Update opsec security auditor CloudFormation stack in nubis accounts

Status: RESOLVED FIXED
Infrastructure & Operations
Infrastructure: AWS
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: gene, Assigned: gozer)

(Reporter)

Description

2 years ago
Please run Update Stack on the existing OpSec Security Audit Trusting Role CloudFormation stacks in each nubis AWS account with this new version:

https://s3-us-west-2.amazonaws.com/opsec-cloudformation-templates/opsec-security-audit-trusting-role-cloudformation.json

This will bring the stacks to version 1.1.0

https://github.com/mozilla/security/tree/aws-security-auditor-v1.1.0

This will expand the permitted roles in the moz-opsec AWS account from the single previously permitted role of

arn:aws:iam::656532927350:role/OpSecTrustedAuditor

to all roles in the moz-opsec AWS account

This will enable multiple tools which require different combinations of local and remote permissions to audit Mozilla AWS accounts.

In the upcoming 2.0 release the single auditing role will be broken up into multiple, more granular roles, to enable us to better constrain each tool to only the permissions it needs instead of the union of the permissions that all tools need.
(Reporter)

Comment 1

2 years ago
:jd writes

4:59 PM <jd> gene: I am looking at this new opsec security audit role template and it looks identical to the one we currently have deployed. Can you either tell me what the differences are or file a pull request against the one we are deploying here: https://github.com/nubisproject/nubis-stacks/blob/master/vpc/vpc-opsec.template ?

Here's the change in v1.1.0

https://github.com/mozilla/security/commit/74d26811f39294210c51acd842e214031c3fc874

Comment 2

2 years ago
Done

https://github.com/nubisproject/nubis-stacks/pull/197

This will get picked up the next time we roll the VPCs (within a few days I imagine)
(Reporter)

Comment 3

2 years ago
Sweet, thanks. Can you comment/resolve here when it's deployed?

Comment 4

2 years ago
You bet
(Reporter)

Updated

2 years ago
Blocks: 1217976
(Assignee)

Updated

2 years ago
Depends on: 1232086
(Assignee)

Comment 5

2 years ago
Not sure if this bug should be resolved, as there is now also bug 1232086

In any case, latest OpSec CF stack has been merged in:
https://github.com/nubisproject/nubis-stacks/pull/279
(Reporter)

Comment 6

2 years ago
Ah ya, I didn't know that this had been deployed last year. Ya, I'll close this out as resolved.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED