First, thanks so much for granting Infosec (Previously called Opsec and our full name now is Enterprise Information Security) permissions to perform security audits and incident response on your AWS account earlier this year. 461454502437 Mozilla Platform Fuzzing Team - 8430 We'd like to do two things. First we'd like to have the IAM Roles that you created for us earlier this year in your account updated and secondly we'd like to have CloudTrail enabled in your account and connected to our Mozilla wide secure CloudTrail storage account. For the first part, the update of the security audit IAM role, we'd like to update the IAM role for a few reasons * We've migrated all activities related to auditing and incident response of Mozilla accounts to a dedicated AWS account for better separation of concerns. This will improve the security around the entity that you're granting auditing and incident response permissions to. * We've separated out security auditing and incident response permissions into two distinct roles. This will allow us to grant certain rights to certain systems but not others. Another example of improved security through separation of duties ( https://www.owasp.org/index.php/Separation_of_duties ) Here are the steps to upgrade the IAM Roles * Delete the old CloudFormation stack that you deployed for us. This stack was probably called "opsec-security-audit-role". You may need to check a few different regions to see where you deployed it. By deleting this stack it will delete the old IAM Role which granted us permission to do security audits. * Deploy the new CloudFormation stack by following these steps * Note : These steps are also outlined in the "Create a Trusting Account using CloudFormation" section here : https://mana.mozilla.org/wiki/display/SECURITY/AWS+Security+Auditing+and+Incident+Response+Services#AWSSecurityAuditingandIncidentResponseServices-CreateaTrustingAccountusingCloudFormation * Log into their AWS web console in in either the us-west-2 region or the us-east-1 region (the only regions that support AWS Lambda currently) * Browse to the CloudFormation section * Click the Create Stack button * In the Name field enter something like "InfosecClientRoles" * In the Source field select Specify an Amazon S3 template URL and type in https://s3.amazonaws.com/infosec-cloudformation-templates/infosec-security-audit-incident-response-roles-cloudformation.json * Click the Next button * Deploy the "infosec-security-audit-incident-response-roles-cloudformation.json" template * On the Options page click the Next button * On the Review page click the checkbox that says I acknowledge that this template might cause AWS CloudFormation to create IAM resources. * Click the Create button * When the CloudFormation stack completes the creation process and the Status field changes from CREATE_IN_PROGRESS to CREATE_COMPLETE. * Comment in this ticket letting us know the stack was created successfully. For the second part, the secure CloudTrail storage, we'd like to have you either enable or if enabled re-configure CloudTrail to use our secure CloudTrail storage account. CloudTrail is an AWS product which creates an audit log of all calls made to the AWS API by your account. For example, when you spin up a new ec2 instance, that call to AWS to RunInstances can be recorded with CloudTrail. This audit log is stored in S3. Here's why you should enable CloudTrail and use the AWS Secure CloudTrail Storage Account * By enabling CloudTrail, in the event of a security incident, the audit trail created by CloudTrail will help Infosec determine what has been affected and how the account was compromised * By using the AWS Secure CloudTrail Storage Account instead of storing the CloudTrail logs in your own account you get a few things * Firstly it easily allows Infosec to get access to the audit logs in the case of an incident * Far more importantly, by storing the logs in a separate, locked down account, in the event of an attacker gaining control of your AWS account, they will be unable to hide their tracks by deleting the CloudTrail logs after they finish. The worst they will be able to do is disable CloudTrail logging (which Infosec security auditing will detect immediately) * By deploying this CloudFormation template, CloudTrail will be enabled for your account in *all* regions, avoiding the hassle of either manually configuring CloudTrail in every region, or deploying individual CloudTrail stacks in every region. Here are the steps to begin using the AWS Secure CloudTrail Storage Account Note these steps are outlined in the "Deploy the CloudFormation template" section of this page : https://mana.mozilla.org/wiki/display/SECURITY/AWS+Secure+CloudTrail+Storage+System#AWSSecureCloudTrailStorageSystem-DeploytheCloudFormationtemplate 1. Browse to AWS CloudFormation in either us-west-2 Oregon, or us-east-1 N. Virginia (the 2 regions that support AWS Lambda) : https://console.aws.amazon.com/cloudformation/home?region=us-west-2 2. Click "Create Stack" 3. Under "Choose a template" select "Specify an Amazon S3 template URL" 4. Enter this URL : https://s3.amazonaws.com/infosec-cloudformation-templates/configure_cloudtrail_to_use_mozilla_secure_storage.json 5. In the "Stack name" field enter "DeployCloudTrailCloudFormationStacks" and click "Next" 6. On the "Options" screen click "Next" 7. On the "Review" screen in the "Capabilities" section, check the checkbox for "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." and click "Create" To learn how to fetch your CloudTrail logs from the secure storage account or to subscribe to notifications from CloudTrail, read about usage here : https://mana.mozilla.org/wiki/display/SECURITY/AWS+Secure+CloudTrail+Storage+System#AWSSecureCloudTrailStorageSystem-Usage
Al, I'd like to add a clarification to these instructions which confused some other folks. For the security auditing and incident response IAM Roles, you only need to deploy the CloudFormation template in a single region (either us-west-2 or us-east-1 but not both). This single CloudFormation stack will enable security auditing for your account in *all* regions. The same goes for the CloudTrail CloudFormation template. It only needs to be deployed in a single region (either us-west-2 or us-east-1 but not both). The stack will in turn (on it's own) create a "sub-stack" in every region to enable CloudTrail. So, in summary, you should be deploying in total 2 CloudFormation templates. The first to enable security auditing, the second to enable CloudTrail.
Al, do you know when you or someone on your team would be able to get to this?
I talked to Al on IRC today and he said he's take care of it this week 1:22 PM <•abillings> I’ll do it this week for sure 1:22 PM <•abillings> it has been on “to do” 1:22 PM <•abillings> but you know how it goes 1:22 PM <gene> ok, thanks very much. Ya I understand 1:23 PM <•abillings> try to get it done by Wednesday
Al, any luck back on Feb 10th?
I've setup a time next week Tuesday where we can meet and get this taken care of. You've got a calendar invite in your inbox.
Here is the updated CloudTrail template : https://s3.amazonaws.com/infosec-cloudformation-templates/configure_cloudtrail_to_use_mozilla_secure_storage_globally.json
Thanks Al, got everything setup and working.