Closed
Bug 1216784
Opened 9 years ago
Closed 8 years ago
Update opsec security auditor CloudFormation stack in nubis accounts
Categories
(Infrastructure & Operations :: SRE, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gene, Assigned: gozer)
Please Update Stack the existing OpSec Security Audit Trusting Role CloudFormation stacks in each nubis AWS account with this new version:
https://s3-us-west-2.amazonaws.com/opsec-cloudformation-templates/opsec-security-audit-trusting-role-cloudformation.json
This will bring the stacks to version 1.1.0 (https://github.com/mozilla/security/tree/aws-security-auditor-v1.1.0), which will expand the permitted roles in the moz-opsec AWS account from the single previously permitted role of arn:aws:iam::656532927350:role/OpSecTrustedAuditor to all roles in the moz-opsec AWS account.
This will enable multiple tools which require different combinations of local and remote permissions to audit Mozilla AWS accounts.
In the upcoming 2.0 release, the single auditing role will be broken up into multiple, more granular roles to enable us to better constrain each tool to only have the permissions it needs instead of the union of permissions that all tools need.
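The widening described above (one trusted role versus every role in the trusted account) can be checked mechanically before a stack update. The sketch below is an added example, not the OpSec or nubis template code; the resource names are hypothetical, the embedded template is constructed, and it assumes "all roles in the account" is expressed with the account's `:root` principal.

```python
import json
import re

# Constructed sample (not the real OpSec template): one role trusting a single
# role, one trusting every principal in the account via the ":root" ARN.
SAMPLE = json.loads("""
{"Resources": {
  "AuditRoleNarrow": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
      "Principal": {"AWS": "arn:aws:iam::656532927350:role/OpSecTrustedAuditor"}}]}}},
  "AuditRoleWide": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
      "Principal": {"AWS": "arn:aws:iam::656532927350:root"}}]}}}
}}""")

ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):(root|(?:role|user)/.+)")

def as_list(value):
    return value if isinstance(value, list) else [value]

def classify_principal(p):
    """Return (account_id, scope) for one AWS principal value."""
    if not isinstance(p, str):          # e.g. an unresolved Fn::Join
        return (None, "unrecognized")
    if p == "*":
        return (None, "anyone")
    if re.fullmatch(r"\d{12}", p):      # bare account ID means the whole account
        return (p, "whole-account")
    m = ARN_RE.fullmatch(p)
    if not m:
        return (None, "unrecognized")
    return (m.group(1), "whole-account" if m.group(2) == "root" else "single-identity")

def audit_trust(template, expected_account):
    """List (resource, principal, scope, in_expected_account) per trusted principal."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {})
            aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
            for p in aws:
                acct, scope = classify_principal(p)
                findings.append((name, p, scope, acct == expected_account))
    return findings
```

A `whole-account` finding means access is bounded only by which identities in the trusted account hold `sts:AssumeRole` permission, so that account's IAM policies become part of the review.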
Comment 1 • 9 years ago (Reporter)
:jd writes:
4:59 PM <jd> gene: I am looking at this new opsec security audit role template and it looks identical to the one we currently have deployed, can you either tell me what the differences are or file a pull request against the one we are deploying here https://github.com/nubisproject/nubis-stacks/blob/master/vpc/vpc-opsec.template ?
Here's the change in v1.1.0: https://github.com/mozilla/security/commit/74d26811f39294210c51acd842e214031c3fc874
Comment 2 • 9 years ago
Done: https://github.com/nubisproject/nubis-stacks/pull/197
This will get picked up the next time we roll the VPCs (within a few days I imagine).
Comment 3 • 9 years ago (Reporter)
Sweet, thanks. Can you comment/resolve here when it's deployed?
Comment 4 • 9 years ago
You bet
Comment 5 • 8 years ago (Assignee)
Not sure if this bug should be resolved, as there is now also bug 1232086.
In any case, latest OpSec CF stack has been merged in: https://github.com/nubisproject/nubis-stacks/pull/279
Comment 6 • 8 years ago (Reporter)
Ah ya, I didn't know that this had been deployed last year. Ya, I'll close this out as resolved.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED