Closed Bug 1216784 Opened 9 years ago Closed 8 years ago

Update opsec security auditor CloudFormation stack in nubis accounts

Categories: (Infrastructure & Operations :: SRE, task)


RESOLVED FIXED

People: Reporter: gene, Assigned: gozer

Details

Please run Update Stack on the existing OpSec Security Audit Trusting Role CloudFormation stacks in each nubis AWS account with this new version:

https://s3-us-west-2.amazonaws.com/opsec-cloudformation-templates/opsec-security-audit-trusting-role-cloudformation.json

This will bring the stacks to version 1.1.0

https://github.com/mozilla/security/tree/aws-security-auditor-v1.1.0

which will expand the permitted roles in the moz-opsec AWS account from the single previously permitted role of

arn:aws:iam::656532927350:role/OpSecTrustedAuditor

to all roles in the moz-opsec AWS account

This will enable multiple tools which require different combinations of local and remote permissions to audit Mozilla AWS accounts.

In the upcoming 2.0 release the single auditing role will be broken up into multiple, more granular roles, to let us constrain each tool to only the permissions it needs instead of the union of the permissions that all tools need.
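The practical question behind this bug (and the one jd raises below, "what are the differences") is which principals a given template version trusts. The following is an added example, not code from the bug, from mozilla/security or from nubis-stacks: it builds two minimal CloudFormation templates that reconstruct the kind of change described here (one named role in moz-opsec, then the whole moz-opsec account via its root principal), extracts the trust policy of each AWS::IAM::Role, diffs the trusted principals, and evaluates who may call sts:AssumeRole under each. The templates, the logical id `SecurityAuditRole` and the role names other than `OpSecTrustedAuditor` are assumptions; only the account id and that one role ARN come from the bug.

```python
"""Added example, not code from the bug or from nubis-stacks: diff the trusted
principals of two CloudFormation template versions and evaluate sts:AssumeRole.

The two templates built below are illustrative reconstructions of the change
the bug describes (one named role -> every principal in the account); they are
assumptions, not the contents of the real opsec-security-audit-trusting-role
template.
"""
import json

OPSEC_ACCOUNT = "656532927350"  # moz-opsec account id quoted in the bug


def cfn_template(principal):
    """Minimal template with one IAM role whose trust policy names `principal`.
    The logical id SecurityAuditRole is an assumption."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "SecurityAuditRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"AWS": principal},
                            "Action": "sts:AssumeRole",
                        }],
                    },
                },
            }
        },
    }


# v1.0.0 style: exactly one role in moz-opsec is trusted.
TEMPLATE_V1_0 = cfn_template(f"arn:aws:iam::{OPSEC_ACCOUNT}:role/OpSecTrustedAuditor")
# v1.1.0 style: the account root principal, i.e. every IAM principal in moz-opsec
# whose own identity policy permits sts:AssumeRole on this role.
TEMPLATE_V1_1 = cfn_template(f"arn:aws:iam::{OPSEC_ACCOUNT}:root")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_statements(template):
    """Yield (logical_id, statement) for each AWS::IAM::Role trust policy statement."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        doc = resource["Properties"]["AssumeRolePolicyDocument"]
        for stmt in _as_list(doc["Statement"]):
            yield logical_id, stmt


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def trusted_principals(template):
    """Set of (logical_id, principal) pairs allowed to call sts:AssumeRole."""
    found = set()
    for logical_id, stmt in trust_statements(template):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for principal in _aws_principals(stmt):
            found.add((logical_id, principal))
    return found


def diff_trust(old, new):
    """Trusted principals added and removed between two template versions."""
    before, after = trusted_principals(old), trusted_principals(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def principal_covers(policy_principal, caller_arn):
    """True if one 'AWS' principal entry covers caller_arn.
    The account root principal (or a bare account id) covers every IAM principal
    in that account; a specific role ARN covers only that role."""
    if policy_principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    if policy_principal == caller_account:
        return True
    if policy_principal.endswith(":root"):
        return policy_principal.split(":")[4] == caller_account
    return policy_principal == caller_arn


def can_assume(template, logical_id, caller_arn, caller_identity_allows):
    """Cross-account evaluation: an explicit Deny in the trust policy wins;
    otherwise the trust policy must Allow the caller AND the caller's own
    identity policy in the trusted account must allow sts:AssumeRole.
    caller_arn is the role ARN (STS matches assumed-role sessions to it)."""
    allowed = False
    for lid, stmt in trust_statements(template):
        if lid != logical_id or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if any(principal_covers(p, caller_arn) for p in _aws_principals(stmt)):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed and caller_identity_allows


if __name__ == "__main__":
    print(json.dumps(diff_trust(TEMPLATE_V1_0, TEMPLATE_V1_1), indent=2))
```

The point the diff makes visible: after the change, the nubis account no longer enumerates which auditing principals it accepts. Any role in moz-opsec whose identity policy grants sts:AssumeRole on the audit role can use it, so the list of tools that may audit a nubis account is now maintained entirely on the moz-opsec side, which is what the per-tool roles planned for 2.0 would re-constrain.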
:jd writes

4:59 PM <jd> gene: I am looking at this new opsec security audit role template and it looks identical to the one we currently have deployed, can you either tell me what the differences are or file a pull request against the one we are deploying here https://github.com/nubisproject/nubis-stacks/blob/master/vpc/vpc-opsec.template ?

Here's the change in v1.1.0

https://github.com/mozilla/security/commit/74d26811f39294210c51acd842e214031c3fc874
Done

https://github.com/nubisproject/nubis-stacks/pull/197

This will get picked up the next time we roll the VPCs (within a few days I imagine)
Sweet, thanks. Can you comment/resolve here when it's deployed?
You bet
Blocks: 1217976
Depends on: 1232086
Not sure if this bug should be resolved, as there is now also bug 1232086

In any case, latest OpSec CF stack has been merged in:
https://github.com/nubisproject/nubis-stacks/pull/279
Ah ya, I didn't know that this had been deployed last year. Ya, I'll close this out as resolved.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED