Request for Infra to enable OpSec security auditing IAM Roles

RESOLVED FIXED

Infrastructure & Operations
Infrastructure: Other
3 years ago
2 years ago

(Reporter: gene, Assigned: r2)

(Reporter)

Description

3 years ago
Hi, I'm a Cloud Security Engineer in the Mozilla Operations Security team. The OpSec team is working on an effort to provide teams better reporting of security risks in their AWS accounts. We're also working on enabling better incident response (responding to a security issue). In service of these goals we've crafted an AWS Identity and Access Management Role which Mozilla teams can install into their team's AWS account to grant OpSec the ability to both audit their accounts for security risks and to help in the case of a security incident.

The way it works is that your team would deploy this CloudFormation template 

https://github.com/mozilla/security/blob/master/operations/aws-security-auditor/opsec-security-audit-trusting-role-cloudformation.json

into your AWS accounts : 

598097830519	IT Backups - 1400
647505682097	mozilla-sandbox - 1400
329567179436
248062938574	mozilla-dev

which would create a new IAM Role that "trusts" a different OpSec controlled IAM Role in the mozilla-opsec AWS account. This would grant OpSec the permissions laid out in the trusting role to do things like
* look for IAM roles which grant broader access than they intend
* identify CloudTrail log destinations for auditing
* create a forensics instance in the event that you identify a security breach of some kind

You can see the auditing permissions that would be granted here :

https://github.com/mozilla/security/blob/master/operations/aws-security-auditor/opsec-security-audit-trusting-role-cloudformation.json#L29-L63

and the incident response permissions that would be granted here :

https://github.com/mozilla/security/blob/master/operations/aws-security-auditor/opsec-security-audit-trusting-role-cloudformation.json#L72-L143

If this sounds good, here's how to enable this :

1. Deploy the CloudFormation template
2. Report back with the "OpSecSecurityAuditRoleARN" output generated when the CloudFormation stack is created

The detailed instructions are here :

https://github.com/mozilla/security/tree/master/operations/aws-security-auditor#create-a-trusting-account-using-cloudformation

If you've got any questions about how this works, please feel free to ask.
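The description explains the trust relationship (a role in the team account whose trust policy names an OpSec-controlled role in the mozilla-opsec account) but not how a team could confirm, before deploying, that a template grants only what it claims. What follows is an added example, not Mozilla's template or tooling: a small stdlib-only Python checker that builds a constructed template in the same shape (one `AWS::IAM::Role` whose `AssumeRolePolicyDocument` names the auditor role, an inline audit policy, and an `OpSecSecurityAuditRoleARN` output) and verifies that the trust policy names only the expected principal and, for the read-only variant later chosen for the IT Backups account, that no non-read action is granted. The OpSec role ARN, the account IDs and the action lists are placeholders.

```python
"""Check an OpSec-style cross-account "trusting" IAM role definition.

Added example modelled on the arrangement described in the ticket; the
template built here is constructed, not the real Mozilla template.
"""
import json
import re

# Constructed placeholder for the OpSec-controlled role allowed to assume the
# trusting role. The real principal lives in Mozilla's template.
OPSEC_AUDITOR_ARN = "arn:aws:iam::111111111111:role/opsec-security-auditor"

# Actions treated as read-only for the audit-only variant of the role.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|List|Get|Lookup)\w*$", re.I)


def make_template(read_only):
    """Build a minimal trusting-role CloudFormation template (constructed)."""
    audit = {"Effect": "Allow", "Resource": "*",
             "Action": ["iam:GetRole", "iam:ListRoles", "iam:GetRolePolicy",
                        "cloudtrail:DescribeTrails", "s3:GetBucketPolicy"]}
    statements = [audit]
    if not read_only:
        # Incident-response permissions, e.g. to build a forensics instance.
        statements.append({"Effect": "Allow", "Resource": "*",
                           "Action": ["ec2:RunInstances", "ec2:CreateSnapshot",
                                      "ec2:CreateSecurityGroup"]})
    role = {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": OPSEC_AUDITOR_ARN},
                               "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "OpSecSecurityAudit",
                          "PolicyDocument": {"Version": "2012-10-17",
                                             "Statement": statements}}]}}
    return {"Resources": {"OpSecSecurityAuditRole": role},
            "Outputs": {"OpSecSecurityAuditRoleARN": {
                "Value": {"Fn::GetAtt": ["OpSecSecurityAuditRole", "Arn"]}}}}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_principals(role):
    """Return the set of AWS principals the role's trust policy lets assume it."""
    found = set()
    doc = role["Properties"]["AssumeRolePolicyDocument"]
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        if principal == "*":
            found.add("*")
        else:
            found.update(_as_list(principal.get("AWS", [])))
    return found


def non_read_only_actions(role):
    """List allowed actions in the role's inline policies that are not read-only."""
    bad = []
    for pol in role["Properties"].get("Policies", []):
        for st in _as_list(pol["PolicyDocument"]["Statement"]):
            if st.get("Effect") != "Allow":
                continue
            for action in _as_list(st.get("Action", [])):
                if not READ_ONLY_ACTION.match(action):
                    bad.append(action)
    return bad


def audit_template(template, expected_principals, read_only):
    """Return a list of findings; an empty list means the template matches policy."""
    findings = []
    roles = {n: r for n, r in template.get("Resources", {}).items()
             if r.get("Type") == "AWS::IAM::Role"}
    if len(roles) != 1:
        findings.append("expected exactly one IAM role, found %d" % len(roles))
    for name, role in roles.items():
        principals = trust_principals(role)
        if "*" in principals:
            findings.append("%s trusts any principal" % name)
        for p in sorted(principals - set(expected_principals)):
            findings.append("%s trusts unexpected principal %s" % (name, p))
        if not principals:
            findings.append("%s cannot be assumed by anyone" % name)
        if read_only:
            for action in non_read_only_actions(role):
                findings.append("%s grants non-read-only action %s" % (name, action))
    if "OpSecSecurityAuditRoleARN" not in template.get("Outputs", {}):
        findings.append("missing OpSecSecurityAuditRoleARN output to report back")
    return findings


if __name__ == "__main__":
    for variant in (True, False):
        print(json.dumps(audit_template(make_template(variant), [OPSEC_AUDITOR_ARN], True)))
```

Running the module as a script audits both constructed variants against the read-only expectation: the read-only template produces no findings, while the full template is flagged for each incident-response action, which is the difference comment 5 relies on when it asks for the read-only template on the sequestered account.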

Updated

3 years ago
Assignee: infra → bhourigan
IT Backups - 1400 is the special Bacula/Steelstore account, if I understand correctly - as we do not hold root access to this account (the MFA key is in the safe, and there is no non-root admin account in it that could administer it) you'll want to apply this policy to that account yourself.

What is "329567179436"? Does it host any resources?
Flags: needinfo?(gene)
(Reporter)

Comment 2

3 years ago
Oh, is the "IT Backups - 1400" managed by another company? If not and it's managed by us and the root account has an MFA that's in a safe, we must have created an IAM Role with *:* permissions (or we did it wrong and will need to get the MFA out of the safe).

I imagine :r2 can speak to the account state of IT Backups - 1400

I'm not sure what 329567179436 is, again :r2 is probably the one who knows.
Flags: needinfo?(gene) → needinfo?(riweiss)
Nope, not managed by another company. If I'm wrong and it has nothing to do with Bacula/Steelstore, then I don't recognize it at all :)
(Assignee)

Comment 4

3 years ago
The IT Backups account will be MFA'ed tomorrow.  After that I am going to send it to Joe for safe storage.

There is currently only a single IAM user in the account. That is for the Steelstore appliance.  It has a key pair and has permission to access the S3 bucket where it stores backups and can only do what it needs to do.  The S3 bucket is the only resource I have created in that account.

I can run the CF template if you still think it is necessary.
Flags: needinfo?(riweiss)
(Reporter)

Comment 5

3 years ago
Richard, as this IT Backups account will be a sequestered account with the only entity able to make account changes being the root account with an MFA in a safe, let's use a read-only version of the security audit role. This will enable opsec to do security audits, but not incident response. The benefit is that opsec will also not be able to make any changes to the account.

Go ahead and follow the instructions in this ticket but use this CloudFormation template

https://s3-us-west-2.amazonaws.com/opsec-cloudformation-templates/opsec-security-audit-read-only-trusting-role-cloudformation.json

instead of the one identified in the instructions

Once you've got it loaded, paste the output ARN in here

For the other (not IT Backups) accounts, just run the instructions normally and share the ARNs.
Flags: needinfo?(riweiss)
(Assignee)

Comment 6

3 years ago
Done for the IT Backups account:
arn:aws:iam::598097830519:role/opsec-security-audit-role-OpSecSecurityAuditReadOn-SZ1VA3EHTMWO
Flags: needinfo?(riweiss)
(Reporter)

Comment 7

3 years ago
Thanks Richard.

So only 3 accounts remain to be done :

647505682097	mozilla-sandbox - 1400
329567179436
248062938574	mozilla-dev

:digi, can you load the template into these ones?
Flags: needinfo?(bhourigan)
(Assignee)

Comment 8

3 years ago
Done for the IT Backups account:
arn:aws:iam::598097830519:role/opsec-security-audit-role-OpSecSecurityAuditReadOn-SZ1VA3EHTMWO

Done for the Sandbox account:
arn:aws:iam::647505682097:role/opsec-security-audit-role-OpSecSecurityAuditRole-180TJ0G8SNEVA

Done for the Dev account:
arn:aws:iam::248062938574:role/opsec-security-audit-role-OpSecSecurityAuditRole-1XCTO3XA5XJC8
(In reply to Richard Weiss [:r2] from comment #8)
> Done for the IT Backups account:
> Done for the Sandbox account:
> Done for the Dev account:

Thanks. :)

> 329567179436

I'm not sure what that account is, would it be possible to get a label or more information about it?
Flags: needinfo?(bhourigan)
(Assignee)

Comment 10

3 years ago
329567179436 is the Consolidated Billing account.  I will add that to our project documentation if it's not already there.

Done for Consolidated Billing account:
arn:aws:iam::329567179436:role/opsec-security-audit-role-OpSecSecurityAuditRole-4GG28ZP2PKH1
(Reporter)

Comment 11

3 years ago
Excellent! Thank you Richard!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED

Updated

3 years ago
Assignee: bhourigan → riweiss
(Reporter)

Comment 12

3 years ago
:r2 is it possible the mozilla-dev (248062938574) cloudformation template was deleted? I'm unable to assume the role 

arn:aws:iam::248062938574:role/opsec-security-audit-role-OpSecSecurityAuditRole-1XCTO3XA5XJC8
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 13

3 years ago
We lost our ability to use the role on March 27th
(Assignee)

Comment 14

3 years ago
:gene Someone deleted the role on 3-26 at 07:13:14 UTC-0700. Without CloudTrail I am unable to determine who did it or why.

I have recreated the stack.  The new arn for the role is:
arn:aws:iam::248062938574:role/opsec-security-audit-role-OpSecSecurityAuditRole-IM6L0FYTKU80
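Comment 14 shows the gap that the audit role's "identify CloudTrail log destinations" permission is meant to close: with a trail in place, the deletion of a CloudFormation-managed role leaves a `DeleteStack` event from the person who removed the stack and a `DeleteRole` event that CloudTrail marks as invoked by CloudFormation. The following is an added example, not Mozilla's tooling: a stdlib-only Python snippet that splits a CloudFormation-generated role name into its stack name and random suffix (the naming the ARNs in this ticket follow, including the later `us-west-2-vpc-VPCOpsecStack-...` roles), then walks constructed CloudTrail records to attribute a role or stack deletion and render the event time in the UTC-0700 offset used in the comment. The account ID, user name, IP address and timestamps in the sample records are constructed.

```python
"""Attribute the deletion of a CloudFormation-managed IAM role from CloudTrail.

Added example; the CloudTrail records below are constructed, with field
names following the CloudTrail record format.
"""
from datetime import datetime, timedelta, timezone

# Logical id of the role resource in the OpSec trusting-role templates.
LOGICAL_ID_PREFIX = "OpSecSecurityAudit"


def split_cfn_role_name(role_name, logical_id_prefix=LOGICAL_ID_PREFIX):
    """Split <StackName>-<LogicalId>-<random> into (stack name, random suffix).

    CloudFormation truncates the logical id when the name would be too long,
    which is why one role in the ticket is named ...OpSecSecurityAuditReadOn-...
    """
    marker = role_name.find("-" + logical_id_prefix)
    if marker < 0:
        raise ValueError("not a %s role name: %s" % (logical_id_prefix, role_name))
    return role_name[:marker], role_name.rsplit("-", 1)[1]


def role_name_from_arn(role_arn):
    """arn:aws:iam::<account>:role/<name> -> <name>"""
    return role_arn.split("/", 1)[1]


def to_local(event_time, utc_offset_hours):
    """Render a CloudTrail eventTime (UTC, ISO 8601) in a fixed UTC offset."""
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    local = t.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.strftime("%Y-%m-%d %H:%M:%S UTC%z")


def deletion_events(records, role_arn):
    """Return DeleteRole / DeleteStack events that removed the role, oldest first."""
    role_name = role_name_from_arn(role_arn)
    stack_name, _ = split_cfn_role_name(role_name)
    hits = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        if rec.get("eventName") == "DeleteRole" and params.get("roleName") == role_name:
            kind = "role deleted"
        elif rec.get("eventName") == "DeleteStack" and params.get("stackName") == stack_name:
            kind = "stack deleted"
        else:
            continue
        ident = rec.get("userIdentity", {})
        hits.append({"time": rec["eventTime"], "kind": kind,
                     "actor": ident.get("arn", ident.get("type")),
                     # CloudTrail sets invokedBy when an AWS service made the call.
                     "via": ident.get("invokedBy", "direct"),
                     "source_ip": rec.get("sourceIPAddress")})
    return sorted(hits, key=lambda h: h["time"])


# Constructed sample: an operator deletes the stack, CloudFormation then
# deletes the role on their behalf; one unrelated read-only call is mixed in.
ROLE_ARN = "arn:aws:iam::000000000000:role/opsec-security-audit-role-OpSecSecurityAuditRole-EXAMPLE1"
ACTOR = {"type": "IAMUser", "userName": "example-admin",
         "arn": "arn:aws:iam::000000000000:user/example-admin"}
SAMPLE_RECORDS = [
    {"eventTime": "2016-03-26T14:12:50Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks", "userIdentity": ACTOR, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2016-03-26T14:13:05Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DeleteStack", "userIdentity": ACTOR, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"stackName": "opsec-security-audit-role"}},
    {"eventTime": "2016-03-26T14:13:14Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": dict(ACTOR, invokedBy="cloudformation.amazonaws.com"),
     "requestParameters": {"roleName": role_name_from_arn(ROLE_ARN)}},
]


if __name__ == "__main__":
    for ev in deletion_events(SAMPLE_RECORDS, ROLE_ARN):
        print(to_local(ev["time"], -7), ev["kind"], "by", ev["actor"], "via", ev["via"])
```

The stack-name split is what lets the two events be tied together: the `DeleteRole` record names only the physical role, while the operator's action is recorded against the stack. In practice `records` would be the parsed contents of the trail's S3 objects for the window in question.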
(Reporter)

Comment 15

3 years ago
Thanks :r2, fixed.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago → 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 16

3 years ago
:r2 any possibility the cloudformation stack that defines the opsec security audit role in the sandbox account was deleted?

arn:aws:iam::647505682097:role/opsec-security-audit-role-OpSecSecurityAuditRole-180TJ0G8SNEVA
Status: RESOLVED → REOPENED
Flags: needinfo?(riweiss)
Resolution: FIXED → ---
(Assignee)

Comment 17

3 years ago
I suspect that the stack was redeployed and a new role was created.  Here is the new arn:
arn:aws:iam::647505682097:role/us-west-2-vpc-VPCOpsecStack-OpSecSecurityAuditRole-16QW1CJWXETEN
Flags: needinfo?(riweiss)
(Reporter)

Comment 18

3 years ago
Got it, thanks for the new ARN.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago → 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 19

3 years ago
Looks like more than just that one were removed or changed. Can you get me new ones for 

arn:aws:iam::177680776199:role/opsec-security-audit-role-OpSecSecurityAuditRole-TUW9LMVEM23Y
Status: RESOLVED → REOPENED
Flags: needinfo?(riweiss)
Resolution: FIXED → ---
(Reporter)

Comment 20

3 years ago
Also, this account, the IT Prod account, isn't part of this original ticket (it was handled over email). I'm happy to open a different ticket if that makes most sense.
(Assignee)

Comment 21

3 years ago
This is the arn for the security audit role in what used to be the Prod account.  The account number has not changed, but the account is now called Nubis Lab.

arn:aws:iam::177680776199:role/us-west-2-vpc-VPCOpsecStack-OpSecSecurityAuditRole-14MIT8BIHE6H0
Flags: needinfo?(riweiss)
(Reporter)

Updated

3 years ago
See Also: → bug 1232086
(Assignee)

Comment 22

2 years ago
I'm not sure if this is completed. Can you let me know if I or the Nubis platform team need to do any additional work?
Flags: needinfo?(gene)
(Reporter)

Comment 23

2 years ago
Ya, let's close this out as this ticket is about installing the V1 version of our security audit roles. We've moved on to V2 and those installations are being tracked in other tickets.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago → 2 years ago
Flags: needinfo?(gene)
Resolution: --- → FIXED