Review CC sso-gated-admin-tools: scope to ArgoCD only

Removed Grafana from the control description — no Prowler finding references it. Tightened scope to match actual usage (ArgoCD wildcard RBAC mute). Added workflow-bot scoping note. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 13:07:52 -07:00 · 2026-04-14 13:07:52 -07:00 · 6b690eb033
commit 6b690eb033
parent be30668eef
2 changed files with 9 additions and 6 deletions
--- a/compensating-controls.yaml
+++ b/compensating-controls.yaml
@ -59,14 +59,16 @@ controls:

  - id: sso-gated-admin-tools
    description: >-
-      ArgoCD and Grafana require SSO authentication via Authentik OIDC.
-      Wildcard RBAC in ArgoCD is mitigated by requiring authenticated
-      identity before any API access.
+      ArgoCD requires SSO authentication via Authentik OIDC. Wildcard
+      RBAC roles are mitigated by requiring authenticated identity
+      before any API access.
    created: 2026-03-30
-    last-reviewed: 2026-03-30
+    last-reviewed: 2026-04-14
    notes: >-
-      Verify Authentik provider config and that anonymous access is
-      disabled. Check ArgoCD --auth-token isn't leaked.
+      Verify Authentik OIDC provider config for ArgoCD and that
+      anonymous access is disabled. Check ArgoCD --auth-token isn't
+      leaked. The workflow-bot API key account is scoped to sync/get
+      only.

  - id: operator-managed-pods
    description: >-