# LotusCloud IAM & Security Architecture

## Overview

LotusCloud IAM provides identity and access management similar to AWS IAM / GCP Cloud IAM / Azure Entra ID. Security architecture covers IAM, RBAC, network isolation, encryption, secrets management, and compliance.

## IAM Entities

```
Organization
   │
   ├── Users (human identities)
   ├── Groups (collection of users)
   ├── Service Accounts (machine identities)
   ├── Roles (permission bundles)
   └── Policies (permission documents)
```

## Authentication Methods

| Method | Use Case |
|--------|----------|
| Username + Password | Console login |
| Access Key + Secret Key | API/CLI access |
| JWT Token | Service-to-service |
| OIDC | SSO / Federation |
| Workload Identity | Pods/VMs calling cloud APIs |
| MFA (TOTP) | Additional security layer |
| mTLS | Internal service auth |

## Access Key System

### Key Types

| Key Type | Scope | Limit |
|----------|-------|-------|
| Root key | Full account access | 2 per user |
| Scoped key | Per-project or per-bucket | Unlimited |
| Service account key | Per workload | 5 per SA |
| Temporary token | Time-limited | Auto-generated |

### Scoped Key Example

```json
{
  "access_key": "LTAK-abc123",
  "secret_key": "encrypted",
  "scope": {
    "project": "proj-001",
    "services": ["storage"],
    "resources": ["bucket/images"],
    "actions": ["GetObject", "PutObject"]
  },
  "expires_at": "2026-12-31T23:59:59Z"
}
```

## Role-Based Access Control (RBAC)

### Built-in Roles

| Role | Description | Permissions |
|------|-------------|-------------|
| owner | Full access, can manage IAM | * |
| admin | Full resource access, no IAM management | resources.* |
| editor | Create, update resources | resources.create, resources.update, resources.read |
| viewer | Read-only access | resources.read |
| billing-admin | Billing and cost management | billing.*, costmgmt.* |
| security-admin | Security and compliance | iam.*, policy.*, audit.read |
| network-admin | Network management | network.*, vpc.*, vpn.*, firewall.* |
| db-admin | Database management | dbaas.*, sql.* |
| k8s-admin | Kubernetes management | container.*, k8s.* |

### Custom Roles

```json
{
  "role": "storage-reader",
  "permissions": [
    "storage.buckets.list",
    "storage.objects.get",
    "storage.objects.list"
  ]
}
```

### Permission Format

```
{service}.{resource}.{action}

Examples:
  compute.vm.create
  compute.vm.delete
  storage.bucket.create
  storage.object.get
  network.vpc.create
  iam.user.create
  billing.usage.read
```

## IAM Policy Document

```json
{
  "version": "2026-01-01",
  "statements": [
    {
      "effect": "allow",
      "actions": [
        "compute.vm.*",
        "storage.bucket.list"
      ],
      "resources": [
        "lrn:lotuscloud:compute:vn-south-1:proj-001:vm/*",
        "lrn:lotuscloud:storage:vn-south-1:proj-001:bucket/*"
      ],
      "conditions": {
        "ip_address": ["10.0.0.0/16"]
      }
    },
    {
      "effect": "deny",
      "actions": ["iam.user.delete"],
      "resources": ["*"]
    }
  ]
}
```

## Service Account & Workload Identity

### Service Account

```
Purpose: Machine-to-machine authentication

Service Account:
  name: sa-billing-worker
  project: proj-001
  roles: [billing-reader, storage-reader]
  keys: [access_key_1, access_key_2]
```

### Workload Identity

Kubernetes pods automatically get cloud credentials without storing keys.

```
K8s Pod
   │
   ▼ (projected service account token)
   │
LotusCloud Token Exchange API
   │
   ▼ (short-lived cloud token)
   │
Cloud API (authorized as service account)
```

## Object Storage ACL

### Bucket-Level Permissions

```json
{
  "bucket": "images",
  "acl": [
    {
      "principal": "user:alice@company.com",
      "permission": "FULL_CONTROL"
    },
    {
      "principal": "sa:sa-web-app",
      "permission": "READ"
    },
    {
      "principal": "group:developers",
      "permission": "READ_WRITE"
    }
  ]
}
```

### Bucket Policy

```json
{
  "bucket": "images",
  "policy": {
    "statements": [
      {
        "effect": "allow",
        "principal": "sa:sa-web-app",
        "actions": ["s3:GetObject"],
        "resources": ["bucket/images/public/*"]
      },
      {
        "effect": "deny",
        "principal": "*",
        "actions": ["s3:DeleteObject"],
        "resources": ["bucket/images/*"]
      }
    ]
  }
}
```

