Closed Bug 1527931 Opened 6 years ago Closed 6 years ago

EIS read access to Pocket AWS Organization

Categories

(Pocket :: getpocket.com, enhancement)

x86_64
Linux
enhancement
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: gene, Assigned: digi)

Details

Hey :digi,
Please deploy a CloudFormation stack in the pocket-readitlater AWS account, which is the Organization / consolidated billing parent of all Pocket accounts.

This is the template

https://s3.amazonaws.com/infosec-cloudformation-templates/organization-reader-iam-role.json

This will delegate rights from the mofo-ops AWS account to the Enterprise Information Security "infosec-prod" AWS account, allowing us to do read operations on the "organizations" product in mofo-ops. This will allow us to list the AWS accounts within MoFo so we know when our security services (auditing, GuardDuty, incident response, etc.) are missing.

I've created a stack with this role in our pocket-readitlater account. Please let me know if you need anything else.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

:digi,
This is not urgent, but are you open to granting this same Organization read permission to the Firefox Services security and operations team? We work with them, and enabling all 4 AWS domains (MoFo, MoCo, Firefox Services, Pocket) to access this information would be useful. If you also had this need, I could coordinate granting it across the other 3 domains (if not, no worries).

Anyhow, if that sounds good (granting Firefox services AWS Organization read permissions), would you do a CloudFormation stack update to your existing stack that creates the role and use this updated template that grants them rights?

https://s3.amazonaws.com/infosec-cloudformation-templates/organization-reader-iam-role.yml

(Note : I've switched from JSON to YAML)

Status: RESOLVED → REOPENED
Flags: needinfo?(bhourigan)
Resolution: FIXED → ---
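The two requests above (a cross-account role that lets infosec-prod read the Organization, then a stack update that adds a second trusted account) describe one IAM role. The template below is an added illustration of what such a role looks like in CloudFormation; it is not the organization-reader-iam-role template linked in the bug, and the account IDs used as parameter defaults are placeholders, since the real infosec-prod and Firefox Services account IDs are not on this page. Only the role name Organization-Reader and the Pocket account ID 996905175585 come from the thread.

```yaml
# Added example, not the template referenced in this bug.
# Trusted account IDs below are placeholders (assumption); substitute the
# real infosec-prod and Firefox Services account IDs when deploying.
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Cross-account read-only access to AWS Organizations, deployed in the
  Organization management (consolidated billing) account.

Parameters:
  InfosecAccountId:
    Type: String
    Description: Account allowed to assume the role (placeholder value)
    Default: '111111111111'
    AllowedPattern: '^[0-9]{12}$'
  FirefoxServicesAccountId:
    Type: String
    Description: Second trusted account added by the stack update (placeholder)
    Default: '222222222222'
    AllowedPattern: '^[0-9]{12}$'

Resources:
  OrganizationReaderRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Organization-Reader
      # Trust policy: only these two accounts may call sts:AssumeRole on the
      # role. A bare account ID as the AWS principal is equivalent to
      # arn:aws:iam::<id>:root, so any identity in that account that is itself
      # allowed sts:AssumeRole can use it; narrow to a specific role ARN if
      # the trusted account wants tighter control.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref InfosecAccountId
                - !Ref FirefoxServicesAccountId
            Action: sts:AssumeRole
      # Permissions: read-only on the Organizations API. No organizations:Create*,
      # Attach*, Move*, Remove* or Invite* actions, so the role cannot change
      # account membership, OUs or SCPs.
      Policies:
        - PolicyName: OrganizationReadOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - organizations:Describe*
                  - organizations:List*
                Resource: '*'

Outputs:
  RoleArn:
    Description: ARN the trusted accounts assume (996905175585 is the Pocket payer account)
    Value: !GetAtt OrganizationReaderRole.Arn
```

Two things worth checking before and after deploying. First, the stack has to live in the management account of the Organization: organizations:ListAccounts and DescribeOrganization only return the full account list when called from the management account (or a delegated administrator), which is why the bug asks for the consolidated billing parent rather than a member account. Second, adding a trusted account later is a stack update that changes only the trust policy; the permissions policy stays read-only, so the blast radius of the new principal is limited to enumerating accounts. From a trusted account the role is exercised with `aws sts assume-role --role-arn arn:aws:iam::996905175585:role/Organization-Reader --role-session-name org-audit` followed by `aws organizations list-accounts` using the returned temporary credentials; a write call such as `aws organizations create-account` should fail with AccessDenied.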

(In reply to Gene Wood [:gene] from comment #2)

:digi,
This is not urgent, but are you open to granting this same Organization
read permission to the Firefox Services security and operations team. We
work with them and enabling all 4 AWS domains (Mofo, Moco, Firefox Services,
Pocket) to access this information would be useful. If you also had this
need I could coordinate granting it across the other 3 domains (if not no
worries)

Yes. Matt, are you ok with this?

Flags: needinfo?(bhourigan) → needinfo?(matt)

:digi :gene Apologies for delay. I am comfortable with read access here.

Flags: needinfo?(matt)

(In reply to Matt Koidin from comment #4)

:digi :gene Apologies for delay. I am comfortable with read access here.

No problem, thanks!

(In reply to Gene Wood [:gene] from comment #2)

:digi,
Anyhow, if that sounds good (granting Firefox services AWS Organization read
permissions), would you do a CloudFormation stack update to your existing
stack that creates the role and use this updated template that grants them
rights?

Done

Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

Thanks!

This makes the new role ARN

arn:aws:iam::996905175585:role/Organization-Reader

Status: RESOLVED → VERIFIED