Closed jwhitlock closed 5 years ago
Mozilla Enterprise Information Security (EIS) has an update to the security features we provide for your AWS account. You previously deployed the InfosecClientRoles into your account to enable EIS to perform security audits on your account and do security incident response in the case of a security breach.
We have a new CloudFormation template that we'd like to have you update to in order to
There are many specifics if you're interested in the README
What we'd like you to do is update your existing CloudFormation stack with the new template. Here's how:
You can either do the update in the AWS web console or on the command line with the awscli tool. You'll be doing a CloudFormation stack update to a new template.
Browse to the CloudFormation section
Select the InfosecSecurityAuditRoles stack by checking the check circle next to it
In the Actions drop down in the upper right select Update Stack
Prerequisite - Prepare template screen select Replace current template
Amazon S3 URL field enter
Click the Next button
Enter an optional email address at which to receive notifications of use of the incident response role
On the Specify stack details click the Next button
On the Configure stack options page click the Next button
On the Review page click the checkbox that says I acknowledge that AWS CloudFormation might create IAM resources.
Click the Update stack button
When the CloudFormation stack completes the creation process and the Status field changes from UPDATE_IN_PROGRESS to UPDATE_COMPLETE you're done.
```shell
EMAIL_ADDRESS=example@example.com
STACK_NAME=InfosecSecurityAuditRoles
REGION=us-east-1
AWS_DEFAULT_REGION="${REGION}" aws cloudformation update-stack \
  --stack-name "${STACK_NAME}" \
  --template-url https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml \
  --parameters "ParameterKey=EmailAddress,ParameterValue=${EMAIL_ADDRESS}" \
  --capabilities CAPABILITY_IAM
```
Finally, if in the future you'd like to be contacted through a different channel (GitHub issue, Bugzilla ticket, ServiceNow, email, etc) for this type of thing or if there's a better person or place to make this request, do let us know.
@limed can you help with this stack update?
Yep this will be on me, thanks
@jwhitlock Just FYI, the infosec roles are part of our account deployment.
This is done in PR nubisproject/nubis-accounts-nubis#119. Unfortunately, because we use git-crypt for those repos, you can't see the diff, but I double-checked on the MDN account side and the new infosec cfn template did apply.
@limed Was this deployed, because if so I don't think it worked as I'm not seeing the roles on my side.
@limed determined that the account that he updated was 178589013767, not the one requested in this ticket of 884003976652.
I've reopened Bug 1526077 to try to get 884003976652 updated.
Sorry @limed, I was confused about this issue. I thought that "project-link" was the code name for Mozilla Enterprise Information Security's security feature. Instead, it appears to be the AWS account used for a connected devices project.
Requested by @gene1wood in bug 1526077. There does not appear to be a Terraform rule for any existing CloudFormation configuration.
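
The mix-up in this thread (the template was applied in account 178589013767 rather than 884003976652) can be caught before the update runs. The following is an added example, not part of the original issue or of Mozilla's tooling: it wraps the same `update-stack` call in an `aws sts get-caller-identity` check and waits for the result. The function names `verify_account` and `guarded_update` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: refuse to update the stack unless the active credentials
# belong to the account named in the request. Function names are hypothetical.
TEMPLATE_URL="https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml"

# Return 0 only when the caller's account ID equals the expected one.
verify_account() {
  local expected="$1" actual
  actual="$(aws sts get-caller-identity --query Account --output text)" || return 2
  if [ "$actual" != "$expected" ]; then
    echo "refusing: credentials are for account ${actual}, expected ${expected}" >&2
    return 1
  fi
}

# Check the account, update the stack, wait for completion, print the final status.
guarded_update() {
  local expected="$1" stack="$2" region="$3" email="$4"
  verify_account "$expected" || return $?
  aws cloudformation update-stack --region "$region" \
    --stack-name "$stack" \
    --template-url "$TEMPLATE_URL" \
    --parameters "ParameterKey=EmailAddress,ParameterValue=${email}" \
    --capabilities CAPABILITY_IAM || return 3
  # Blocks until UPDATE_COMPLETE; exits non-zero on rollback or timeout.
  aws cloudformation wait stack-update-complete \
    --region "$region" --stack-name "$stack" || return 4
  aws cloudformation describe-stacks --region "$region" --stack-name "$stack" \
    --query 'Stacks[0].StackStatus' --output text
}

# Usage:
#   guarded_update 884003976652 InfosecSecurityAuditRoles us-east-1 example@example.com
```

Return code 1 means the credentials point at a different account and nothing was changed; 3 and 4 mean the update call or the wait failed.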