Request for firefox-customs-prod AWS SQS IAM Role

Status: RESOLVED WONTFIX
Product / Component: Cloud Services :: Operations
Reported: a year ago
Modified: 7 months ago
Reporter: gene (Unassigned)
Blocks: 1 bug

Description (Reporter, a year ago)

Currently MozDef sends messages to the fxa-customs-prod SQS queue using an AWS API Key associated with an IAM user in a Cloud Services AWS account. That API key ID is 

AKIAJM6ZSURHQ4K63T6Q

though I'm unsure of the user associated with that key.

Would you be open to establishing an IAM Role that infosec could use instead of this IAM user? By my read of how we use this user, the role would look something like what's below. This would allow us to get rid of the user and move to a better role based model.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create Infosec role to send messages to fxa-customs-prod",
  "Parameters": {},
  "Resources": {
    "Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "fxa-customs-prod-sender",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::371522382791:root",
                  "arn:aws:iam::656532927350:root"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "root",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:SendMessage*",
                    "sqs:GetQueue*"
                  ],
                  "Resource": { "Fn::Join": [ "", [ "arn:aws:sqs:us-west-2:", { "Ref": "AWS::AccountId" }, ":fxa-customs-prod" ] ] }
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "RoleARN": {
      "Description": "The IAM Role Arn",
      "Value": { "Fn::GetAtt": [ "Role", "Arn" ] }
    }
  }
}
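The request above is the standard move from a long-lived IAM user access key to a role assumed through STS, but the trust policy as posted names two account-root principals (arn:aws:iam::ACCOUNT:root). That trusts every principal in those accounts that is itself allowed to call sts:AssumeRole on the role ARN, not just the MozDef worker, and the prefix wildcards sqs:SendMessage* and sqs:GetQueue* silently cover every action AWS later adds under those prefixes. The following is an added example, not code from the bug, MozDef or FxA: a small linter over the posted template that reports those two points (and a missing Resource scope or Condition, had there been one), plus a helper that rewrites the trust policy to named role ARNs and enumerates the SQS actions. The role ARN and ExternalId values shown in the usage note are placeholders, as is the assumption that the assuming principal would be a dedicated role in the 371522382791 account.

```python
"""Lint the IAM role template from the bug for over-broad trust and
permissions, and build a tightened variant.

Added example; not code from the bug, MozDef or FxA. TEMPLATE mirrors the
CloudFormation JSON in the bug description. Any role ARN or ExternalId
passed to tighten_role() is a placeholder chosen by the caller.
"""
import copy
from typing import Dict, List, Optional

TEMPLATE: Dict = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Create Infosec role to send messages to fxa-customs-prod",
    "Resources": {"Role": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": "fxa-customs-prod-sender",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {"AWS": [
                        "arn:aws:iam::371522382791:root",
                        "arn:aws:iam::656532927350:root",
                    ]},
                    "Action": ["sts:AssumeRole"],
                }],
            },
            "Policies": [{
                "PolicyName": "root",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": ["sqs:SendMessage*", "sqs:GetQueue*"],
                        "Resource": {"Fn::Join": ["", [
                            "arn:aws:sqs:us-west-2:",
                            {"Ref": "AWS::AccountId"},
                            ":fxa-customs-prod",
                        ]]},
                    }],
                },
            }],
        },
    }},
}

# Concrete SQS actions matched by the prefix wildcards in the bug's policy.
# Enumerating them keeps the grant reviewable and stops future actions that
# happen to share the prefix from being granted silently.
SQS_EXPANSION = {
    "sqs:SendMessage*": ["sqs:SendMessage", "sqs:SendMessageBatch"],
    "sqs:GetQueue*": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
}


def _as_list(value) -> List:
    """IAM accepts a string or a list in Principal/Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def lint_role(template: Dict) -> List[str]:
    """Return findings for the Role resource; an empty list means clean."""
    findings: List[str] = []
    props = template["Resources"]["Role"]["Properties"]

    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            # arn:aws:iam::<account>:root trusts every principal in that
            # account that is itself allowed to call sts:AssumeRole on us.
            if principal.endswith(":root"):
                account = principal.split(":")[4]
                findings.append(
                    f"trust: whole account {account} is trusted, not a named role")
        if "Condition" not in stmt:
            findings.append(
                "trust: no Condition on sts:AssumeRole (sts:ExternalId blocks "
                "confused-deputy use by a third-party account)")

    for policy in props.get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt["Action"]):
                if "*" in action:
                    findings.append(f"perms: wildcard action {action}")
            for resource in _as_list(stmt["Resource"]):
                if resource == "*":
                    findings.append("perms: Resource is *, not the one queue")
    return findings


def tighten_role(template: Dict, assuming_role_arns: List[str],
                 external_id: Optional[str] = None) -> Dict:
    """Copy of template with trust pinned to named roles and actions enumerated."""
    tightened = copy.deepcopy(template)
    props = tightened["Resources"]["Role"]["Properties"]
    trust_stmt: Dict = {
        "Effect": "Allow",
        "Principal": {"AWS": list(assuming_role_arns)},
        "Action": ["sts:AssumeRole"],
    }
    if external_id is not None:
        trust_stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    props["AssumeRolePolicyDocument"]["Statement"] = [trust_stmt]

    for policy in props.get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            expanded: List[str] = []
            for action in _as_list(stmt["Action"]):
                expanded.extend(SQS_EXPANSION.get(action, [action]))
            stmt["Action"] = expanded
    return tightened
```

Running lint_role(TEMPLATE) on the posted template yields five findings: one per account-root principal, one for the missing Condition, and one per wildcard action. tighten_role(TEMPLATE, ["arn:aws:iam::371522382791:role/mozdef-sqs-writer"], external_id="placeholder-external-id") (both values placeholders) produces a template that lints clean, with the four concrete SQS actions listed. The ExternalId condition is the right tool when the assuming account belongs to a third party; between two teams' accounts in the same organization, pinning the principal to a named role is the part that matters.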
Updated (Reporter, a year ago)

Blocks: 1343384
Comment 1 (Reporter, 11 months ago)

:ulfr, could someone on your team take a look at this next week?
Flags: needinfo?(jvehent)

Comment 2 (9 months ago)

FxA customs server is not currently configured to consume this queue, so this integration is essentially inactive.
I propose to kill it entirely, and have mozdef publish suspicious IPs to tigerblood [1] instead, which uses HTTP POSTs to a public API.

[1] https://mana.mozilla.org/wiki/display/SVCOPS/IP+Reputation+architecture
Flags: needinfo?(jvehent)

Comment 3

[:ulfr] is tigerblood live?
Flags: needinfo?(jvehent)

Comment 4 (8 months ago)

It is. Greg runs it.
Flags: needinfo?(jvehent)

Comment 5 (8 months ago)

Yep, let me know if you need API keys. We have node.js, lua, and python client libraries and I can write more as necessary.

https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=61942775

Comment 6

OK, thanks. The mana page tells me what it's made of but not much about what it does or how it is to be used. Greg, can you set up a meeting for folks to get acquainted with tigerblood? (me/michal`/kang/tristan). We likely need api keys for stage/prod (2 or 4?) and the python client.

In the meantime, I'll close this bug.
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → WONTFIX

Comment 7 (8 months ago)

+1 sure thing. Scheduled for Wed 6-7pm ET / 3-4pm PT.
Comment 8 (Reporter, 7 months ago)

Note for future me finding this ticket:

The MozDef piece of this has been torn down and the API key is no longer in use.

https://github.com/mozilla/MozDef/pull/418