Improve security of the Maximo-Geo integration

[mddilley]

When we first implemented the Maximo-Geo integration, John flagged some improvements that we could make to increase the security of this process and make it easier to understand/troubleshoot this part of the integration.

Solutions

• Schema validation to check the shape of data and also document what is being consumed
• SES allow list? Not sure how many senders there are - do we always receive from Rene like in the example headers that Frank posted below?
  • Sender is whoever generated the scheduled report within MAXIMO
  • https://medium.com/@vikasarya457/enhancing-email-control-in-aws-ses-through-email-whitelisting-f8f2386f6e65
• Throw an error when the program quits execution due to missing headers (h/t Chia)

[chiaberry]

• Throw an error when the program quits execution due to missing headers

[frankhereford]

Please see some example headers as received in the most recent email this morning here.

[frankhereford]

Through some conversations in slack, I want to add that it is probably appropriate at this time to push back on the upstream folks to get us some more concrete answers about what we can and should expect from this email so we have more than just hopeful hacks that we can use to secure this resource.

[mddilley]

I reached out to Rene for more info about how the emails are generated and if they come from multiple addresses. I'll update here once I hear back.

Christina also mentioned today that Rebekka and Andrew could be helpful if we need more information after that.