NASA-IMPACT / nasa-apt

Code and issues relevant to the NASA APT project
Apache License 2.0

MCP: Ensure CloudFront distributions use SNI to serve HTTPS requests #882

Open bwbaker1 opened 1 month ago

bwbaker1 commented 1 month ago

Description

MCP and Tenant have shared responsibility to ensure compliance with the MCP System Security Plan. MCP relies on the AWS Security Hub service to identify and track compliance with known security standards, as discussed in the service documentation.

The CloudFront distributions should use SNI to serve HTTPS requests as per AWS Foundational Security Best Practices.

See Using SNI to Serve HTTPS Requests

Resources non-compliant:

  - arn:aws:cloudfront::237694371684:distribution/E1COX9APJFTK2X
  - arn:aws:cloudfront::237694371684:distribution/E26TIGKCB37R81
  - arn:aws:cloudfront::237694371684:distribution/E2HG14BAFN6FZ5

The OpenSearch domain needs the latest software installed for the following resource:

arn:aws:es:us-west-2:237694371684:domain/api-lambda-prod-v2-osdomain

Acceptance Criteria

bwbaker1 commented 1 month ago

@wrynearson Current deadline is August 23, but can probably get this extended if needed.

wrynearson commented 1 month ago

Thanks @bwbaker1. @jjfrench, could you look into this when you have time?

cc @sunu

jjfrench commented 1 month ago

Still waiting for APT AWS access

wrynearson commented 1 month ago

@bwbaker1 we're blocked on production releases until @jjfrench gets access

wrynearson commented 1 month ago

Never mind, @jjfrench now has access

jjfrench commented 3 weeks ago

Sorry, just now getting time to address this. We just need to add a cert for these CloudFront distributions to use - is there one we should be importing for an already existing domain? i.e. since this routes to https://www.earthdata.nasa.gov/apt/ should we be using the www.earthdata.nasa.gov cert? (wherever that may be)

@ChrisPhillips1024 Do you know the answer to this?

wrynearson commented 3 weeks ago

@bwbaker1 might know the answer to that, or could tag the person who would.

jjfrench commented 2 weeks ago

@ChrisPhillips1024 , not sure if editing the comment above notified you - Do you know how we should proceed with applying a cert?

ChrisPhillips1024 commented 2 weeks ago

Sorry, I didn't see the notification to this post. I JUST tracked down the method for generating these certs. I got one set up in the Misc-Prod account for impact.earthdata.nasa.gov for their 3 CFs that require it. The process should be the same for APT if it matches the same domain. Here's the steps that need to be taken to request the Cert in ACM:

In the AWS Console

  1. Ensure your Region is set to US-East-1 in ACM for the cert to be visible to the CloudFronts
  2. Open a Cert request for your domain (earthdata.nasa.gov)
  3. Choose Email Validation
  4. There is a field for Validation Domain. Enter "nasa.gov"
  5. Submit the Cert Request
  6. Enter the cert page for the new cert and verify the Registered Owners field is filled with .nasa.gov instead of earthdata.nasa.gov entries, and then click "Resend Validation Email" 2 or 3 times.
  7. Send an email with the Account Number and the Cert ARN to webmaster@nasa.gov and inform them of the cert request they should have received.

If CLI is required (CERTIFICATE_ARN is the ARN returned by the request-certificate call):

  aws acm request-certificate --domain-name REQUIREDDOMAIN --validation-method EMAIL --region us-east-1
  aws acm resend-validation-email --certificate-arn CERTIFICATE_ARN --domain REQUIREDDOMAIN --validation-domain nasa.gov --region us-east-1
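Once the ACM certificate exists, the remaining work is on the CloudFront side: each distribution's ViewerCertificate block has to reference that certificate and use SSLSupportMethod "sni-only". The script below is an added example, not code from this thread or from the nasa-apt repository. It audits ViewerCertificate blocks shaped like `aws cloudfront get-distribution-config` output and builds the corrected block. The distribution IDs, account number and certificate ARNs in it are constructed placeholders; it treats the default *.cloudfront.net certificate as a finding because the fix discussed here is to attach a custom certificate, and it rejects certificates outside us-east-1 because CloudFront only attaches ACM certificates from that region (the step 1 warning above).

```python
"""Audit CloudFront ViewerCertificate settings for the Security Hub control
"CloudFront distributions should use SNI to serve HTTPS requests", and build
the corrected block to send back with `aws cloudfront update-distribution`.

All distribution IDs, account numbers and certificate ARNs below are
constructed placeholders for this example, not real resources.
"""
from __future__ import annotations

import json
import re

# Constructed samples shaped like the DistributionConfig part of
# `aws cloudfront get-distribution-config` output (other keys omitted).
SAMPLE_DISTRIBUTIONS: dict[str, dict] = {
    # Default *.cloudfront.net certificate: no custom cert, no SNI setting at all.
    "EXAMPLEDEFAULT": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True,
        "MinimumProtocolVersion": "TLSv1",
        "CertificateSource": "cloudfront"}},
    # Custom ACM cert, but served from a dedicated IP instead of SNI.
    "EXAMPLEVIP": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/placeholder-vip",
        "SSLSupportMethod": "vip",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CertificateSource": "acm"}},
    # Custom cert requested in the wrong region: CloudFront cannot attach it.
    "EXAMPLEREGION": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-west-2:111122223333:certificate/placeholder-west",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CertificateSource": "acm"}},
    # Compliant: ACM cert from us-east-1 served with SNI.
    "EXAMPLESNI": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/placeholder-sni",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CertificateSource": "acm"}},
}

ACM_ARN_RE = re.compile(r"^arn:aws:acm:(?P<region>[a-z0-9-]+):\d{12}:certificate/[0-9a-z-]+$")
CLOUDFRONT_CERT_REGION = "us-east-1"  # CloudFront only attaches ACM certs from this region


def check_viewer_certificate(distribution_config: dict) -> list[str]:
    """Return human-readable findings; an empty list means the block is compliant."""
    vc = distribution_config.get("ViewerCertificate", {})
    findings: list[str] = []
    if vc.get("CloudFrontDefaultCertificate"):
        findings.append("default *.cloudfront.net certificate in use; attach a custom ACM certificate")
    arn = vc.get("ACMCertificateArn")
    if arn:
        match = ACM_ARN_RE.match(arn)
        if not match:
            findings.append(f"ACMCertificateArn {arn!r} is not a well-formed ACM certificate ARN")
        elif match.group("region") != CLOUDFRONT_CERT_REGION:
            findings.append(f"certificate lives in {match.group('region')}; CloudFront requires {CLOUDFRONT_CERT_REGION}")
    method = vc.get("SSLSupportMethod")
    if method != "sni-only":
        findings.append(f"SSLSupportMethod is {method!r}; expected 'sni-only'")
    return findings


def remediated_viewer_certificate(cert_arn: str, min_tls: str = "TLSv1.2_2021") -> dict:
    """Build the ViewerCertificate block that satisfies the control.

    Refuses certificates outside us-east-1 so the mistake the thread warns about
    (cert not visible to CloudFront) fails here rather than at update time.
    """
    match = ACM_ARN_RE.match(cert_arn)
    if not match or match.group("region") != CLOUDFRONT_CERT_REGION:
        raise ValueError(f"ACM certificate must be in {CLOUDFRONT_CERT_REGION}: {cert_arn!r}")
    return {
        "ACMCertificateArn": cert_arn,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": min_tls,
        "CloudFrontDefaultCertificate": False,
    }


def audit(distributions: dict[str, dict]) -> dict[str, list[str]]:
    """Map each distribution ID to its findings (empty list == compliant)."""
    return {dist_id: check_viewer_certificate(cfg) for dist_id, cfg in distributions.items()}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DISTRIBUTIONS), indent=2))
    # Remediate the dedicated-IP sample and confirm the checker is satisfied.
    fixed = dict(SAMPLE_DISTRIBUTIONS["EXAMPLEVIP"])
    fixed["ViewerCertificate"] = remediated_viewer_certificate(
        SAMPLE_DISTRIBUTIONS["EXAMPLEVIP"]["ViewerCertificate"]["ACMCertificateArn"])
    assert check_viewer_certificate(fixed) == []
    print(json.dumps(fixed["ViewerCertificate"], indent=2))
```

To apply the corrected block to a real distribution, fetch the current config and ETag with `aws cloudfront get-distribution-config --id DISTRIBUTION_ID`, replace its ViewerCertificate section with the output of `remediated_viewer_certificate`, and push it back with `aws cloudfront update-distribution --id DISTRIBUTION_ID --if-match ETAG --distribution-config file://config.json`; Security Hub re-evaluates the control after the distribution finishes deploying.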