Closed Bug 1125338 Opened 9 years ago Closed 9 years ago

Request to have OpSec Security Audit role created in Mozilla Release Engineering AWS account

Categories

(Release Engineering :: General, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gene, Assigned: dustin)

References

Details

Attachments

(1 file)

Dustin,
   In our (OpSec) move away from using static credentials to access AWS accounts (like Release Engineering's) to using IAM Roles for improved security, we've created a security auditing IAM role that we were hoping you'd deploy in the Release Engineering AWS account.

The Security Audit IAM role would grant a different IAM Role in the OpSec AWS account a few abilities:

* It would grant us a set of abilities that Amazon lays out in their IAM Role template called "Security Audit" which they describe as a template that "grants access to read security configuration metadata. It is useful for software that audits the configuration of an AWS account."
* It would give us the ability to snapshot a disk of a potentially compromised instance, create a forensics ec2 instance, and modify security groups of a potentially compromised instance in order to sequester it to facilitate incident response.
* It would give us the ability to look at the CloudTrail settings to validate that it's turned on and configured correctly.

The full details of the permissions are outlined here :

https://github.com/mozilla/opsec/blob/master/security-audit/opsec-security-audit-trusting-role-cloudformation.json

The process to create the IAM Role using this CloudFormation template is detailed here :

https://github.com/mozilla/opsec/tree/master/security-audit#create-a-trusting-account-using-cloudformation
Assignee: nobody → dustin
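The sequestration workflow that the second bullet of the request describes (snapshot the disks of a suspect instance, then change its security groups to cut it off), as an added example that is not code from this bug, from the OpSec repo or from the template. It uses only EC2 actions the role grants. The boto3-shaped client is injected so the flow runs offline against the FakeEC2 stand-in; FakeEC2, the sample instance, the VPC id and the case id are constructed for the example, and in production the client would be boto3.client("ec2") built from sts:AssumeRole credentials for the audit role.

```python
"""Sequester a suspected-compromised EC2 instance with the trusting role's permissions.

Added example, not code from the bug, the OpSec repo or the template. Only
EC2 actions the role grants are used: DescribeInstances, CreateSnapshot,
CreateSecurityGroup, RevokeSecurityGroupEgress, ModifyInstanceAttribute.
"""
import copy


def sequester_instance(ec2, instance_id, vpc_id, case_id):
    """Preserve disk evidence, then cut the instance off from the network.

    Order matters: snapshots first, so the disk state at detection is kept;
    then an isolation group that is emptied of its default rule *before* it
    is attached, so the instance never briefly carries an allow-all egress group.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_groups = [g["GroupId"] for g in inst["SecurityGroups"]]

    # 1. Evidence: one snapshot per attached EBS volume, labelled with the case id.
    snapshot_ids = []
    for mapping in inst["BlockDeviceMappings"]:
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"IR {case_id}: {instance_id} {mapping['DeviceName']}",
        )
        snapshot_ids.append(snap["SnapshotId"])

    # 2. Isolation group. A new VPC security group has no ingress rules but
    #    does get a default allow-all egress rule, so revoke it explicitly.
    isolation_sg = ec2.create_security_group(
        GroupName=f"ir-isolation-{case_id}",
        Description=f"Incident response isolation for {instance_id}",
        VpcId=vpc_id,
    )["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=isolation_sg,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )

    # 3. Put the instance on the isolation group only. ModifyInstanceAttribute
    #    replaces the whole group list, so the original groups are kept for restore.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    return {"snapshots": snapshot_ids, "isolation_sg": isolation_sg,
            "original_groups": original_groups}


class FakeEC2:
    """Minimal in-memory stand-in for the boto3 EC2 client (constructed for this example)."""

    ALLOW_ALL_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

    def __init__(self, instance):
        self.instance = instance
        self.snapshots = []
        self.groups = {}   # GroupId -> list of egress rules
        self.calls = []    # API call order, to check the procedure

    def describe_instances(self, InstanceIds):
        self.calls.append("DescribeInstances")
        return {"Reservations": [{"Instances": [self.instance]}]}

    def create_snapshot(self, VolumeId, Description):
        self.calls.append("CreateSnapshot")
        snap = {"SnapshotId": f"snap-{len(self.snapshots):017x}",
                "VolumeId": VolumeId, "Description": Description}
        self.snapshots.append(snap)
        return snap

    def create_security_group(self, GroupName, Description, VpcId):
        self.calls.append("CreateSecurityGroup")
        gid = f"sg-{len(self.groups):017x}"
        self.groups[gid] = [dict(self.ALLOW_ALL_EGRESS)]  # mirrors EC2's default egress rule
        return {"GroupId": gid}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append("RevokeSecurityGroupEgress")
        self.groups[GroupId] = [r for r in self.groups[GroupId] if r not in IpPermissions]
        return {"Return": True}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append("ModifyInstanceAttribute")
        self.instance["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        return {}


SAMPLE_INSTANCE = {  # constructed sample, not a real instance
    "InstanceId": "i-0123456789abcdef0",
    "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-root"}},
        {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-data"}},
    ],
}


def demo():
    ec2 = FakeEC2(copy.deepcopy(SAMPLE_INSTANCE))
    return ec2, sequester_instance(ec2, "i-0123456789abcdef0", "vpc-0abc1234", "IR-2015-001")


if __name__ == "__main__":
    ec2, result = demo()
    print(result)
    print("call order:", " -> ".join(ec2.calls))
```

The revoke step is the part people forget: ec2:CreateSecurityGroup alone does not isolate anything, because the new group ships with an allow-all egress rule, which is why the template grants ec2:RevokeSecurityGroupEgress alongside it. Memory is not captured here; the EnableMemoryExport policy in the template exists so a rule can be opened afterwards for a memory dump over the network.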
Ah, our repo is private! Doh!

Here are the instructions

Here's how to create an IAM role for the trusting account. This would be done 
by a foreign AWS account holder who wants to grant OpSec the ability to audit 
the security of their AWS account.

## Create a Trusting Account using cloudformation

This method is preferred over using boto.

* The foreign AWS account holder should log into their AWS web console
* Browse to the [CloudFormation section](https://console.aws.amazon.com/cloudformation/home?region=us-west-2)
* Click the `Create Stack` button
  * In the `Name` field enter something like `opsec-security-audit-role`
  * In the `Source` field select `Specify an Amazon S3 template URL` and type in

    https://s3-us-west-2.amazonaws.com/cf-templates-acnkbhcsm640-us-west-2/2015023txg-opsec-security-audit-trusting-role-cloudformation.json

* Click the `Next` button
* Deploy the `opsec-security-audit-trusting-role-cloudformation.json` template
* On the `Options` page click the `Next` button
* On the `Review` page click the checkbox that says `I acknowledge that this template might cause AWS CloudFormation to create IAM resources.`
* Click the `Create` button
* When the CloudFormation stack completes the creation process and the `Status` field changes from `CREATE_IN_PROGRESS` to `CREATE_COMPLETE`, select the new stack and click the `Outputs` tab in the bottom window pane.
* Copy the `Value` given for the `OpSecSecurityAuditRoleARN` `Key` and paste it into the bug that OpSec opened requesting the creation of this account
  * An example `Value` would be `arn:aws:iam::123456789012:role/opsec-security-audit-role-OpSecSecurityAuditRole-1234567890AB`


Here is the template

{
  "AWSTemplateFormatVersion":"2010-09-09",
  "Description":"OpSec Security Audit Role",
  "Resources":{
    "OpSecSecurityAuditRole":{
      "Type":"AWS::IAM::Role",
      "Properties":{
        "AssumeRolePolicyDocument":{
          "Version":"2012-10-17",
          "Statement":[
            {
              "Sid":"",
              "Effect":"Allow",
              "Principal":{
                "AWS":"arn:aws:iam::656532927350:role/OpSecTrustedAuditor"
              },
              "Action":"sts:AssumeRole"
            }
          ]
        },
        "Policies":[
          {
            "PolicyName":"SecurityAudit",
            "PolicyDocument":{
              "Version":"2012-10-17",
              "Statement":[
                {
                  "Action":[
                    "autoscaling:Describe*",
                    "cloudformation:DescribeStack*",
                    "cloudformation:GetTemplate",
                    "cloudformation:ListStack*",
                    "cloudfront:Get*",
                    "cloudfront:List*",
                    "cloudwatch:Describe*",
                    "directconnect:Describe*",
                    "dynamodb:ListTables",
                    "ec2:Describe*",
                    "elasticbeanstalk:Describe*",
                    "elasticache:Describe*",
                    "elasticloadbalancing:Describe*",
                    "elasticmapreduce:DescribeJobFlows",
                    "glacier:ListVaults",
                    "iam:Get*",
                    "iam:List*",
                    "rds:Describe*",
                    "rds:DownloadDBLogFilePortion",
                    "rds:ListTagsForResource",
                    "redshift:Describe*",
                    "route53:GetHostedZone",
                    "route53:ListHostedZones",
                    "route53:ListResourceRecordSets",
                    "s3:GetBucket*",
                    "s3:GetLifecycleConfiguration",
                    "s3:GetObjectAcl",
                    "s3:GetObjectVersionAcl",
                    "s3:ListAllMyBuckets",
                    "sdb:DomainMetadata",
                    "sdb:ListDomains",
                    "sns:GetTopicAttributes",
                    "sns:ListTopics",
                    "sqs:GetQueueAttributes",
                    "sqs:ListQueues"
                  ],
                  "Effect":"Allow",
                  "Resource":"*"
                }
              ]
            }
          },
          {
            "PolicyName":"IncidentResponseSnapshotDisk",
            "PolicyDocument":{
              "Version":"2012-10-17",
              "Statement":[
                {
                  "Action":[
                    "ec2:CreateSnapshot",
                    "ec2:DescribeSnapshots",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumeStatus"
                  ],
                  "Effect":"Allow",
                  "Resource":"*"
                }
              ]
            }
          },
          {
            "PolicyName":"IncidentResponseCreateForensicsInstance",
            "PolicyDocument":{
              "Version":"2012-10-17",
              "Statement":[
                {
                  "Action":[
                    "ec2:RunInstances",
                    "ec2:DescribeImages",
                    "ec2:ImportKeyPair",
                    "ec2:CreateSecurityGroup",
                    "ec2:AttachVolume"
                  ],
                  "Effect":"Allow",
                  "Resource":"*"
                }
              ]
            }
          },
          {
            "PolicyName":"IncidentResponseSequesterInstance",
            "PolicyDocument":{
              "Version":"2012-10-17",
              "Statement":[
                {
                  "Action":[
                    "ec2:ModifyInstanceAttribute"
                  ],
                  "Effect":"Allow",
                  "Resource":"*"
                }
              ]
            }
          },
          {
            "PolicyName":"IncidentResponseEnableMemoryExport",
            "PolicyDocument":{
              "Version":"2012-10-17",
              "Statement":[
                {
                  "Action":[
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:DescribeSecurityGroups",
                    "ec2:CreateSecurityGroup",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress"
                  ],
                  "Effect":"Allow",
                  "Resource":"*"
                }
              ]
            }
          },
          {
            "PolicyName":"DescribeCloudTrail",
            "PolicyDocument":{
              "Version":"2012-10-17",
              "Statement":[
                {
                  "Action":[
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetTrailStatus"
                  ],
                  "Effect":"Allow",
                  "Resource":"*"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs":{
    "OpSecSecurityAuditRoleARN":{
      "Value":{
        "Fn::GetAtt":[
          "OpSecSecurityAuditRole",
          "Arn"
        ]
      },
      "Description":"The ARN of the new OpSec Security Audit Role"
    }
  }
}
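Before deploying a trusting-role template like the one above, the account owner should check what it actually hands to the other account: who may assume the role, which granted actions can mutate anything, and whether any principal or action is a wildcard. The script below is an added example of that review, not code from this bug, the OpSec repo or AWS. TEMPLATE is an abridged copy of the template pasted above (the trust policy and the five incident-response and CloudTrail policies are complete; the SecurityAudit action list is shortened); the policy() helper, the read-only verb list and the findings wording are this example's own choices. To review the real file, replace TEMPLATE with json.load() of the downloaded template.

```python
"""Static review of a trusting-role CloudFormation template before deploying it.

Added example, not code from the bug, the OpSec repo or AWS. TEMPLATE is an
abridged copy of the template in this bug; the SecurityAudit list is shortened.
"""
import copy
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
READ_ONLY_VERBS = ("Describe", "Get", "List", "Download")


def policy(name, actions):
    """Inline policy in the shape the template uses: one Allow statement on Resource '*'."""
    return {"PolicyName": name, "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": actions, "Effect": "Allow", "Resource": "*"}]}}


TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"OpSecSecurityAuditRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::656532927350:role/OpSecTrustedAuditor"}}]},
        "Policies": [
            policy("SecurityAudit", ["autoscaling:Describe*", "ec2:Describe*", "iam:Get*",
                   "iam:List*", "rds:DownloadDBLogFilePortion", "s3:GetBucket*",
                   "s3:ListAllMyBuckets"]),  # abridged
            policy("IncidentResponseSnapshotDisk", ["ec2:CreateSnapshot", "ec2:DescribeSnapshots",
                   "ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:DescribeVolumeStatus"]),
            policy("IncidentResponseCreateForensicsInstance", ["ec2:RunInstances",
                   "ec2:DescribeImages", "ec2:ImportKeyPair", "ec2:CreateSecurityGroup",
                   "ec2:AttachVolume"]),
            policy("IncidentResponseSequesterInstance", ["ec2:ModifyInstanceAttribute"]),
            policy("IncidentResponseEnableMemoryExport", ["ec2:AuthorizeSecurityGroupEgress",
                   "ec2:AuthorizeSecurityGroupIngress", "ec2:DescribeSecurityGroups",
                   "ec2:CreateSecurityGroup", "ec2:RevokeSecurityGroupEgress",
                   "ec2:RevokeSecurityGroupIngress"]),
            policy("DescribeCloudTrail", ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"]),
        ]}}},
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Describe/Get/List/Download verbs are treated as non-mutating; anything else is a write."""
    return action.split(":", 1)[1].startswith(READ_ONLY_VERBS)


def review_role(template, expected_account):
    """Return who may assume the role, the write actions it grants, and any red flags."""
    findings, principals, write_actions = [], [], {}
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Role":
            continue
        props = res["Properties"]
        for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            p = stmt["Principal"]
            principals += as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]
        for pol in props.get("Policies", []):
            for stmt in pol["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") != "Allow":
                    continue
                for action in as_list(stmt["Action"]):
                    if action == "*" or action.endswith(":*"):
                        findings.append(f"{name}/{pol['PolicyName']}: wildcard action {action}")
                    elif not is_read_only(action):
                        write_actions.setdefault(pol["PolicyName"], []).append(action)
    for p in principals:
        m = ROLE_ARN.match(p)
        if not m:  # "*", an account root, an IAM user, or a malformed ARN
            findings.append(f"trust policy principal is not a specific IAM role: {p}")
        elif m.group(1) != expected_account:
            findings.append(f"trust policy principal lives in unexpected account {m.group(1)}")
    return {"principals": principals, "write_actions": write_actions, "findings": findings}


def with_principal(template, principal):
    """Copy of TEMPLATE with a different trust principal, for negative checks."""
    t = copy.deepcopy(template)
    doc = t["Resources"]["OpSecSecurityAuditRole"]["Properties"]["AssumeRolePolicyDocument"]
    doc["Statement"][0]["Principal"]["AWS"] = principal
    return t


if __name__ == "__main__":
    import json
    print(json.dumps(review_role(TEMPLATE, "656532927350"), indent=2))
```

Against the template in this bug the review reports a single trust principal, the OpSecTrustedAuditor role in account 656532927350, and no findings; the write actions are confined to the four IncidentResponse policies, which is the part the account owner is consciously accepting. Two things the script surfaces that are worth a second look rather than a finding: every write action is granted on Resource "*", and ec2:ModifyInstanceAttribute covers far more than security-group changes (user data, instance type and termination protection among them), so the SequesterInstance policy is broader than its name. The trust statement also carries no Condition; between two Mozilla-owned accounts that is fine, but a role assumed by an outside organisation should add an sts:ExternalId condition.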
Done!  (I had to upload the template myself)

arn:aws:iam::314336048151:role/opsec-security-audit-role-OpSecSecurityAuditRole-FLWUS9CTWIX6
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
QA Contact: pmoore → mshal
See Also: → 1232121