Currently, our system requires an automated solution for managing expired AWS IDs in access point policies. This will improve reliability and reduce maintenance overhead by:
- Automatically detecting expired AWS IDs at regular intervals;
- Removing expired AWS IDs from policies without disrupting users with valid AWS IDs;
- Synchronizing access point policies with user authorization status through periodic updates by adding/removing/updating users whose authorization status has changed or whose AWS ID has changed.
When users remove their AWS account from PhysioNet, they must be removed from all access points they were previously added to. Similarly, when users add a new AWS account, they must be re-added to the same access points they were previously using.
What happens when an invalid userid is specified in PutAccessPointPolicy? Does it behave the same way as PutBucketPolicy (i.e., fail with an error message that explicitly states which ID was invalid)?
If an invalid userid is present in an existing access point policy, what does GetAccessPointPolicy return? Does it behave the same way as GetBucketPolicy (i.e., valid userids are converted to ARNs while invalid userids are left as AIDA strings)?
I know how bucket policies work in the case of userids that have been deleted from their AWS account. I haven't checked whether access-point policies work the same way.
I also don't know what happens if an entire AWS account is deleted, particularly if we were to grant access to root ARNs.
I know that there are (or were, at one time) some people on PhysioNet whose "aws_id" was a 12-digit number and was not a valid AWS account number (i.e., PutBucketPolicy would reject it.) But since those IDs were unverified, I don't know whether they were formerly valid or never valid.
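One way to implement the detect-and-remove step from the issue, as an added example that is not PhysioNet's code: it takes a policy document in the form GetBucketPolicy returns and strips principals left as bare AIDA strings while keeping resolvable ARNs. That access point policies come back in the same form is an assumption (the comment above leaves it open); the function name and the sample policy are constructed for illustration.

```python
import copy
import re

# IAM user unique IDs start with "AIDA". A bare one in a returned policy is a
# principal that no longer resolves to an ARN (bucket-policy behaviour per the thread).
ORPHANED_USER_ID = re.compile(r"^AIDA[A-Z0-9]+$")

def prune_orphaned_principals(policy):
    """Return (cleaned_policy, removed_ids); the input policy is not mutated."""
    cleaned = copy.deepcopy(policy)
    statements = cleaned.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    kept, removed = [], []
    for stmt in statements:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            kept.append(stmt)                 # "*" or non-AWS principals: untouched
            continue
        aws = principal["AWS"]
        entries = [aws] if isinstance(aws, str) else list(aws)
        valid = [p for p in entries if not ORPHANED_USER_ID.match(p)]
        removed += [p for p in entries if ORPHANED_USER_ID.match(p)]
        if valid:
            principal["AWS"] = valid[0] if len(valid) == 1 else valid
            kept.append(stmt)
        elif len(principal) > 1:
            del principal["AWS"]              # other principal types still apply
            kept.append(stmt)
        # otherwise every principal was orphaned: drop the whole statement
    cleaned["Statement"] = kept
    return cleaned, removed

# Constructed sample: account IDs, names and AIDA strings are made up.
RESOURCE = "arn:aws:s3:us-east-1:444455556666:accesspoint/example-ap/object/*"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Readers", "Effect": "Allow", "Action": "s3:GetObject", "Resource": RESOURCE,
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/alice", "AIDAEXAMPLEORPHANED01"]}},
        {"Sid": "Stale", "Effect": "Allow", "Action": "s3:GetObject", "Resource": RESOURCE,
         "Principal": {"AWS": "AIDAEXAMPLEORPHANED02"}},
    ],
}

if __name__ == "__main__":
    cleaned, removed = prune_orphaned_principals(SAMPLE_POLICY)
    print("removed:", removed)
    print("remaining statements:", [s["Sid"] for s in cleaned["Statement"]])
```

The cleaned document is what a periodic job would write back with PutAccessPointPolicy; the list of removed IDs is worth logging so a dropped user can be traced afterwards.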