## Network Security

### Security Layers

```
Layer 1: Edge (DDoS + WAF)
Layer 2: Firewall (network perimeter)
Layer 3: Security Groups (per-instance)
Layer 4: Network Policies (K8s)
Layer 5: mTLS (service mesh)
Layer 6: Encryption (data at rest + in transit)
```

### Network Isolation

```
Tenant A                    Tenant B
┌──────────────────┐       ┌──────────────────┐
│ VPC-A            │       │ VPC-B            │
│ ┌──────────────┐ │       │ ┌──────────────┐ │
│ │ Subnet-1     │ │       │ │ Subnet-1     │ │
│ │  VM-A1       │ │       │ │  VM-B1       │ │
│ │  VM-A2       │ │       │ │  VM-B2       │ │
│ └──────────────┘ │       │ └──────────────┘ │
└──────────────────┘       └──────────────────┘
         No cross-tenant traffic
```

## Encryption

### Data at Rest

| Resource | Encryption |
|----------|-----------|
| Block volumes | AES-256 (dm-crypt/LUKS) |
| Object storage | AES-256 (server-side) |
| Database | TDE or filesystem encryption |
| Backups | AES-256 |

### Data in Transit

| Connection | Encryption |
|-----------|-----------|
| Client → API | TLS 1.3 |
| Service → Service | mTLS |
| Ceph cluster | TLS (msgr2) |
| VPN tunnel | IPSec AES-256-GCM |

### Key Management (KMS)

```
LotusCloud KMS
   │
   ├── Master key (HSM-backed)
   ├── Data encryption keys (DEK)
   ├── Key rotation (automatic)
   └── Envelope encryption
```

## Secrets Management

Technology: HashiCorp Vault (or built-in keyvault-service)

### Stored Secrets

- API keys
- Database passwords
- TLS certificates
- SSH keys
- Encryption keys
- OAuth tokens

### Secrets Lifecycle

```
Create → Store (encrypted) → Rotate → Expire → Delete

Automatic rotation:
  DB passwords: every 90 days
  API keys: every 180 days
  TLS certs: every 365 days
```

## Audit Logging

### ISO 27001 Compliance

All security-relevant events are logged.

### Event Types

```
iam.user.created
iam.user.deleted
iam.role.assigned
iam.policy.changed
iam.login.success
iam.login.failed
iam.key.created
iam.key.revoked

compute.vm.created
compute.vm.deleted
compute.vm.config_changed

network.vpc.created
network.firewall.rule_changed
network.security_group.modified

storage.bucket.acl_changed
storage.bucket.policy_changed

dbaas.instance.created
dbaas.config.changed
dbaas.backup.completed
dbaas.failover.triggered
```

### Audit Log Format

```json
{
  "timestamp": "2026-03-08T10:30:00Z",
  "event_type": "compute.vm.deleted",
  "actor": {
    "user_id": "user-123",
    "ip_address": "10.0.1.50",
    "user_agent": "lotus-cli/1.0"
  },
  "resource": {
    "lrn": "lrn:lotuscloud:compute:vn-south-1:proj-001:vm/vm-456",
    "type": "vm",
    "id": "vm-456"
  },
  "project_id": "proj-001",
  "result": "success",
  "detail": {
    "reason": "user_initiated"
  }
}
```

### Retention

- Activity logs: 90 days (hot) + 365 days (cold)
- Audit logs: 3 years (compliance)
- Security logs: 5 years

## Compliance

### ISO 27001 Controls

| Control | LotusCloud Implementation |
|---------|--------------------------|
| Access control | IAM + RBAC |
| Cryptography | KMS + TLS + encryption at rest |
| Operations security | Audit logs + monitoring |
| Communications security | VPC isolation + firewall |
| Asset management | Resource manager + tagging |
| Incident management | Alert service + notification |

## Multi-Tenant Security

### Isolation Layers

```
1. Identity Isolation    → Separate IAM per organization
2. Network Isolation     → VPC per tenant, no cross-tenant traffic
3. Compute Isolation     → KVM hypervisor, separate cgroups
4. Storage Isolation     → Ceph pools, bucket ACL, encryption
5. Data Isolation        → Separate DB schemas per project
```

## Service Health Dashboard

Public status page for all cloud services.

```
LotusCloud Service Health

Region: VN-South
  API Gateway:        ● Operational
  Compute:            ● Operational
  Kubernetes:         ● Operational
  Object Storage:     ● Operational
  SQL Database:       ◐ Degraded Performance
  Networking:         ● Operational
  CDN:                ● Operational

Incidents:
  [2026-03-08] SQL service — degraded performance in vn-south-1a
```
