Update the InfosecSecurityAuditRoles

[jwhitlock]

Requested by @gene1wood in bug 1526077. There does not appear to be a Terraform rule for any existing CloudFormation configuration.

[gene1wood]

Mozilla Enterprise Information Security (EIS) has an update to the security features we provide for your AWS account. You previously deployed the InfosecClientRoles into your account to enable EIS to perform security audits on your account and do security incident response in the case of a security breach.

We have a new CloudFormation template that we'd like to have you update to in order to

• grant additional security auditing read permissions
• change incident response to a role trusting a dedicated incident response AWS account
• enable AWS GuardDuty threat detection service and wire it up to the Mozilla Defense Platform (MozDef)

There are many specifics if you're interested in the README

What we'd like you to do is update your existing CloudFormation stack

• AWS account ID : 884003976652
• AWS region : us-east-1
• CloudFormation stack name : InfosecSecurityAuditRoles

with the new template. Here's how

Update your existing stack

You can either do the update in the AWS web console or on the command line with the awscli tool. You'll be doing a CloudFormation stack update to a new template.

Update in the web console

• Browse to the CloudFormation section

• Select the InfosecSecurityAuditRoles stack by checking the check circle next to it

• In the Actions drop down in the upper right select Update Stack

  • On the Prerequisite - Prepare template screen select Replace current template
  • In the Amazon S3 URL field enter

  https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml

• Click the Next button

• Enter an optional email address to receive notifications at of use of the incident response role

• On the Specify stack details click the Next button

• On the Configure stack options page click the Next button

• On the Review page click the checkbox that says I acknowledge that AWS CloudFormation might create IAM resources.

• Click the Update stack button

• When the CloudFormation stack completes the creation process and the Status field changes from UPDATE_IN_PROGRESS to UPDATE_COMPLETE you're done.

Update on the command line

• Set the EMAIL_ADDRESS that you'd like to receive notifications at if/when the incident response role is ever used. Note : EIS is always notified if the incident response role is ever used.
• The STACK_NAME below is set to your existing InfosecClientRoles stack name
• The REGION below is region in which your existing stack is deployed

EMAIL_ADDRESS=example@example.com
STACK_NAME=InfosecSecurityAuditRoles
REGION=us-east-1
AWS_DEFAULT_REGION=${REGION} aws cloudformation update-stack \
  --stack-name ${STACK_NAME} \
  --template-url https://s3.amazonaws.com/public.us-west-2.infosec.mozilla.org/infosec-security-roles/cf/infosec-security-audit-incident-response-guardduty-roles-cloudformation.yml \
  --parameters ParameterKey=EmailAddress,ParameterValue=${EMAIL_ADDRESS} \
  --capabilities CAPABILITY_IAM

How do you like to be contacted?

Finally, if in the future you'd like to be contacted through a different channel (GitHub issue, Bugzilla ticket, ServiceNow, email, etc) for this type of thing or if there's a better person or place to make this request, do let us know.

Related tickets

• Bug 1526077 2019 Mozilla AWS Security Refresh : Update your CloudFormation stacks for project-link
• Bug 1517060 AWS Security Refresh 2018 Tracking Bug

[gene1wood]

@limed can you help with this stack update?

[limed]

@limed can you help with this stack update?

Yep this will be on me, thanks

@jwhitlock Just fyi the infosec roles are part of our account deployment

[limed]

This is done in PR nubisproject/nubis-accounts-nubis#119 unfortunately because we use git-crypt for those repos you can't see the diff but I double checked on the MDN account side and the new infosec cfn template did apply

[gene1wood]

@limed Was this deployed, because if so I don't think it worked as I'm not seeing the roles on my side.

[gene1wood]

@limed determined that the account that he updated was 178589013767 not the one requested in this ticket of 884003976652.

I've reopened Bug 1526077 to try to get 884003976652 updated.

[jwhitlock]

Sorry @limed, I was confused about this issue. I thought that "project-link" was the code name for Mozilla Enterprise Information Security's security feature. Instead, it appears to be the AWS account used for a connected devices project.