Closed Bug 1242001 Opened 9 years ago Closed 8 years ago

Request for IT CDN to update Infosec security auditing IAM Role and enable CloudTrail

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: gene, Assigned: fox2mike)

References

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3045] )

First, thanks so much for granting Infosec (previously called Opsec; our full name now is Enterprise Information Security) permissions to perform security audits and incident response on your AWS account earlier this year.

369987351092 IT CDN - 1400

We'd like to do two things. First we'd like to have the IAM Roles that you created for us earlier this year in your account updated, and secondly we'd like to have CloudTrail enabled in your account and connected to our Mozilla wide secure CloudTrail storage account.

For the first part, the update of the security audit IAM role, we'd like to update the IAM role for a few reasons:

* We've migrated all activities related to auditing and incident response of Mozilla accounts to a dedicated AWS account for better separation of concerns. This will improve the security around the entity that you're granting auditing and incident response permissions to.
* We've separated out security auditing and incident response permissions into two distinct roles. This will allow us to grant certain rights to certain systems but not others. Another example of improved security through separation of duties ( https://www.owasp.org/index.php/Separation_of_duties )

Here are the steps to upgrade the IAM Roles:

* Delete the old CloudFormation stack that you deployed for us. This stack was probably called "opsec-security-audit-role". You may need to check a few different regions to see where you deployed it. By deleting this stack it will delete the old IAM Role which granted us permission to do security audits.
* Deploy the new CloudFormation stack by following these steps
  * Note : These steps are also outlined in the "Create a Trusting Account using CloudFormation" section here : https://mana.mozilla.org/wiki/display/SECURITY/AWS+Security+Auditing+and+Incident+Response+Services#AWSSecurityAuditingandIncidentResponseServices-CreateaTrustingAccountusingCloudFormation
  * Log into your AWS web console in either the us-west-2 region or the us-east-1 region (the only regions that support AWS Lambda currently)
  * Browse to the CloudFormation section
  * Click the Create Stack button
  * In the Name field enter something like "InfosecClientRoles"
  * In the Source field select Specify an Amazon S3 template URL and type in https://s3.amazonaws.com/infosec-cloudformation-templates/infosec-security-audit-incident-response-roles-cloudformation.json
  * Click the Next button
  * Deploy the "infosec-security-audit-incident-response-roles-cloudformation.json" template
  * On the Options page click the Next button
  * On the Review page click the checkbox that says I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
  * Click the Create button
  * When the CloudFormation stack completes the creation process and the Status field changes from CREATE_IN_PROGRESS to CREATE_COMPLETE, comment in this ticket letting us know the stack was created successfully.

For the second part, the secure CloudTrail storage, we'd like to have you either enable, or if enabled re-configure, CloudTrail to use our secure CloudTrail storage account. CloudTrail is an AWS product which creates an audit log of all calls made to the AWS API by your account. For example, when you spin up a new ec2 instance, that call to AWS to RunInstances can be recorded with CloudTrail. This audit log is stored in S3.

Here's why you should enable CloudTrail and use the AWS Secure CloudTrail Storage Account:

* By enabling CloudTrail, in the event of a security incident, the audit trail created by CloudTrail will help Infosec determine what has been affected and how the account was compromised
* By using the AWS Secure CloudTrail Storage Account instead of storing the CloudTrail logs in your own account you get a few things
  * Firstly it easily allows Infosec to get access to the audit logs in the case of an incident
  * Far more importantly, by storing the logs in a separate, locked down account, in the event of an attacker gaining control of your AWS account, they will be unable to hide their tracks by deleting the CloudTrail logs after they finish. The worst they will be able to do is disable CloudTrail logging (which Infosec security auditing will detect immediately)
* By deploying this CloudFormation template, CloudTrail will be enabled for your account in *all* regions, avoiding the hassle of either manually configuring CloudTrail in every region, or deploying individual CloudTrail stacks in every region.

Here are the steps to begin using the AWS Secure CloudTrail Storage Account. Note these steps are outlined in the "Deploy the CloudFormation template" section of this page : https://mana.mozilla.org/wiki/display/SECURITY/AWS+Secure+CloudTrail+Storage+System#AWSSecureCloudTrailStorageSystem-DeploytheCloudFormationtemplate

1. Browse to AWS CloudFormation in either us-west-2 Oregon, or us-east-1 N. Virginia (the 2 regions that support AWS Lambda) : https://console.aws.amazon.com/cloudformation/home?region=us-west-2
2. Click "Create Stack"
3. Under "Choose a template" select "Specify an Amazon S3 template URL"
4. Enter this URL : https://s3.amazonaws.com/infosec-cloudformation-templates/configure_cloudtrail_to_use_mozilla_secure_storage.json
5. In the "Stack name" field enter "DeployCloudTrailCloudFormationStacks" and click "Next"
6. On the "Options" screen click "Next"
7. On the "Review" screen in the "Capabilities" section, check the checkbox for "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." and click "Create"

To learn how to fetch your CloudTrail logs from the secure storage account or to subscribe to notifications from CloudTrail, read about usage here : https://mana.mozilla.org/wiki/display/SECURITY/AWS+Secure+CloudTrail+Storage+System#AWSSecureCloudTrailStorageSystem-Usage
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2500]
The existing CF stack has been deleted. CT was never set up on this account. The new InfosecClientRoles stack has been created successfully. The new DeployCloudTrailCloudFormationStacks stack has been created successfully. This second CF stack in turn created a 3rd stack: MozillaSecuredCloudTrail. It was also created successfully.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Looks great, thanks! > This second CF stack in turn created a 3rd stack: MozillaSecuredCloudTrail. Indeed. It actually created a MozillaSecuredCloudTrail in every region.
Status: RESOLVED → VERIFIED
Ah shoot, I just noticed that you created two InfosecClientRoles stacks, one in us-west-2 and one in us-east-1. Would you delete one of those stacks (and let me know which one you've deleted)? Since IAM roles are global, we only need one stack deployed.
Status: VERIFIED → REOPENED
Flags: needinfo?(nmaul)
Resolution: FIXED → ---
Done! I'm deleting the us-west-2 stack, just because that means all the OpSec stacks are in us-east-1 for this account.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(nmaul)
Resolution: --- → FIXED
Thanks Jake, looks good.
Status: RESOLVED → VERIFIED
Hey Jake, I went and looked and it looks like CloudTrail is not setup in this AWS account. Can you take a look and tell me:

* Is the CloudFormation stack "DeployCloudTrailCloudFormationStacks" indeed still present in whatever region you deployed it in?
* Do you also see the "MozillaSecuredCloudTrail" CloudFormation stack?
Status: VERIFIED → REOPENED
Flags: needinfo?(nmaul)
Resolution: FIXED → ---
Assignee: nmaul → server-ops-webops
Maybe Atoll can help me with this :

Ok, I figured out what's going on. It looks like the CloudFormation stack which enables CloudTrail was deleted *only* in us-west-2 (probably by accident). All other regions are configured correctly and the parent CloudTrail stack is present in us-east-1.

To fix this please do this :

1. Delete the CloudTrail stack called "DeployCloudTrailCloudFormationStacks" which is deployed in us-east-1
2. This will trigger the deletion of all CloudFormation stacks in all regions (besides us-west-2) called "MozillaSecuredCloudTrail"
3. Deploy the new global CloudTrail CloudFormation stack in any region (e.g. us-east-1 again if you like) using this template https://s3.amazonaws.com/infosec-cloudformation-templates/configure_cloudtrail_to_use_mozilla_secure_storage_globally.json

The mana page that explains this in more detail is here : https://mana.mozilla.org/wiki/display/SECURITY/AWS+Secure+CloudTrail+Storage+System
Flags: needinfo?(nmaul) → needinfo?(rsoderberg)
Flags: needinfo?(rsoderberg)
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2500]
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3045]
Assignee: server-ops-webops → smani
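The end state the two procedures in comment 0 describe, and the drift comment 7 found (a MozillaSecuredCloudTrail stack gone in one region, InfosecClientRoles deployed twice even though IAM is global, logs possibly not leaving the account), can be checked offline against CLI output. The script below is an added example, not code from this ticket or from Mozilla's CloudFormation templates. The secure-storage bucket name and the region list are assumptions (the ticket never names the bucket), and the JSON samples are constructed in the shape of `aws cloudformation list-stacks` and `aws cloudtrail describe-trails` output, with real field names and made-up values.

```python
"""Offline audit of the end state this ticket asks for.

Added example, not code from the ticket or from Mozilla's templates. The sample JSON
below is constructed in the shape of `aws cloudformation list-stacks` and
`aws cloudtrail describe-trails` output (real field names, made-up values), so the
checks run without AWS credentials; point them at real output to audit an account.
"""
import json

# Assumption: the ticket never names the secure-storage S3 bucket, so this is a placeholder.
SECURE_STORAGE_BUCKET = "example-secure-cloudtrail-storage"
ROLE_STACK = "InfosecClientRoles"            # stack names are the ones used in the ticket
CLOUDTRAIL_STACK = "MozillaSecuredCloudTrail"
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]   # subset; audit every enabled region in practice

# list-stacks keeps DELETE_COMPLETE entries for 90 days, so "the stack is listed" is not
# the same as "the stack exists". Only these statuses count as a live deployment.
LIVE = {"CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE"}

# Constructed: one list-stacks result per region, mirroring the state found in comment 7
# (role stack deployed twice, CloudTrail stack deleted only in us-west-2).
SAMPLE_STACKS = {
    "us-east-1": json.loads('''{"StackSummaries": [
        {"StackName": "InfosecClientRoles", "StackStatus": "CREATE_COMPLETE"},
        {"StackName": "DeployCloudTrailCloudFormationStacks", "StackStatus": "CREATE_COMPLETE"},
        {"StackName": "MozillaSecuredCloudTrail", "StackStatus": "CREATE_COMPLETE"}]}'''),
    "us-west-2": json.loads('''{"StackSummaries": [
        {"StackName": "InfosecClientRoles", "StackStatus": "CREATE_COMPLETE"},
        {"StackName": "MozillaSecuredCloudTrail", "StackStatus": "DELETE_COMPLETE"}]}'''),
    "eu-west-1": json.loads('''{"StackSummaries": [
        {"StackName": "MozillaSecuredCloudTrail", "StackStatus": "CREATE_COMPLETE"}]}'''),
}

# Constructed: describe-trails output. A per-region trail covers only its HomeRegion;
# a trail with IsMultiRegionTrail true covers every region from one definition.
SAMPLE_TRAILS = json.loads('''{"trailList": [
    {"Name": "MozillaSecuredCloudTrail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": false,
     "S3BucketName": "example-secure-cloudtrail-storage", "LogFileValidationEnabled": true},
    {"Name": "MozillaSecuredCloudTrail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
     "S3BucketName": "cdn-own-logs-bucket", "LogFileValidationEnabled": false}]}''')


def live_stacks(result):
    """Names of stacks that really exist in one region's list-stacks result."""
    return {s["StackName"] for s in result.get("StackSummaries", []) if s["StackStatus"] in LIVE}


def role_stack_regions(stacks_by_region):
    """Regions with a live InfosecClientRoles stack. IAM is global, so anything other
    than exactly one region is wrong (the duplicate caught in comment 3)."""
    return sorted(r for r, res in stacks_by_region.items() if ROLE_STACK in live_stacks(res))


def regions_missing_cloudtrail_stack(stacks_by_region, regions=REGIONS):
    """Regions where the per-region CloudTrail stack is absent or only a deleted ghost."""
    return sorted(r for r in regions if CLOUDTRAIL_STACK not in live_stacks(stacks_by_region.get(r, {})))


def trail_findings(trails, regions=REGIONS, secure_bucket=SECURE_STORAGE_BUCKET):
    """Is every region logged, and do the logs leave the account? A trail that writes to a
    bucket the account owns can be deleted by whoever compromises the account, which is
    the whole point of the separate storage account."""
    findings, covered = [], set()
    for t in trails["trailList"]:
        covered.update(regions if t["IsMultiRegionTrail"] else [t["HomeRegion"]])
        where = f"{t['HomeRegion']}: trail {t['Name']}"
        if t["S3BucketName"] != secure_bucket:
            findings.append(f"{where} writes to {t['S3BucketName']}, not the secure storage bucket")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{where} has log file validation off")
    findings += [f"{r}: no CloudTrail trail covers this region" for r in regions if r not in covered]
    return sorted(findings)


def audit(stacks_by_region, trails, regions=REGIONS):
    """All findings for an account; an empty list means the ticket's end state holds."""
    findings = []
    roles = role_stack_regions(stacks_by_region)
    if len(roles) != 1:
        findings.append(f"{ROLE_STACK} deployed in {len(roles)} regions ({', '.join(roles) or 'none'}); "
                        "IAM is global, expected exactly one")
    findings += [f"{r}: no live {CLOUDTRAIL_STACK} stack"
                 for r in regions_missing_cloudtrail_stack(stacks_by_region, regions)]
    findings += trail_findings(trails, regions)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_STACKS, SAMPLE_TRAILS):
        print("FINDING:", line)
```

To run it against a real account, collect `aws --profile cdn --region $r cloudformation list-stacks` and `aws --profile cdn --region $r cloudtrail describe-trails` for each region and pass the parsed JSON in place of the samples. The DELETE_COMPLETE filter is the part worth keeping: list-stacks still reports deleted stacks for a while, which is exactly how a stack that is gone in one region can look present at a glance.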
Part of the confusion about Comment 7 is that I wrote "1. Delete the CloudTrail stack called ..." which makes no sense (there is no such thing as a "CloudTrail stack"). What I should have said was "1. Delete the CloudFormation stack called ...".
Did the following :

  aws --profile cdn --region us-east-1 cloudformation list-stacks
  aws --profile cdn --region us-east-1 cloudformation delete-stack --stack-name DeployCloudTrailCloudFormationStacks

Waited for deletion to complete, then...

  aws --profile cdn --region us-east-1 cloudformation create-stack --stack-name MozillaGlobalSecureCloudTrailStorage --template-url https://s3.amazonaws.com/infosec-cloudformation-templates/configure_cloudtrail_to_use_mozilla_secure_storage_globally.json

Gene oversaw all of this, so we should be good to go :)
Status: REOPENED → RESOLVED
Closed: 9 years ago → 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
See Also: → 1525700
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard