Update mozdef cloudtrail2mozdef cron job to query accounts for CloudTrail configurations

Status: RESOLVED FIXED
Product: Enterprise Information Security
Component: General
Reported: 2 years ago
Last modified: a year ago
Reporter: gene
Assignee: gene
Description (reporter, 2 years ago)

Once Bug 1216784 is done, update the tool and remove the "HACK":

https://github.com/jeffbryner/MozDef/blob/204577667029385d96b0e2357b245b80fd7870eb/cron/cloudtrail2mozdef.py#L35
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
Updated (a year ago)

Duplicate of this bug: 1313395

Comment 2 (michal, a year ago)

Could you take a look at the code and tell whether it is safe to remove that hack?
Comment 3 (assignee, a year ago)

:michal writes

> I'd like to understand what this hack did and if we should disable it?

Sure thing. The hack was to work around the fact that the initial security audit roles which nubis created did not grant permissions broadly enough to enable us to query their account to determine which S3 bucket their CloudTrail trails were depositing logs into. As it was taking a long time to get the new security audit roles deployed in nubis, which would solve this problem, I added the "HACK" you see in the code, which hard codes the name of the S3 bucket instead of dynamically querying for it.

Now that the new security audit roles are in place, if we remove the hack the code should dynamically query the nubis accounts to find the name of the S3 bucket and work the same as it does now (but be less brittle, without a hard-coded value in the code).
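The pattern comment 3 describes, written out as an added example (not MozDef's code): look up each account's trail bucket from the CloudTrail DescribeTrails response instead of hard-coding it, and make the fallback for a denied audit role explicit and logged rather than a silent constant. The client object, the `AuditRoleDenied` exception and the fake client are constructed stand-ins for a boto3 CloudTrail client obtained through an assumed audit role.

```python
import logging
from typing import Dict, List, Optional

log = logging.getLogger("cloudtrail2mozdef")


class AuditRoleDenied(Exception):
    """Constructed stand-in for the AccessDenied error boto3 raises when the
    assumed security audit role lacks cloudtrail:DescribeTrails."""


def trail_buckets(client) -> List[Dict[str, str]]:
    """Return [{'bucket': ..., 'prefix': ...}] for each trail the client can see.

    Reads the same fields as boto3's cloudtrail.describe_trails() response:
    trailList[*].S3BucketName and the optional S3KeyPrefix."""
    resp = client.describe_trails(includeShadowTrails=False)
    found: List[Dict[str, str]] = []
    for trail in resp.get("trailList", []):
        bucket = trail.get("S3BucketName")
        if not bucket:
            # A trail with no bucket delivers nowhere; surface it, don't ignore it.
            log.warning("trail %s has no S3 bucket configured", trail.get("Name"))
            continue
        entry = {"bucket": bucket, "prefix": trail.get("S3KeyPrefix", "")}
        if entry not in found:  # several trails may share one bucket
            found.append(entry)
    return found


def resolve_buckets(account_id: str, client,
                    fallback: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Query the account for its trail buckets; use the explicit fallback only when
    the audit role is denied, and log loudly so the gap in role permissions is visible."""
    try:
        buckets = trail_buckets(client)
    except AuditRoleDenied as exc:
        if fallback is None:
            raise
        log.error("account %s: DescribeTrails denied (%s); falling back to bucket %s",
                  account_id, exc, fallback["bucket"])
        return [fallback]
    if not buckets:
        log.error("account %s: no CloudTrail trail delivers to an S3 bucket", account_id)
    return buckets


class FakeCloudTrailClient:
    """Constructed offline stand-in for boto3.client('cloudtrail')."""
    def __init__(self, trails=None, deny=False):
        self._trails, self._deny = trails or [], deny

    def describe_trails(self, includeShadowTrails=True):
        if self._deny:
            raise AuditRoleDenied("AccessDeniedException: cloudtrail:DescribeTrails")
        return {"trailList": list(self._trails)}
```

With a real client, `trail_buckets` is called once per account after assuming that account's security audit role; the per-account result replaces the single hard-coded bucket name.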
Comment 4 (assignee, a year ago)

I've created this PR which removes the hack:

https://github.com/mozilla/MozDef/pull/381
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED