Open bwbaker1 opened 1 month ago
@wrynearson Current deadline is August 23, but can probably get this extended if needed.
Thanks @bwbaker1. @jjfrench, could you look into this when you have time?
cc @sunu
Still waiting for APT AWS access
@bwbaker1 we're blocked on production releases until @jjfrench gets access
Never mind, @jjfrench now has access
Sorry, just now getting time to address this. We just need to add a cert for these CloudFront distributions to use - is there one we should be importing for an already existing domain? i.e. since this routes to https://www.earthdata.nasa.gov/apt/ should we be using the www.earthdata.nasa.gov cert? (wherever that may be)
@ChrisPhillips1024 Do you know the answer to this?
@bwbaker1 might know the answer to that, or could tag the person who would.
@ChrisPhillips1024, not sure if editing the comment above notified you - do you know how we should proceed with applying a cert?
Sorry, I didn't see the notification to this post. I JUST tracked down the method for generating these certs. I got one set up in the Misc-Prod account for impact.earthdata.nasa.gov for their 3 CFs that require it. The process should be the same for APT if it matches the same domain. Here are the steps that need to be taken to request the cert in ACM:
In the AWS Console
If CLI is required:
aws acm request-certificate --domain-name REQUIREDDOMAIN --validation-method EMAIL --region us-east-1
aws acm resend-validation-email --certificate-arn CERTIFICATE_ARN --domain REQUIREDDOMAIN --validation-domain nasa.gov
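Once the certificate is issued, each distribution still has to reference it and serve it over SNI. The check below is an added example, not part of the thread or of any project tooling: it assumes you pass it the `DistributionConfig` object returned by `aws cloudfront get-distribution-config`, and the distribution IDs, account number and ARNs in the sample are constructed placeholders.

```python
import json

# Constructed sample: per-distribution DistributionConfig objects, trimmed to
# ViewerCertificate. IDs, account number and ARNs are placeholders.
SAMPLE = json.loads("""
{
  "EXAMPLE-DEFAULT": {"ViewerCertificate": {"CloudFrontDefaultCertificate": true}},
  "EXAMPLE-VIP": {"ViewerCertificate": {
      "ACMCertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE",
      "SSLSupportMethod": "vip"}},
  "EXAMPLE-REGION": {"ViewerCertificate": {
      "ACMCertificateArn": "arn:aws:acm:us-west-2:111111111111:certificate/EXAMPLE",
      "SSLSupportMethod": "sni-only"}},
  "EXAMPLE-OK": {"ViewerCertificate": {
      "ACMCertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE",
      "SSLSupportMethod": "sni-only"}}
}
""")

def sni_findings(distribution_config):
    """Return reasons the distribution is not serving a custom cert over SNI."""
    vc = distribution_config.get("ViewerCertificate") or {}
    if vc.get("CloudFrontDefaultCertificate"):
        return ["default *.cloudfront.net certificate, no custom certificate attached"]
    findings = []
    arn = vc.get("ACMCertificateArn")
    if not arn and not vc.get("IAMCertificateId"):
        findings.append("no ACM or IAM certificate referenced")
    elif arn:
        parts = arn.split(":")
        region = parts[3] if len(parts) > 3 else ""
        if region != "us-east-1":  # CloudFront only uses ACM certs from us-east-1
            findings.append(f"ACM certificate is in {region or 'unknown region'}, "
                            "CloudFront only accepts us-east-1")
    method = vc.get("SSLSupportMethod")
    if method != "sni-only":  # other values are dedicated-IP modes
        findings.append(f"SSLSupportMethod is {method!r}, expected 'sni-only'")
    return findings

def audit(configs):
    return {dist_id: sni_findings(cfg) for dist_id, cfg in configs.items()}

if __name__ == "__main__":
    for dist_id, problems in audit(SAMPLE).items():
        print(dist_id, "OK" if not problems else "; ".join(problems))
```
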
Description
MCP and Tenant have shared responsibility to ensure compliance with the MCP System Security Plan. MCP relies on the AWS security hub service to identify and track compliance with known security standards as discussed in the service documentation.
The CloudFront distributions should use SNI to serve HTTPS requests as per AWS Foundational Security Best Practices.
See Using SNI to Serve HTTPS Requests
Resources non-compliant:
arn:aws:cloudfront::237694371684:distribution/E1COX9APJFTK2X
arn:aws:cloudfront::237694371684:distribution/E26TIGKCB37R81
arn:aws:cloudfront::237694371684:distribution/E2HG14BAFN6FZ5
The OpenSearch domain needs the latest software installed for the following resource:
arn:aws:es:us-west-2:237694371684:domain/api-lambda-prod-v2-osdomain
Acceptance Criteria