You should be using the customer T&E charge code. If you don't have one you can put the time into a suspense code and switch it to the correct timecode when you get it. The suspense code is: SSPNS.500.001.001 Contract Civilian Sus Lbr.
AFS Help -> Submit a request -> non standard software and pre-approved project management tools -> cloud managed services
CFM approver: jordana.lang
P104 approver: jennifer.l.combs
VERY Helpful Guy to fill out the AWS request: Osman Soofi. osman.soofi@accenturefederal.com
AFS Support will send you two login URLs and passwords per account (one for commercial, one for govcloud).
Install the aws-mfa utility. This fork will be handling your long-term access keys, so review its changes before you run it:
# This is a patched version to include govcloud support
git clone https://github.com/duckfez/aws-mfa.git
# Do whatever your process is for making this executable
# (symlink into /usr/local/bin, copy it onto your PATH, etc.)
ln -s /path_to_repo/aws-mfa/aws-mfa /usr/local/bin/aws-mfa
# Optional: change the #! line in aws-mfa to /usr/bin/env python3
For this step, you can do both the Commercial account and the GovCloud account at the same time.
Vault locations:
engineering/cloud/aws/root-creds/mdr-prod-${CUSTOMERPREFIX} holds the root credentials for the new account, with the root MFA secrets in the commercial_mfa_secret and gov_mfa_secret fields.
The shared MDRAdmin entry in Vault is engineering/cloud/aws/root-creds/AllAccounts-MDRAdmin.
The IAM user AFS Support hands over is normally IAMAdmin, but it may be MDRAdmin. We have things that expect it to be MDRAdmin, so if the account comes with IAMAdmin we need to create MDRAdmin.
Add the IAMAdmin MFA device to your personal virtual authenticator and log in as IAMAdmin with MFA.
Create the MDRAdmin user in the AWS Console: attach IAMUserChangePassword directly to the user and put the user in the camrs-group-iam group.
Log out of IAMAdmin and log in as MDRAdmin.
Follow cloud-accounts.md to configure the MFA token for the root account and store it in the matching *_mfa_secret field in Vault.
Create AWS access keys for the MDRAdmin user. Store them for later use.
Remove IAMAdmin from AWS and from your personal virtual authenticator.
Repeat for additional accounts and retain the AWS access keys for later use.
Starting with the Commercial AWS account, if applicable, add the access and secret keys to your local ~/.aws/credentials file (vim ~/.aws/credentials) as a temporary profile called tmp-long-term:
[tmp-long-term]
aws_access_key_id = <blah>
aws_secret_access_key = <blah>
aws_mfa_device = arn:{partition}:iam::{account}:mfa/MDRAdmin
Partition should be aws or aws-us-gov.
Region should be us-east-1 or us-gov-east-1.
Run aws-mfa --profile tmp --region={region} (note: no -long-term suffix, because the script assumes it). aws-mfa reads tmp-long-term and writes the MFA session credentials to the tmp profile, which is what the later steps use. To switch from gov to commercial use the --force flag.
Verify account number: AWS_PROFILE=tmp aws sts get-caller-identity --region={region}
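As an added check (not part of the original runbook), the POSIX shell helpers below build the tmp-long-term stanza for either partition and verify the output of aws sts get-caller-identity against the account and partition you expect before terragrunt touches it. The account number 123456789012, the SAMPLE_GOV_IDENTITY JSON and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example for this runbook (not part of the original page): derive the
# partition-specific values used above and sanity-check the identity that
# `aws sts get-caller-identity` reports before running terragrunt.
# Assumed/constructed: account 123456789012 and the SAMPLE_GOV_IDENTITY JSON.

# side is "gov" or "commercial"; prints the ARN partition for that side.
partition_for() {
  case "$1" in
    gov)        echo "aws-us-gov" ;;
    commercial) echo "aws" ;;
    *) echo "unknown side: $1" >&2; return 1 ;;
  esac
}

# Region the runbook uses for each side.
region_for() {
  case "$1" in
    gov)        echo "us-gov-east-1" ;;
    commercial) echo "us-east-1" ;;
    *) echo "unknown side: $1" >&2; return 1 ;;
  esac
}

# Value for aws_mfa_device in the tmp-long-term profile.
mfa_arn() {
  printf 'arn:%s:iam::%s:mfa/MDRAdmin\n' "$(partition_for "$1")" "$2"
}

# Prints the [tmp-long-term] stanza for ~/.aws/credentials.
credentials_stanza() {
  side=$1; account=$2; key_id=$3; secret=$4
  printf '[tmp-long-term]\n'
  printf 'aws_access_key_id = %s\n' "$key_id"
  printf 'aws_secret_access_key = %s\n' "$secret"
  printf 'aws_mfa_device = %s\n' "$(mfa_arn "$side" "$account")"
}

# check_identity EXPECTED_ACCOUNT SIDE JSON
# JSON is the output of `aws sts get-caller-identity`. Succeeds only when the
# Account field matches and the Arn is in the expected partition, so a stale
# [tmp] profile from the other account cannot slip through into terragrunt apply.
check_identity() {
  expected_account=$1; side=$2; json=$3
  account=$(printf '%s\n' "$json" | sed -n 's/.*"Account": *"\([0-9]*\)".*/\1/p')
  arn=$(printf '%s\n' "$json" | sed -n 's/.*"Arn": *"\([^"]*\)".*/\1/p')
  partition=${arn#arn:}; partition=${partition%%:*}
  if [ "$account" != "$expected_account" ]; then
    echo "account mismatch: got '$account', expected '$expected_account'" >&2
    return 1
  fi
  if [ "$partition" != "$(partition_for "$side")" ]; then
    echo "partition mismatch: got '$partition' from '$arn'" >&2
    return 1
  fi
  return 0
}

# Constructed sample of what a GovCloud MFA session for MDRAdmin reports.
SAMPLE_GOV_IDENTITY='{
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws-us-gov:iam::123456789012:user/MDRAdmin"
}'

# Live usage against a real session (not run here):
#   check_identity "$ACCOUNT" gov \
#     "$(AWS_PROFILE=tmp aws sts get-caller-identity --region "$(region_for gov)")" \
#     && terragrunt apply
```

The partition check matters as much as the account number: after a --force switch, a tmp profile that still points at the other partition will fail in a confusing way inside terragrunt rather than at this step.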
Update and branch the xdr-terraform-live Git repo (see below).
Name the branch feature/${INITIALS}_${TICKET}_CustomerSetup_${CUSTOMERPREFIX}. This branch will be used in future steps.
Create a copy of the account skeleton (see below).
Change directories to where you have the xdr-terraform-live git repo and set the CUSTOMERPREFIX variable:
CUSTOMERPREFIX=<customer-prefix>
INITIALS=bp   # your initials
TICKET=MSOCI-<ticket number>
# cd to xdr-terraform-live folder
git checkout master
git fetch --all
git pull origin master
git checkout -b feature/${INITIALS}_${TICKET}_CustomerSetup_${CUSTOMERPREFIX}
If the account is NOT GOING TO BE USED, run these commands. NOTE: this would probably only be the commercial account. This is done so the AWS account is properly managed and not forgotten about.
cp -r 000-skeleton/ prod/aws/mdr-prod-${CUSTOMERPREFIX}
cd prod/aws/mdr-prod-${CUSTOMERPREFIX}
echo "This account is unused" > UNUSED.ACCOUNT
rm -rf 010-vpc-splunk/ 021-qualys-connector-role/ 025-test-instance/ 072-salt-master-inventory-role/ 140-splunk-frozen-bucket/ 150-splunk-cluster-master/ 160-splunk-indexer-cluster/ 170-splunk-searchhead/ 180-splunk-heavy-forwarder/
vim README.md # Add a description of the account
vim account.hcl # Fill in all "TODO" items, but leave "LATER" items (such as qualys) to be completed later.
update_refs --newtag <LATEST TAG>
cd ../../../
For accounts that will be used (e.g. GovCloud):
cp -r 000-skeleton/ prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
cd prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
vim README.md # Add a description of the account
vim account.hcl # Fill in all "TODO" items, but leave "LATER" items (such as qualys) to be completed later. If you don't know the LCP IPs yet, comment out the splunk_data_sources cidr.
update_refs --newtag <LATEST TAG>
# if needed cd to commerical dir for next steps
cd ../../../aws/mdr-prod-${CUSTOMERPREFIX}
These steps should be run on both the Commercial and GovCloud accounts. Start with the Commercial account to use the AWS keys.
cd into the IAM directory
cd 005-iam
Double-check / fix the profile
vim terragrunt.hcl
# Check TODO items, make sure the profile (tmp) listed is right / matches what you have in above step
Apply the configuration:
saml2aws -a commercial login
saml2aws -a govcloud login
terragrunt init
terragrunt validate
terragrunt apply
If terragrunt apply hangs and doesn't do anything, your MFA session has expired and you need to authenticate with aws-mfa again.
Comment out the provisioning provider block and validate that terragrunt can be applied with the normal xdr-terraformer roles from the root account.
vim terragrunt.hcl
# comment out the provider generation parts
terragrunt apply
# Should be no changes
Repeat for the GovCloud account. Be sure to update your ~/.aws/credentials. Both the GovCloud and Commercial accounts need to be configured.
cd ../../../aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
Attempt to log in to the new account via the browser Switch Role. Start from the Common Services account and switch to the new account using user/mdr_terraformer as the role. If everything works correctly, delete the AWS access keys from the MDRAdmin user in both Commercial and GovCloud, as well as the IAMAdmin user and its personal MFA, unless you already did. Update files/config and add the new account to the shared AWS configuration. The new configuration should match this format.
vim ~/.aws/config
GovCloud Format
[profile mdr-prod-${CUSTOMERPREFIX}-gov]
role_arn = arn:aws-us-gov:iam::{account}:role/user/mdr_terraformer
region = us-gov-east-1
color = ff1a1a
source_profile = govcloud
Add the new AWS Config to your browser plugin, if applicable.