Closed Bug 1141828 Opened 10 years ago Closed 8 years ago

Request for Infra to enable OpSec security auditing IAM Roles

Categories

(Infrastructure & Operations :: Infrastructure: Other, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gene, Assigned: riweiss)

References

Details

Hi, I'm a Cloud Security Engineer in the Mozilla Operations Security team. The OpSec team is working on an effort to provide teams better reporting of security risks in their AWS accounts. We're also working on enabling better incident response (responding to a security issue). In service of these goals we've crafted an AWS Identity and Access Management Role which Mozilla teams can install into their team's AWS account to grant OpSec the ability to both audit their accounts for security risks and to help in the case of a security incident.

The way it works is that your team would deploy this CloudFormation template https://github.com/mozilla/security/blob/master/operations/aws-security-auditor/opsec-security-audit-trusting-role-cloudformation.json into your AWS accounts:

598097830519 IT Backups - 1400
647505682097 mozilla-sandbox - 1400
329567179436
248062938574 mozilla-dev

which would create a new IAM Role that "trusts" a different OpSec controlled IAM Role in the mozilla-opsec AWS account. This would grant OpSec the permissions laid out in the trusting role to do things like

* look for IAM roles which grant broader access than they intend
* identify CloudTrail log destinations for auditing
* create a forensics instance in the event that you identify a security breach of some kind

You can see the auditing permissions that would be granted here: https://github.com/mozilla/security/blob/master/operations/aws-security-auditor/opsec-security-audit-trusting-role-cloudformation.json#L29-L63 and the incident response permissions that would be granted here: https://github.com/mozilla/security/blob/master/operations/aws-security-auditor/opsec-security-audit-trusting-role-cloudformation.json#L72-L143

If this sounds good, here's how to enable this:

1. Deploy the CloudFormation template
2. Report back with the "OpSecSecurityAuditRoleARN" output generated when the CloudFormation stack is created

The detailed instructions are here: https://github.com/mozilla/security/tree/master/operations/aws-security-auditor#create-a-trusting-account-using-cloudformation

If you've got any questions about how this works, please feel free to ask.
Assignee: infra → bhourigan
IT Backups - 1400 is the special Bacula/Steelstore account, if I understand correctly - as we do not hold root access to this account (the MFA key is in the safe, and there is no non-root admin account in it that could administer it) you'll want to apply this policy to that account yourself. What is "329567179436"? Does it host any resources?
Flags: needinfo?(gene)
Oh, is the "IT Backups - 1400" managed by another company? If not and it's managed by us and the root account has an MFA that's in a safe, we must have created an IAM Role with *:* permissions (or we did it wrong and will need to get the MFA out of the safe). I imagine :r2 can speak to the account state of IT Backups - 1400. I'm not sure what 329567179436 is; again, :r2 is probably the one who knows.
Flags: needinfo?(gene) → needinfo?(riweiss)
Nope, not managed by another company. If I'm wrong and it has nothing to do with Bacula/Steelstore, then I don't recognize it at all :)
The IT Backups account will be MFA'ed tomorrow. After that I am going to send it to Joe for safe storage. There is currently only a single IAM user in the account. That is for the Steelstore appliance. It has a key pair and has permission to access the S3 bucket where it stores backups and can only do what it needs to do. The S3 bucket is the only resource I have created in that account. I could run the CF template if you still think it is necessary.
Flags: needinfo?(riweiss)
Richard, as this IT Backups account will be a sequestered account with the only entity able to make account changes being the root account with an MFA in a safe, let's use a read-only version of the security audit role. This will enable opsec to do security audits, but not incident response. The benefit is that opsec will also not be able to make any changes to the account.

Go ahead and follow the instructions in this ticket but use this CloudFormation template https://s3-us-west-2.amazonaws.com/opsec-cloudformation-templates/opsec-security-audit-read-only-trusting-role-cloudformation.json instead of the one identified in the instructions. Once you've got it loaded, paste the output ARN in here.

For the other (not IT Backups) accounts, just run the instructions normally and share the ARNs.
Flags: needinfo?(riweiss)
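The comments above describe a trusting role whose trust policy names a single OpSec-controlled auditor role, and a read-only variant whose permissions policy cannot change the account. As an added example that is not code from the ticket, the Mozilla security repository or the linked CloudFormation templates, the following Python checks both properties offline on constructed policy documents; the auditor role ARN, account IDs and action lists are placeholders, not the real templates' contents.

```python
"""Offline checks on a cross-account security-audit role's policies.

Added example; this is not code from the Mozilla security repository and
not the CloudFormation template the ticket links to. The policy documents
below are constructed to have the shape the ticket describes: a trusting
role in a team account whose trust policy names one auditor role in a
separate OpSec account, with either a read-only or an incident-response
permissions policy attached. Account IDs and role names are placeholders.
"""
import json

# Placeholder auditor role ARN (the principal the trusting role should trust).
EXPECTED_AUDITOR_ARN = "arn:aws:iam::111111111111:role/opsec-security-auditor"

# API-name prefixes that only read state. Anything else is treated as mutating.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "LookupEvents", "Generate", "Simulate")


def _as_list(value):
    """IAM lets Statement/Action/Principal values be a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_problems(trust_policy, expected_principal):
    """Return problems with a role's AssumeRolePolicyDocument.

    The trusting role should let exactly one known auditor principal call
    sts:AssumeRole. A wildcard principal, or an account root principal
    ("arn:aws:iam::<id>:root"), lets anyone in that account assume the role,
    which is broader than a single-role trust intends.
    """
    problems = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            problems.append("wildcard principal may assume the role")
            continue
        arns = _as_list(principal.get("AWS"))
        if "*" in arns:
            problems.append("wildcard principal may assume the role")
            continue
        for arn in arns:
            if arn.endswith(":root"):
                problems.append(f"whole account trusted: {arn}")
            elif arn != expected_principal:
                problems.append(f"unexpected principal: {arn}")
    return problems


def mutating_actions(policy):
    """Return the allowed actions in a permissions policy that can change state.

    A read-only audit role should yield an empty list; the incident-response
    variant is expected to yield the EC2/forensics actions it deliberately adds.
    """
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if service == "*" or name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return found


def audit_report(trust_policy, permissions_policy):
    """Summarise both checks, as an auditor would record them per account."""
    return {
        "trust_problems": trust_policy_problems(trust_policy, EXPECTED_AUDITOR_ARN),
        "mutating_actions": mutating_actions(permissions_policy),
    }


# --- Constructed sample documents (illustrative, not the real templates) ---
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": EXPECTED_AUDITOR_ARN}}]}

# Trusts the entire OpSec account instead of one role: too broad.
BROAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}

READ_ONLY_AUDIT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:Get*", "iam:List*", "iam:GenerateCredentialReport",
                "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "ec2:Describe*"]}]}

# Same, plus the changes an incident responder needs for a forensics instance.
INCIDENT_RESPONSE_POLICY = {"Version": "2012-10-17", "Statement":
    READ_ONLY_AUDIT_POLICY["Statement"] + [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:CreateSnapshot", "ec2:CreateSecurityGroup"]}]}

if __name__ == "__main__":
    print(json.dumps(audit_report(GOOD_TRUST, READ_ONLY_AUDIT_POLICY), indent=2))
    print(json.dumps(audit_report(BROAD_TRUST, INCIDENT_RESPONSE_POLICY), indent=2))
```

Feed it the real documents pulled from the account (the JSON returned by `aws iam get-role` and `aws iam get-role-policy`) rather than the constructed samples. The prefix list is deliberately narrow, so its error is in the safe direction: an action it flags may turn out to be read-only on inspection, but nothing it passes can change state.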
Done for the IT Backups account: arn:aws:iam::598097830519:role/opsec-security-audit-role-OpSecSecurityAuditReadOn-SZ1VA3EHTMWO
Flags: needinfo?(riweiss)
Thanks Richard. So only 3 accounts remain to be done:

647505682097 mozilla-sandbox - 1400
329567179436
248062938574 mozilla-dev

:digi, can you load the template into these ones?
Flags: needinfo?(bhourigan)
Done for the IT Backups account: arn:aws:iam::598097830519:role/opsec-security-audit-role-OpSecSecurityAuditReadOn-SZ1VA3EHTMWO
Done for the Sandbox account: arn:aws:iam::647505682097:role/opsec-security-audit-role-OpSecSecurityAuditRole-180TJ0G8SNEVA
Done for the Dev account: arn:aws:iam::248062938574:role/opsec-security-audit-role-OpSecSecurityAuditRole-1XCTO3XA5XJC8
(In reply to Richard Weiss [:r2] from comment #8)
> Done for the IT Backups account:
> Done for the Sandbox account:
> Done for the Dev account:

Thanks. :)

> 329567179436

I'm not sure what that account is, would it be possible to get a label or more information about it?
Flags: needinfo?(bhourigan)
329567179436 is the Consolidated Billing account. I will add that to our project documentation if it's not already there.

Done for Consolidated Billing account: arn:aws:iam::329567179436:role/opsec-security-audit-role-OpSecSecurityAuditRole-4GG28ZP2PKH1
Excellent! Thank you Richard!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Assignee: bhourigan → riweiss
:r2 is it possible the mozilla-dev (248062938574) cloudformation template was deleted? I'm unable to assume the role arn:aws:iam::248062938574:role/opsec-security-audit-role-OpSecSecurityAuditRole-1XCTO3XA5XJC8
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We lost our ability to use the role on March 27th
:gene Someone deleted the role on 3-26 at 07:13:14 UTC-0700. Without Cloudtrail I am unable to determine who did it or why. I have recreated the stack. The new arn for the role is: arn:aws:iam::248062938574:role/opsec-security-audit-role-OpSecSecurityAuditRole-IM6L0FYTKU80
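The comment above could not attribute the deletion because no CloudTrail was delivering events. As an added example that is not part of the ticket or of any Mozilla tooling, here is the search that would have answered the question had a trail been on: it walks constructed CloudTrail-style records (placeholder user ARNs and IP addresses; the role name, account ID and deletion time are the ones quoted in the ticket, and the stack name is an inference from CloudFormation's naming pattern, not something the ticket states) and pulls out the events that removed the role, distinguishing a stack teardown from a hand-deleted role.

```python
"""Attribute an IAM role deletion from CloudTrail records.

Added example; not part of the ticket or of any Mozilla tooling. The records
below are constructed to mimic CloudTrail event fields: the user ARNs, IP
addresses and minor timestamps are placeholders, while the role name,
account ID and deletion time are the ones quoted in the ticket. The search
only works if a trail was delivering events at the time, which is exactly
what the ticket says was not the case.
"""

ROLE_NAME = "opsec-security-audit-role-OpSecSecurityAuditRole-1XCTO3XA5XJC8"
# Assumption: CloudFormation names roles <stack>-<logical id>-<random>, so the
# owning stack is probably "opsec-security-audit-role". Not confirmed by the ticket.
STACK_NAME = "opsec-security-audit-role"

# Constructed sample: the "Records" array of a CloudTrail log file, trimmed
# to the fields used below.
SAMPLE_RECORDS = [
    {"eventTime": "2015-03-26T14:10:02Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::248062938574:user/example-admin"},
     "requestParameters": {"stackName": STACK_NAME}},
    {"eventTime": "2015-03-26T14:12:58Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DeleteStack", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::248062938574:user/example-admin"},
     "requestParameters": {"stackName": STACK_NAME}},
    # CloudFormation deleting the role on the caller's behalf: same user ARN,
    # but invokedBy is set and the source address is the service principal.
    {"eventTime": "2015-03-26T14:13:14Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::248062938574:user/example-admin",
                      "invokedBy": "cloudformation.amazonaws.com"},
     "requestParameters": {"roleName": ROLE_NAME}},
    # Unrelated deletion by a role session, to show issuer attribution.
    {"eventTime": "2015-03-26T15:01:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::248062938574:assumed-role/deployer/ci",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::248062938574:role/deployer"}}},
     "requestParameters": {"roleName": "unrelated-role"}},
]


def _actor(record):
    """Attribute a call to the issuing role for a role session, else to the caller's ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "<unknown>")


def deletion_timeline(records, role_name, stack_name=None):
    """Return, oldest first, the events that removed role_name.

    Matches direct iam:DeleteRole calls on the role and, if stack_name is
    given, cloudformation:DeleteStack on the owning stack. A DeleteRole that
    CloudFormation made on the caller's behalf carries userIdentity.invokedBy,
    which is how a stack teardown is told apart from a hand-deleted role.
    """
    hits = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        src, name = rec.get("eventSource"), rec.get("eventName")
        is_role_delete = (src == "iam.amazonaws.com" and name == "DeleteRole"
                          and params.get("roleName") == role_name)
        is_stack_delete = (bool(stack_name) and src == "cloudformation.amazonaws.com"
                           and name == "DeleteStack" and params.get("stackName") == stack_name)
        if not (is_role_delete or is_stack_delete):
            continue
        hits.append({
            "eventTime": rec["eventTime"],
            "eventName": name,
            "actor": _actor(rec),
            "invokedBy": rec.get("userIdentity", {}).get("invokedBy"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
        })
    return sorted(hits, key=lambda h: h["eventTime"])


if __name__ == "__main__":
    for event in deletion_timeline(SAMPLE_RECORDS, ROLE_NAME, STACK_NAME):
        print(event["eventTime"], event["eventName"], "by", event["actor"],
              "via", event["invokedBy"] or "direct API call")
```

On a real trail the records come from the gzipped JSON objects in the trail's S3 bucket (or from the 90-day event history via `aws cloudtrail lookup-events`), and the same walk applies; the point of the `invokedBy` field is that a stack deletion and a manual `iam:DeleteRole` look identical if you only compare the user ARN.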
Thanks :r2, fixed.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → FIXED
:r2 any possibility the cloudformation stack that defines the opsec security audit role in the sandbox account was deleted? arn:aws:iam::647505682097:role/opsec-security-audit-role-OpSecSecurityAuditRole-180TJ0G8SNEVA
Status: RESOLVED → REOPENED
Flags: needinfo?(riweiss)
Resolution: FIXED → ---
I suspect that the stack was redeployed and a new role was created. Here is the new arn: arn:aws:iam::647505682097:role/us-west-2-vpc-VPCOpsecStack-OpSecSecurityAuditRole-16QW1CJWXETEN
Flags: needinfo?(riweiss)
Got it, thanks for the new ARN.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Looks like more than just that one were removed or changed. Can you get me new ones for arn:aws:iam::177680776199:role/opsec-security-audit-role-OpSecSecurityAuditRole-TUW9LMVEM23Y
Status: RESOLVED → REOPENED
Flags: needinfo?(riweiss)
Resolution: FIXED → ---
Also, this account, the IT Prod account, isn't part of this original ticket (it was handled over email). I'm happy to open a different ticket if that makes most sense.
This is the arn for the security audit role in what used to be the Prod account. The account number has not changed, but the name is now called Nubis Lab. arn:aws:iam::177680776199:role/us-west-2-vpc-VPCOpsecStack-OpSecSecurityAuditRole-14MIT8BIHE6H0
Flags: needinfo?(riweiss)
See Also: → 1232086
I'm not sure if this is completed. Can you let me know if I or the Nubis platform team need to do any additional work?
Flags: needinfo?(gene)
Ya, let's close this out as this ticket is about installing the V1 version of our security audit roles. We've moved on to V2 and those installations are being tracked in other tickets.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 8 years ago
Flags: needinfo?(gene)
Resolution: --- → FIXED