Closed Bug 1526077 Opened 6 years ago Closed 6 years ago

2019 Mozilla AWS Security Refresh : Update your CloudFormation stacks for project-link

Categories

(developer.mozilla.org Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gene, Unassigned)

References

Details

Mozilla Enterprise Information Security (EIS) has an update to the security features we provide for your AWS account. You previously deployed the InfosecClientRoles into your account to enable EIS to perform security audits on your account and do security incident response in the case of a security breach.

We have a new CloudFormation template that we'd like to have you update to in order to

  • grant additional security auditing read permissions
  • change incident response to a role trusting a dedicated incident response AWS account
  • enable AWS GuardDuty threat detection service and wire it up to the Mozilla Defense Platform (MozDef)

There are many more specifics in the README if you're interested.

What we'd like you to do is update your existing CloudFormation stack

  • AWS account ID : 884003976652
  • AWS region : us-east-1
  • CloudFormation stack name : InfosecSecurityAuditRoles

with the new template. Here's how

Update your existing stack

You can either do the update in the AWS web console or on the command line with
the awscli tool. You'll be doing a CloudFormation stack update to a new template.

Update in the web console

  • Browse to the CloudFormation section

  • Select the InfosecSecurityAuditRoles stack by checking the check
    circle next to it

  • In the Actions drop down in the upper right select Update Stack

  • Click the Next button

  • Enter an optional email address at which to receive notifications of use of the
    incident response role

  • On the Specify stack details page click the Next button

  • On the Configure stack options page click the Next button

  • On the Review page click the checkbox that says I acknowledge that AWS CloudFormation might create IAM resources.

  • Click the Update stack button

  • When the CloudFormation stack completes the creation process and the Status
    field changes from UPDATE_IN_PROGRESS to UPDATE_COMPLETE you're done.

Update on the command line

  • Set the EMAIL_ADDRESS that you'd like to receive notifications at if/when the
    incident response role is ever used. Note : EIS is always notified if the
    incident response role is ever used.
  • The STACK_NAME below is set to your existing InfosecClientRoles stack name
  • The REGION below is the region in which your existing stack is deployed

EMAIL_ADDRESS=example@example.com
STACK_NAME=InfosecSecurityAuditRoles
REGION=us-east-1
AWS_DEFAULT_REGION=${REGION} aws cloudformation update-stack \
  --stack-name ${STACK_NAME} \
  --template-url https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml \
  --parameters ParameterKey=EmailAddress,ParameterValue=${EMAIL_ADDRESS} \
  --capabilities CAPABILITY_IAM

How do you like to be contacted?

Finally, if in the future you'd like to be contacted through a different channel
(GitHub issue, Bugzilla ticket, ServiceNow, email, etc) for this type of thing
or if there's a better person or place to make this request, do let us know.
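As an added example, not part of this bug or of Mozilla's template: a small POSIX shell script that performs the same update-stack call as above, but first checks that the stack is in a state CloudFormation will accept an update on, then waits for the update to finish and reports whether the Status reached UPDATE_COMPLETE or rolled back. The EMAIL_ADDRESS value is a constructed placeholder; the stack name, region and template URL are the ones given in this bug, and the status strings are CloudFormation's standard StackStatus values.

```shell
#!/bin/sh
# Added example (not part of the bug or of Mozilla's template): run the same
# update-stack call as in the bug, then wait for CloudFormation to settle and
# report whether the stack reached UPDATE_COMPLETE or rolled back.
# Assumed values: EMAIL_ADDRESS is a constructed placeholder; STACK_NAME,
# REGION and TEMPLATE_URL are the values given in the bug.

EMAIL_ADDRESS="${EMAIL_ADDRESS:-example@example.com}"
STACK_NAME="${STACK_NAME:-InfosecSecurityAuditRoles}"
REGION="${REGION:-us-east-1}"
TEMPLATE_URL=https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml

# Map a CloudFormation StackStatus value onto one of: done, pending, failed, other.
# These are the standard status strings CloudFormation reports during a stack update.
stack_status_class() {
  case "$1" in
    UPDATE_COMPLETE) echo done ;;
    UPDATE_IN_PROGRESS|UPDATE_COMPLETE_CLEANUP_IN_PROGRESS) echo pending ;;
    UPDATE_FAILED|UPDATE_ROLLBACK_*) echo failed ;;
    *) echo other ;;
  esac
}

# A stack only accepts an update when no other operation is in progress on it.
stack_is_updatable() {
  case "$1" in
    *_IN_PROGRESS) return 1 ;;
    CREATE_COMPLETE|UPDATE_COMPLETE|UPDATE_ROLLBACK_COMPLETE) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the current StackStatus of the stack (fails if the stack does not exist).
current_status() {
  aws cloudformation describe-stacks --region "$REGION" --stack-name "$STACK_NAME" \
    --query 'Stacks[0].StackStatus' --output text
}

update_and_wait() {
  status=$(current_status) || { echo "stack $STACK_NAME not found in $REGION" >&2; return 1; }
  stack_is_updatable "$status" || { echo "stack is $status; try again later" >&2; return 1; }

  aws cloudformation update-stack --region "$REGION" \
    --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" \
    --parameters ParameterKey=EmailAddress,ParameterValue="$EMAIL_ADDRESS" \
    --capabilities CAPABILITY_IAM || return 1

  # Blocks until the stack leaves UPDATE_IN_PROGRESS; exits non-zero on rollback,
  # which we tolerate here so the final status line below is always printed.
  aws cloudformation wait stack-update-complete --region "$REGION" --stack-name "$STACK_NAME" || true
  status=$(current_status)
  echo "final status: $status ($(stack_status_class "$status"))"
  [ "$(stack_status_class "$status")" = done ]
}

# Only perform the live update when explicitly asked, so the functions above can be
# sourced or tested without AWS credentials.
if [ "${RUN_UPDATE:-0}" = 1 ]; then
  update_and_wait
fi
```

Run it with RUN_UPDATE=1 (and credentials for the target account) to perform the update; without that variable it only defines the functions, which is handy for checking the status logic locally.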

:hobinjk could you help me with this stack update?

Flags: needinfo?(hobinjk)

:gene,

We're working with IT to maintain the MDN infrastructure, and tracking public work in GitHub issues:

https://github.com/mdn/infra/issues/198

I think Ed Lim is best for fulfilling this request. Can he get started later in February when he is back in the office?

Flags: needinfo?(hobinjk) → needinfo?(gene)

Sounds good, I'll track it in the GitHub issue and use GitHub in the future for this AWS account.

I'll work with Ed on it

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(gene)
Resolution: --- → INVALID

:jwhitlock It looks like you opened that GitHub issue under MDN, but this ticket is requesting a change to the 884003976652 "project-link" account.

Was that just a mistake and project-link isn't related to MDN or is there something I'm overlooking?

Status: RESOLVED → REOPENED
Flags: needinfo?(jwhitlock)
Resolution: INVALID → ---

I do not know what project-link is. What made you think developer.mozilla.org or hobinjk?

Flags: needinfo?(jwhitlock) → needinfo?(gene)

The project-link account is used by the IoT team for some of our infrastructure, I can look into whether my account has the necessary permissions on Monday. If not, I'll bring this up in our team meeting.

Flags: needinfo?(gene)

What made you think developer.mozilla.org or hobinjk?

:jwhitlock, :hobinjk is one of the people who has an IAM user in the project-link 884003976652 AWS account and who has been active most recently in the account. That was the only reason I needinfo'd him in Comment 1.

I opened it in this component as it was the closest I could find, as there was no link component. This was the component where :hobinjk seemed to do his work.

:hobinjk Thanks so much, if you have trouble logging into the account let me know.

:limed It looks like you don't have a user in this account. The admins are

andrenatal
benfrancis
dhylands
hobinjk
mrstegeman

Flags: needinfo?(hobinjk)

project-link isn't part of MDN, so disregard my comments on using mdn/infra for this project. limed provides SRE support for MDN, and isn't appropriate to work on this bug. Sorry for roping you into this one, Ed.

It looks like FoxBox never established a Bugzilla product, and related bugs like bug 1246178 have moved to the Cloud Services Graveyard. I suggest moving this to a component monitored by Mozilla Enterprise Information Security.

or :dhylands, could you help me with this (Comment 0), I'm not having luck reaching hobinjk.

Flags: needinfo?(dhylands)

Sorry for not updating the bug! I performed the requested migrations this Monday. Let me know if you need anything else.

Flags: needinfo?(hobinjk)
Flags: needinfo?(dhylands)

:hobinjk oh sweet, perfect, thank you! Yup, looks good.

Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: developer.mozilla.org → developer.mozilla.org Graveyard
See Also: → 1627289