Bug 1125338 (Closed)
Request to have OpSec Security Audit role created in Mozilla Release Engineering AWS account
Opened 9 years ago
Closed 9 years ago
Categories: Release Engineering :: General, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: gene, Assigned: dustin
Attachments: 1 file (5.33 KB, application/json)

Description
Dustin,

In our (OpSec) move away from using static credentials to access AWS accounts (like Release Engineering's) to using IAM Roles for improved security, we've created a security auditing IAM role that we were hoping you'd deploy in the Release Engineering AWS account.

The Security Audit IAM role would grant a different IAM Role in the OpSec AWS account a few abilities:

* It would grant us a set of abilities that Amazon lays out in their IAM Role template called "Security Audit", which they describe as a template that "grants access to read security configuration metadata. It is useful for software that audits the configuration of an AWS account."
* It would give us the ability to snapshot a disk of a potentially compromised instance, create a forensics EC2 instance, and modify security groups of a potentially compromised instance in order to sequester it to facilitate incident response.
* It would give us the ability to look at the CloudTrail settings to validate that it's turned on and configured correctly.

The full details of the permissions are outlined here: https://github.com/mozilla/opsec/blob/master/security-audit/opsec-security-audit-trusting-role-cloudformation.json

The process to create the IAM Role using this CloudFormation template is detailed here: https://github.com/mozilla/opsec/tree/master/security-audit#create-a-trusting-account-using-cloudformation
Updated•9 years ago
Assignee: nobody → dustin
Comment 1•9 years ago (Reporter)

Ah, our repo is private! Doh! Here are the instructions.

Here's how to create an IAM role for the trusting account. This would be done by a foreign AWS account holder who wants to grant OpSec the ability to audit the security of their AWS account.

## Create a Trusting Account using cloudformation

This method is preferred over using boto.

* The foreign AWS account holder should log into their AWS web console
* Browse to the [CloudFormation section](https://console.aws.amazon.com/cloudformation/home?region=us-west-2)
* Click the `Create Stack` button
* In the `Name` field enter something like `opsec-security-audit-role`
* In the `Source` field select `Specify an Amazon S3 template URL` and type in https://s3-us-west-2.amazonaws.com/cf-templates-acnkbhcsm640-us-west-2/2015023txg-opsec-security-audit-trusting-role-cloudformation.json
* Click the `Next` button
* Deploy the `opsec-security-audit-trusting-role-cloudformation.json` template
* On the `Options` page click the `Next` button
* On the `Review` page click the checkbox that says `I acknowledge that this template might cause AWS CloudFormation to create IAM resources.`
* Click the `Create` button
* When the CloudFormation stack completes the creation process and the `Status` field changes from `CREATE_IN_PROGRESS` to `CREATE_COMPLETE`, select the new stack and click the `Outputs` tab in the bottom window pane.
* Copy the `Value` given for the `OpSecSecurityAuditRoleARN` `Key` and paste it into the bug that OpSec opened requesting the creation of this account
* An example `Value` would be `arn:aws:iam::123456789012:role/opsec-security-audit-role-OpSecSecurityAuditRole-1234567890AB`

Here is the template:

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "OpSec Security Audit Role",
  "Resources": {
    "OpSecSecurityAuditRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::656532927350:role/OpSecTrustedAuditor"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "SecurityAudit",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "autoscaling:Describe*",
                    "cloudformation:DescribeStack*", "cloudformation:GetTemplate", "cloudformation:ListStack*",
                    "cloudfront:Get*", "cloudfront:List*",
                    "cloudwatch:Describe*",
                    "directconnect:Describe*",
                    "dynamodb:ListTables",
                    "ec2:Describe*",
                    "elasticbeanstalk:Describe*",
                    "elasticache:Describe*",
                    "elasticloadbalancing:Describe*",
                    "elasticmapreduce:DescribeJobFlows",
                    "glacier:ListVaults",
                    "iam:Get*", "iam:List*",
                    "rds:Describe*", "rds:DownloadDBLogFilePortion", "rds:ListTagsForResource",
                    "redshift:Describe*",
                    "route53:GetHostedZone", "route53:ListHostedZones", "route53:ListResourceRecordSets",
                    "s3:GetBucket*", "s3:GetLifecycleConfiguration", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:ListAllMyBuckets",
                    "sdb:DomainMetadata", "sdb:ListDomains",
                    "sns:GetTopicAttributes", "sns:ListTopics",
                    "sqs:GetQueueAttributes", "sqs:ListQueues"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "IncidentResponseSnapshotDisk",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "ec2:CreateSnapshot", "ec2:DescribeSnapshots",
                    "ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:DescribeVolumeStatus"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "IncidentResponseCreateForensicsInstance",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "ec2:RunInstances", "ec2:DescribeImages", "ec2:ImportKeyPair",
                    "ec2:CreateSecurityGroup", "ec2:AttachVolume"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "IncidentResponseSequesterInstance",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "ec2:ModifyInstanceAttribute"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "IncidentResponseEnableMemoryExport",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:DescribeSecurityGroups", "ec2:CreateSecurityGroup",
                    "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "DescribeCloudTrail",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": [
                    "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "OpSecSecurityAuditRoleARN": {
      "Value": {
        "Fn::GetAtt": [
          "OpSecSecurityAuditRole",
          "Arn"
        ]
      },
      "Description": "The ARN of the new OpSec Security Audit Role"
    }
  }
}
```
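An added review check, not part of this bug or of the mozilla/opsec repo, for the account holder who is about to deploy a trusting-role template like the one above: it walks the same Resources / AssumeRolePolicyDocument / Policies structure, reports which principals may assume the role, and lists every allowed action that is not a plain Describe/Get/List read, so the incident-response permissions (Create*, Modify*, Authorize*, Revoke*) are seen explicitly rather than buried in the JSON. The embedded template is a constructed, trimmed copy of the comment's template, kept to a handful of actions.

```python
import json

# Constructed, trimmed copy of the template posted above (same shape; only a
# few SecurityAudit actions are kept so the example stays short).
TEMPLATE = json.loads("""{
  "Resources": {"OpSecSecurityAuditRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
       "Principal": {"AWS": "arn:aws:iam::656532927350:role/OpSecTrustedAuditor"}}]},
    "Policies": [
      {"PolicyName": "SecurityAudit", "PolicyDocument": {"Version": "2012-10-17",
       "Statement": [{"Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                                 "rds:DownloadDBLogFilePortion"],
                      "Effect": "Allow", "Resource": "*"}]}},
      {"PolicyName": "IncidentResponseSequesterInstance", "PolicyDocument": {
       "Version": "2012-10-17",
       "Statement": [{"Action": ["ec2:ModifyInstanceAttribute"],
                      "Effect": "Allow", "Resource": "*"}]}}]}}}}""")

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    # IAM allows Action and Principal.AWS to be a single string or a list.
    return value if isinstance(value, list) else [value]

def trusted_principals(template, role_name):
    """Return the AWS principals that the trust policy lets sts:AssumeRole into the role."""
    props = template["Resources"][role_name]["Properties"]
    principals = []
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            principals.extend(_as_list(stmt["Principal"]["AWS"]))
    return principals

def actions_to_review(template, role_name):
    """Map policy name -> allowed actions that are not plain Describe/Get/List reads.
    The prefix test is a heuristic: Create*, Modify*, Download*, or a bare "*"
    are all returned so the reviewer looks at them explicitly."""
    props = template["Resources"][role_name]["Properties"]
    flagged = {}
    for policy in props.get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt["Action"]):
                verb = action.split(":", 1)[-1]  # "ec2:Describe*" -> "Describe*"; "*" -> "*"
                if not verb.startswith(READ_ONLY_PREFIXES):
                    flagged.setdefault(policy["PolicyName"], []).append(action)
    return flagged
```

Run against the full template from the comment, the flagged list is exactly the four IncidentResponse* policies plus the rds:DownloadDBLogFilePortion read, which is what the account holder is signing up to when they tick the IAM acknowledgement box.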
Comment 2•9 years ago (Reporter)
Comment 3•9 years ago (Assignee)
Done! (I had to upload the template myself) arn:aws:iam::314336048151:role/opsec-security-audit-role-OpSecSecurityAuditRole-FLWUS9CTWIX6
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
QA Contact: pmoore → mshal