Please update the existing OpSec Security Audit Trusting Role CloudFormation stacks in each nubis AWS account with this new version: https://s3-us-west-2.amazonaws.com/opsec-cloudformation-templates/opsec-security-audit-trusting-role-cloudformation.json

This will bring the stacks to version 1.1.0 (https://github.com/mozilla/security/tree/aws-security-auditor-v1.1.0), which will expand the permitted roles in the moz-opsec AWS account from the single previously permitted role, arn:aws:iam::656532927350:role/OpSecTrustedAuditor, to all roles in the moz-opsec AWS account. This will enable multiple tools, which require different combinations of local and remote permissions, to audit Mozilla AWS accounts.

In the upcoming 2.0 release the single auditing role will be broken up into multiple, more granular roles, to enable us to better constrain each tool to only the permissions it needs instead of the union of the permissions that all tools need.
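The practical difference between the old and new trusting role is entirely in the role's AssumeRolePolicyDocument. The script below is an added illustration, not the OpSec template or any code from the nubis or mozilla/security repositories: it constructs two trust-policy fragments (a single-role principal, and, as the assumed way of expressing "all roles in the moz-opsec account", the account root principal arn:aws:iam::656532927350:root) and a small evaluator that answers which callers each policy admits. The account ID and the OpSecTrustedAuditor role name are taken from the bug text; the second role name and session names are made up for the demonstration.

```python
"""Added example: how widening a trust policy from one role ARN to an
account-root principal changes who can assume the audit trusting role.
The policy fragments are constructed for illustration; they are not the
actual opsec-security-audit-trusting-role CloudFormation template."""
import re

OPSEC_ACCOUNT = "656532927350"  # moz-opsec account id, from the bug text

# Old shape: exactly one role in moz-opsec may assume the trusting role.
TRUST_SINGLE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OPSEC_ACCOUNT}:role/OpSecTrustedAuditor"},
        "Action": "sts:AssumeRole",
    }],
}

# New shape (assumed): the account root principal. In IAM this delegates to
# every user/role in moz-opsec whose own identity policy grants sts:AssumeRole
# on this role; it does not mean "only the root user".
TRUST_WHOLE_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OPSEC_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
_IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/(.+)$")


def canonical_caller(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN a trust policy
    is matched against. Returns (account_id, iam_arn)."""
    m = _ASSUMED_ROLE.match(arn)
    if m:
        return m.group(1), f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    m = _IAM_ARN.match(arn)
    if m:
        return m.group(1), arn
    raise ValueError(f"unsupported principal ARN: {arn}")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def can_assume(trust_policy, caller_arn):
    """True if caller_arn is admitted by the AssumeRolePolicyDocument.

    Models only Effect / Action / Principal.AWS, which is all this comparison
    needs. Conditions, NotPrincipal and a bare "*" principal are not handled."""
    account, iam_arn = canonical_caller(caller_arn)
    allowed = False
    for stmt in trust_policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        matched = any(
            # account id or account root ARN matches any IAM principal in that account
            p in (account, f"arn:aws:iam::{account}:root") or p == iam_arn
            for p in aws_principals
        )
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny overrides any allow
        allowed = True
    return allowed


def compare(caller_arn):
    """(admitted by old policy, admitted by new policy) for one caller."""
    return (can_assume(TRUST_SINGLE_ROLE, caller_arn),
            can_assume(TRUST_WHOLE_ACCOUNT, caller_arn))


if __name__ == "__main__":
    for caller in [
        f"arn:aws:iam::{OPSEC_ACCOUNT}:role/OpSecTrustedAuditor",
        f"arn:aws:sts::{OPSEC_ACCOUNT}:assumed-role/OpSecTrustedAuditor/audit-run",
        f"arn:aws:iam::{OPSEC_ACCOUNT}:role/SomeOtherAuditTool",  # made-up role
        "arn:aws:iam::123456789012:role/OpSecTrustedAuditor",     # made-up account
    ]:
        print(caller, compare(caller))
```

The point the evaluator makes explicit is that after the change the audited account no longer decides which moz-opsec roles may audit it; that decision moves entirely to IAM policy inside moz-opsec, since a principal there still needs its own identity-policy grant of sts:AssumeRole on the trusting role. A principal from any other account is rejected by both policies.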
:jd writes

4:59 PM <jd> gene: I am looking at this new opsec security audit role template and it looks identical to the one we currently have deployed, can you either tell me what the differences are or file a pull request against the one we are deploying here https://github.com/nubisproject/nubis-stacks/blob/master/vpc/vpc-opsec.template ?

Here's the change in v1.1.0: https://github.com/mozilla/security/commit/74d26811f39294210c51acd842e214031c3fc874
Done: https://github.com/nubisproject/nubis-stacks/pull/197

This will get picked up the next time we roll the VPCs (within a few days, I imagine).
Sweet, thanks. Can you comment/resolve here when it's deployed?
Not sure if this bug should be resolved, as there is now also bug 1232086. In any case, the latest OpSec CF stack has been merged in: https://github.com/nubisproject/nubis-stacks/pull/279
Ah ya, I didn't know that this had been deployed last year. Ya, I'll close this out as resolved.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED