The Framework for GitHub Apps on AWS is an open-source software development framework that uses AWS services to simplify the process of building and operating GitHub Apps. Below are some of the ways we are mitigating risks when maintaining GitHub App installations using the framework.
The ops tools reduce confidentiality risk during key generation and import by removing the local copy of the signing key as soon as it has validated that the KMS import succeeded. After import, AWS KMS stores the key material in AWS KMS HSMs, protecting the confidentiality of the key material throughout its life.
The ops tools reduce risk to key material integrity at import time by generating and using GitHub App tokens twice: once before import, signing with the key file that is about to be imported, and once after import, signing with the imported KMS key. A successful token exchange with both confirms that the key material was imported intact.
AWS KMS does not maintain the durability of imported key material at the same level as key material that AWS KMS generates. If your keys become unavailable, use the ops tools to rotate your signing keys. For further information about managing imported keys in KMS, see Durability Protection for KMS imported keys.
You should rotate your signing keys periodically when appropriate for your security and operational requirements.
The framework provides App and Installation tokens via AWS Lambda-based APIs it defines. You can control access to these API endpoints using IAM policies.
It is best practice to cache the tokens generated by the API calls. The credential vending APIs include an expirationTime field that tells you when you need to refresh your local cache.
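The cache described above, as an added example that is not part of the framework's own code: a small per-Installation token cache that refreshes a token before its expirationTime is reached, leaving a safety margin so that an in-flight request never carries a token that expires mid-call. The response shape `{"token": ..., "expirationTime": "<ISO 8601>"}` and the injected `fetch` callable (standing in for a call to the framework's Lambda-based API) are assumptions; the page only states that the API response carries an expirationTime field.

```python
from __future__ import annotations

import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Assumed (hypothetical) response shape of the credential vending API:
#   {"token": "<installation token>", "expirationTime": "2024-01-01T13:00:00Z"}
FetchFn = Callable[[int], Dict[str, str]]


@dataclass
class CachedToken:
    token: str
    expires_at: datetime  # aware UTC datetime parsed from expirationTime


def parse_expiration(value: str) -> datetime:
    """Parse an ISO 8601 expirationTime (with 'Z' or an explicit offset) into aware UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # treat a naive timestamp as UTC rather than local time
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


class TokenCache:
    """Caches one token per Installation id and refreshes it ahead of expiry."""

    def __init__(
        self,
        fetch: FetchFn,
        refresh_margin: timedelta = timedelta(minutes=5),
        now: Optional[Callable[[], datetime]] = None,
    ) -> None:
        self._fetch = fetch
        self._margin = refresh_margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._tokens: Dict[int, CachedToken] = {}
        self._lock = threading.Lock()  # one refresh at a time per process
        self.fetch_count = 0  # number of calls made to the vending API

    def get(self, installation_id: int) -> str:
        with self._lock:
            cached = self._tokens.get(installation_id)
            # Reuse the token only while it is still valid past the refresh margin.
            if cached is not None and cached.expires_at - self._margin > self._now():
                return cached.token
            response = self._fetch(installation_id)
            self.fetch_count += 1
            expires_at = parse_expiration(response["expirationTime"])
            if expires_at <= self._now():
                # Failure mode: the API handed back a token that is already expired.
                raise RuntimeError("vended token is already expired; check clock skew")
            self._tokens[installation_id] = CachedToken(response["token"], expires_at)
            return response["token"]


def demo() -> int:
    """Constructed scenario: two calls inside the validity window hit the API once."""
    clock = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

    def fake_fetch(installation_id: int) -> Dict[str, str]:
        expiry = (clock + timedelta(hours=1)).isoformat().replace("+00:00", "Z")
        return {"token": f"ghs_example_{installation_id}", "expirationTime": expiry}

    cache = TokenCache(fake_fetch, now=lambda: clock)
    cache.get(42)
    cache.get(42)
    return cache.fetch_count  # 1


if __name__ == "__main__":
    print("API calls made for two token requests:", demo())
```

The refresh margin is the important knob: set it comfortably larger than the longest request you make with the token, so a token that is about to expire is never the one you send.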
GitHub enforces several rate limits that apply to all API callers. This framework includes a rate limit monitoring component that provides Amazon CloudWatch metrics for the status of all primary rate limits for all Installations of all Apps managed by the framework. You can use these metrics to better understand the health of your App's operations. The framework can also provide an opinionated CloudWatch dashboard that presents these rate limit status values for you.
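To show what such a monitoring component measures, here is an added example (not the framework's own code) that turns the rate limit headers GitHub returns on API responses (`X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`, `X-RateLimit-Resource`) into CloudWatch `PutMetricData`-shaped entries keyed by App, Installation and rate limit resource, and flags an Installation that is close to exhausting its quota. The metric and dimension names are assumptions, the sample headers are constructed, and the actual `put_metric_data` call is left out so the block runs offline.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Dict, List, Mapping

# Constructed sample of the rate limit headers on a GitHub API response.
SAMPLE_HEADERS: Dict[str, str] = {
    "X-RateLimit-Limit": "5000",
    "X-RateLimit-Remaining": "420",
    "X-RateLimit-Reset": "1700000000",  # Unix epoch seconds at which the window resets
    "X-RateLimit-Resource": "core",
}


@dataclass(frozen=True)
class RateLimitSample:
    resource: str
    limit: int
    remaining: int
    reset_epoch: int

    @property
    def used_fraction(self) -> float:
        """Share of the window's quota already consumed (1.0 if the limit is 0)."""
        return 1.0 - self.remaining / self.limit if self.limit else 1.0

    def seconds_to_reset(self, now_epoch: int) -> int:
        return max(0, self.reset_epoch - now_epoch)


def parse_rate_limit_headers(headers: Mapping[str, str]) -> RateLimitSample:
    """Read GitHub's rate limit headers case-insensitively; missing limit headers raise KeyError."""
    h = {k.lower(): v for k, v in headers.items()}
    return RateLimitSample(
        resource=h.get("x-ratelimit-resource", "core"),
        limit=int(h["x-ratelimit-limit"]),
        remaining=int(h["x-ratelimit-remaining"]),
        reset_epoch=int(h["x-ratelimit-reset"]),
    )


def is_near_exhaustion(sample: RateLimitSample, threshold: float = 0.9) -> bool:
    """True once the Installation has used at least `threshold` of its quota."""
    return sample.used_fraction >= threshold


def to_metric_data(
    sample: RateLimitSample, app_name: str, installation_id: int, now_epoch: int
) -> List[Dict[str, Any]]:
    """Build MetricData entries in the shape CloudWatch PutMetricData accepts (names assumed)."""
    dimensions = [
        {"Name": "App", "Value": app_name},
        {"Name": "Installation", "Value": str(installation_id)},
        {"Name": "Resource", "Value": sample.resource},
    ]
    return [
        {"MetricName": "RateLimitRemaining", "Dimensions": dimensions,
         "Value": sample.remaining, "Unit": "Count"},
        {"MetricName": "RateLimitUsedFraction", "Dimensions": dimensions,
         "Value": sample.used_fraction, "Unit": "None"},
        {"MetricName": "RateLimitSecondsToReset", "Dimensions": dimensions,
         "Value": sample.seconds_to_reset(now_epoch), "Unit": "Seconds"},
    ]


if __name__ == "__main__":
    sample = parse_rate_limit_headers(SAMPLE_HEADERS)
    for entry in to_metric_data(sample, "example-app", 12345, now_epoch=1699999400):
        print(entry["MetricName"], entry["Value"])
    print("near exhaustion:", is_near_exhaustion(sample))
    # In a deployed component these entries would go to boto3's
    # cloudwatch.put_metric_data(Namespace=..., MetricData=entries).
```

Publishing the used fraction as its own metric makes a single CloudWatch alarm threshold work across resources with different limits, which is what you want when many Installations share one dashboard.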
GitHub Apps can be public or private. Private Apps can only be installed on resources owned by the same owner (user, organization, enterprise account) that owns the App, while public Apps can be installed anywhere and by anyone. Public Apps can be appealing for use cases where you want to manage resources across many organizations, but if you do not intend your App for public use it is usually better to use a private App so that you retain control over where your App can be installed and who can install it. This framework provides APIs to help manage multiple GitHub App registrations, which simplifies interacting with resources through multiple private Apps.