Amazon-Web-Services/)\n* [Google Cloud]() (to be added: [Issue #4](https://github.com/devsecops/controlplane/issues/4))\n* [Microsoft Azure]() (to be added: [Issue #5](https://github.com/devsecops/controlplane/issues/5))\n\n#Appendix\n\n##References\n\n* [References](/docs/references)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevsecops%2Fcontrolplane","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevsecops%2Fcontrolplane","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevsecops%2Fcontrolplane/lists"}