EIS read access to Pocket AWS Organization
Categories: Pocket :: getpocket.com, enhancement
Tracking: Not tracked
People: Reporter: gene, Assigned: digi
Details
Hey :digi,
Please deploy a CloudFormation stack in the pocket-readitlater AWS account, which is the Organization / consolidated billing parent of all Pocket accounts.
This is the template:
https://s3.amazonaws.com/infosec-cloudformation-templates/organization-reader-iam-role.json
This will delegate rights from the mofo-ops AWS account to the Enterprise Information Security "infosec-prod" AWS account, allowing us to do read operations on the "organizations" product in mofo-ops. This will allow us to list the AWS accounts within MoFo so we know when our security services (auditing, GuardDuty, incident response, etc.) are missing.
Comment 1 (Assignee) • 6 years ago
I've created a stack with this role in our pocket-readitlater account. Please let me know if you need anything else.
Comment 2 (Reporter) • 6 years ago
:digi,
This is not urgent, but are you open to granting this same Organization read permission to the Firefox Services security and operations team? We work with them, and enabling all 4 AWS domains (MoFo, MoCo, Firefox Services, Pocket) to access this information would be useful. If you also had this need I could coordinate granting it across the other 3 domains (if not, no worries).
Anyhow, if that sounds good (granting Firefox Services AWS Organization read permissions), would you do a CloudFormation stack update to your existing stack that creates the role and use this updated template that grants them rights?
https://s3.amazonaws.com/infosec-cloudformation-templates/organization-reader-iam-role.yml
(Note: I've switched from JSON to YAML.)
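To make the delegation described in the bug description and in comment 2 concrete, here is an added example template. It is written for this page and is not the organization-reader-iam-role template linked above (whose contents are not shown here); the two trusted account IDs are parameters with placeholder values, since the page names the accounts but not their IDs.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Example only: a read-only Organization-Reader role in the Organization
  parent account that named external accounts may assume.

Parameters:
  InfosecProdAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: EIS infosec-prod account ID (placeholder, not given on the page)
  FirefoxServicesAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: Firefox Services account ID added in comment 2 (placeholder)

Resources:
  OrganizationReaderRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Organization-Reader
      # Trust policy: only the two named accounts may sts:AssumeRole into
      # this role. Adding the second principal is the "stack update" step.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${InfosecProdAccountId}:root'
                - !Sub 'arn:aws:iam::${FirefoxServicesAccountId}:root'
      # Permissions policy: read-only Organizations calls (ListAccounts,
      # DescribeOrganization, ...) and nothing that can change the org.
      Policies:
        - PolicyName: OrganizationReadOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - organizations:Describe*
                  - organizations:List*
                Resource: '*'

Outputs:
  OrganizationReaderRoleArn:
    Description: ARN the trusted accounts pass to sts:AssumeRole
    Value: !GetAtt OrganizationReaderRole.Arn
```

Deploying this in the Organization parent account yields a role ARN of the form arn:aws:iam::<parent-account-id>:role/Organization-Reader, which is what the trusted accounts need to enumerate member accounts; because the permissions policy grants only Describe* and List*, a compromise of the reader side cannot alter the Organization.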
Comment 3 (Assignee) • 6 years ago
(In reply to Gene Wood [:gene] from comment #2)
> :digi,
> This is not urgent, but are you open to granting this same Organization
> read permission to the Firefox Services security and operations team. We
> work with them and enabling all 4 AWS domains (Mofo, Moco, Firefox Services,
> Pocket) to access this information would be useful. If you also had this
> need I could coordinate granting it across the other 3 domains (if not no
> worries)

Yes. Matt, are you ok with this?
Comment 4 • 6 years ago
:digi :gene Apologies for delay. I am comfortable with read access here.
Comment 5 (Assignee) • 6 years ago
(In reply to Matt Koidin from comment #4)
> :digi :gene Apologies for delay. I am comfortable with read access here.

No problem, thanks!

(In reply to Gene Wood [:gene] from comment #2)
> :digi,
> Anyhow, if that sounds good (granting Firefox services AWS Organization read
> permissions), would you do a CloudFormation stack update to your existing
> stack that creates the role and use this updated template that grants them
> rights?

Done
Comment 6 (Reporter) • 6 years ago
Thanks!
This makes the new role ARN:
arn:aws:iam::996905175585:role/Organization-Reader