Closed Bug 1312838 Opened 8 years ago Closed 8 years ago

Revocation of s3 credentials

Categories

(Testing :: General, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bryce, Assigned: glob)

I'm retiring several machines that I inherited the care of. These machines contained credentials for the 'platformqa' and 'platformqa-dev' buckets that I think should now be revoked. As I wasn't involved in the setup of these machines, I am uncertain as to whether these keys are used by other machines. I have no reason to believe they are, but in the interest of erring on the side of caution, I'd like to make sure they are not being used anywhere else.
I don't think they're used anywhere else. They were set up specifically for jobs running in that Jenkins instance.
(In reply to Bryce Van Dyk (:SingingTree) from Bug 1302427 comment #40)
> :claudijd - The pf-jenkins.qa.mtv2.mozilla.com instance should no longer be
> reachable. More than that all of the hosts detailed here should now be
> terminated:
> https://wiki.mozilla.org/Auto-tools/Projects/Platform_Quality/Jenkins_Machine_Inventory.
>
> I'm also seeking revocation of s3 creds relating to 'platformqa' and
> 'platformqa-dev', in case these credentials were also shared.
Assignee: nobody → glob
do you want me to just revoke the credentials (resulting in the s3 buckets continuing to exist, but effectively read-only), or do you want me to also delete the buckets and their contents?

as determining legitimate usage is tricky (especially if it's been discovered by web indexers) i propose disabling the two users and denying public access to the buckets. if no one complains after a week we pull the plug.
Flags: needinfo?(bvandyk)
Disabling and seeing if any issues arise sounds good, let's try that out.
Flags: needinfo?(bvandyk)
public access to platformqa and platformqa-dev denied (via editing the bucket policy)
platformqa-s3_read-write and platformqa-dev-s3_read-write policies updated.
all updates involved s/Allow/Deny/g
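The soft-revocation step in the comment above (turning every Allow into Deny and waiting for complaints before deleting anything), as an added example that is not part of the bug or of Mozilla's tooling. It flips the Effect on the parsed policy document instead of substituting text, and reports statements whose meaning changes more than expected; the sample policy, its Sids and the function names are constructed for illustration.

```python
import copy
import json

# Constructed sample bucket policy; only the bucket name "platformqa" is from the page.
SAMPLE_BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::platformqa/*"},
  {"Sid": "AllowAllButDelete", "Effect": "Allow", "Principal": {"AWS": "*"},
   "NotAction": "s3:DeleteObject", "Resource": "arn:aws:s3:::platformqa/*"}
 ]}
""")


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def soft_revoke(policy):
    """Return (new_policy, warnings) with every Allow statement set to Deny.

    Only the Effect key is touched, so a Sid such as "AllowAllButDelete"
    survives unchanged, which a textual s/Allow/Deny/g would not guarantee.
    """
    new_policy = copy.deepcopy(policy)
    statements = new_policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = new_policy["Statement"] = [statements]
    warnings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        stmt["Effect"] = "Deny"
        label = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if wildcard:  # explicit Deny overrides any Allow held elsewhere
            warnings.append(f"{label}: Deny applies to every principal, "
                            "not only anonymous callers")
        if any(k in stmt for k in ("NotAction", "NotPrincipal", "NotResource")):
            warnings.append(f"{label}: Not* element now denies everything "
                            "except the listed values")
    return new_policy, warnings
```

Review the warnings before applying the result: an explicit Deny overrides every Allow, so a flipped wildcard statement also blocks identities that were meant to keep access during the observation week.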
SingingTree, anyone complained?
Flags: needinfo?(bvandyk)
Haven't heard any displeasure on my end. None of the remaining tests that I oversee have broken or caught fire after the change. So from my perspective I'm good with a more permanent disabling. Deleting the buckets sounds sensible. They hold test run data to the best of my knowledge, but I don't believe I or anyone else on the media team needs it to be persisted.
Flags: needinfo?(bvandyk)
platformqa and platformqa-dev users deleted. platformqa and platformqa-dev s3 buckets and contents deleted.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED