Closed Bug 1525717 Opened 5 years ago Closed 5 years ago

2019 Mozilla AWS Security Refresh : Update your CloudFormation stacks for partinfra

Categories

(Community Building :: Systems and Data, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: gene, Assigned: nemo-yiannis)

References

Details

Mozilla Enterprise Information Security (EIS) has an update to the security features we provide for your AWS account. You previously deployed the InfosecClientRoles into your account to enable EIS to perform security audits on your account and do security incident response in the case of a security breach.

We have a new CloudFormation template that we'd like to have you update to in order to

  • grant additional security auditing read permissions
  • change incident response to a role trusting a dedicated incident response AWS account
  • enable AWS GuardDuty threat detection service and wire it up to the Mozilla Defense Platform (MozDef)

There are many more specifics in the README, if you're interested.

What we'd like you to do is update your existing CloudFormation stack

  • AWS account ID : 484535289196
  • AWS region : us-west-2
  • CloudFormation stack name : InfosecClientRoles

with the new template. Here's how:

Update your existing stack

You can either do the update in the AWS web console or on the command line with
the awscli tool. You'll be doing a CloudFormation stack update to a new template.

Update in the web console

  • Browse to the CloudFormation section

  • Select the InfosecClientRoles stack by checking the check
    circle next to it

  • In the Actions drop-down in the upper right, select Update Stack

  • Click the Next button

  • Enter an optional email address at which to receive notifications of use of the
    incident response role

  • On the Specify stack details page, click the Next button

  • On the Configure stack options page click the Next button

  • On the Review page click the checkbox that says I acknowledge that AWS CloudFormation might create IAM resources.

  • Click the Update stack button

  • When the CloudFormation stack completes the creation process and the Status
    field changes from UPDATE_IN_PROGRESS to UPDATE_COMPLETE, you're done.

Update on the command line

  • Set the EMAIL_ADDRESS that you'd like to receive notifications at if/when the
    incident response role is ever used. Note: EIS is always notified if the
    incident response role is ever used.
  • The STACK_NAME below is set to your existing InfosecClientRoles stack name
  • The REGION below is the region in which your existing stack is deployed
EMAIL_ADDRESS=example@example.com
STACK_NAME=InfosecClientRoles
REGION=us-west-2
AWS_DEFAULT_REGION=${REGION} aws cloudformation update-stack \
  --stack-name ${STACK_NAME} \
  --template-url https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml \
  --parameters ParameterKey=EmailAddress,ParameterValue=${EMAIL_ADDRESS} \
  --capabilities CAPABILITY_IAM

How do you like to be contacted?

Finally, if in the future you'd like to be contacted through a different channel
(GitHub issue, Bugzilla ticket, ServiceNow, email, etc) for this type of thing
or if there's a better person or place to make this request, do let us know.

:nemo-yiannis, could you help me with this stack update?

Flags: needinfo?(jgiannelos)
Assignee: nobody → jgiannelos
Flags: needinfo?(jgiannelos)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
See Also: → 1627820
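As an added example (not from the bug and not EIS code): the command-line update described in the bug, wrapped in a POSIX sh script that also waits for the stack to settle, tells UPDATE_COMPLETE apart from UPDATE_ROLLBACK_COMPLETE (the status CloudFormation lands on when an update fails and it restores the previous template, which a naive "no longer IN_PROGRESS" check would read as success), and verifies the result afterwards. The stack name, region and template URL are the values from the bug; the post-update GuardDuty check assumes the new template creates a detector in the stack's region, and the `show-trust` helper is my own quick way of listing which accounts the template's roles trust before you grant them with CAPABILITY_IAM.

```shell
#!/bin/sh
# Added example, not part of bug 1525717 or of the EIS template.
# Usage:
#   sh update-infosec-roles.sh show-trust   # list principals the template trusts
#   EMAIL_ADDRESS=you@example.com sh update-infosec-roles.sh update
# Assumes awscli with credentials for the target account (and curl for show-trust).
set -u

# Values from the bug; override through the environment if your stack differs.
STACK_NAME="${STACK_NAME:-InfosecClientRoles}"
REGION="${REGION:-us-west-2}"
EMAIL_ADDRESS="${EMAIL_ADDRESS:-}"
TEMPLATE_URL="${TEMPLATE_URL:-https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml}"
export AWS_DEFAULT_REGION="$REGION"

# Map a CloudFormation StackStatus to done / pending / failed / unknown.
# Return code: 0 done, 1 still running, 2 failed, 3 unrecognised.
# UPDATE_ROLLBACK_COMPLETE is the trap: the stack is no longer IN_PROGRESS, but
# the new template was NOT applied; CloudFormation put the old one back.
classify_stack_status() {
  case "$1" in
    UPDATE_COMPLETE)      echo done;    return 0 ;;
    *_IN_PROGRESS)        echo pending; return 1 ;;   # includes *_ROLLBACK_IN_PROGRESS
    *ROLLBACK*|*FAILED*)  echo failed;  return 2 ;;
    *)                    echo unknown; return 3 ;;
  esac
}

# Current StackStatus as plain text (no jq needed).
stack_status() {
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
      --query 'Stacks[0].StackStatus' --output text
}

# Fetch the template and show the trust relationships it sets up. Read this
# before granting CAPABILITY_IAM: the roles are what EIS will assume.
show_trust() {
  curl -fsSL "$TEMPLATE_URL" | grep -n -E 'Principal|arn:aws:iam::[0-9]{12}'
}

# Submit the update. update-stack exits non-zero when validation fails or when
# the template is already in place ("No updates are to be performed"); either
# way nothing changed, so stop rather than report success.
submit_update() {
  aws cloudformation update-stack \
    --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" \
    --parameters "ParameterKey=EmailAddress,ParameterValue=$EMAIL_ADDRESS" \
    --capabilities CAPABILITY_IAM
}

# Poll until the stack leaves *_IN_PROGRESS. $1 = seconds between polls.
# Returns classify_stack_status's code for the final state.
wait_for_stack() {
  interval="${1:-10}"
  while :; do
    status=$(stack_status)
    verdict=$(classify_stack_status "$status"); rc=$?
    echo "$STACK_NAME: ${status:-<no status>} ($verdict)"
    [ "$rc" -ne 1 ] && return "$rc"
    sleep "$interval"
  done
}

# Post-update checks: the EmailAddress parameter landed, and GuardDuty has an
# enabled detector in this region (assumption: the template creates one here).
verify_update() {
  email=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
      --query "Stacks[0].Parameters[?ParameterKey=='EmailAddress'].ParameterValue" \
      --output text)
  echo "EmailAddress parameter: ${email:-<none>}"
  detector=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
  if [ -z "$detector" ] || [ "$detector" = "None" ]; then
    echo "no GuardDuty detector found in $REGION" >&2
    return 1
  fi
  state=$(aws guardduty get-detector --detector-id "$detector" --query Status --output text)
  echo "GuardDuty detector $detector: $state"
  [ "$state" = "ENABLED" ]
}

main() {
  submit_update || { echo "update-stack was not accepted; nothing changed" >&2; return 1; }
  wait_for_stack 15 && rc=0 || rc=$?
  case "$rc" in
    0) verify_update ;;
    2) echo "update failed and was rolled back; check the stack's Events tab" >&2; return 2 ;;
    *) echo "stack ended in an unexpected state" >&2; return "$rc" ;;
  esac
}

case "${1:-}" in
  update)     main ;;
  show-trust) show_trust ;;
esac
```

`aws cloudformation wait stack-update-complete` does the same polling in one call, but it only exits non-zero on failure; polling `describe-stacks` yourself shows the intermediate states and makes the rollback case explicit.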