# Infrastructure

Source: https://github.com/osquery/infrastructure ("terraform for osquery infrastructure").

This is a management repo for the osquery project's infrastructure.

## Philosophy and Goals

1. Infrastructure as code

- Reduce human errors
- Code review
- PR history

2. Secure by default & least access

## Amazon AWS

These are on seph's personal credit card.
But we expect to stay inside the free tier.

### Credential management: aws-vault

Don't store credentials in `~/.aws/credentials`. Instead, use https://github.com/99designs/aws-vault with MFA enabled; see its documentation for setting up MFA on the AWS profile (`mfa_serial` in `~/.aws/config`).

### AWS Accounts

https://console.aws.amazon.com/organizations/home

| Name             | Account ID   | Email                         | Purpose                            |
| ---------------- | ------------ | ----------------------------- | ---------------------------------- |
| [osquery-org](https://signin.aws.amazon.com/switchrole?roleName=IdentityAccountAccessRole&account=032511868142)      | 032511868142 | infra+aws@osquery.io          | Top level & billing                |
| [osquery-identity](https://signin.aws.amazon.com/switchrole?roleName=IdentityAccountAccessRole&account=834249036484) | 834249036484 | infra+aws-identity@osquery.io | IAM: humans and groups             |
| [osquery-logs](https://signin.aws.amazon.com/switchrole?roleName=IdentityAccountAccessRole&account=072219116274)     | 072219116274 | infra+aws-logs@osquery.io     | CloudWatch Logs                    |
| [osquery-infra](https://signin.aws.amazon.com/switchrole?roleName=IdentityAccountAccessRole&account=107349553668)    | 107349553668 | infra+aws-infra@osquery.io    | Semi-static infra                  |
| [osquery-storage](https://signin.aws.amazon.com/switchrole?roleName=IdentityAccountAccessRole&account=680817131363)  | 680817131363 | infra+aws-storage@osquery.io  | Packages, artifacts                |
| [osquery-dev](https://signin.aws.amazon.com/switchrole?roleName=IdentityAccountAccessRole&account=204725418487)      | 204725418487 | infra+aws-dev@osquery.io      | Dev and test hosts. Initial CI work |

There is a default role for cross-account access, `OrganizationAccountAccessRole`, but it does not fit our setup.
That default assumes human identities are created in `osquery-org`, so its trust is set up between each child account
and that parent. In our setup humans live in `osquery-identity`, so trust must be created between `osquery-identity` and each of the other child accounts.

For each child account we should create an `IdentityAccountAccessRole` role that mimics the "Organization" role but trusts `osquery-identity` instead of `osquery-org`.

### AWS Account Setup Process

AWS account setup is a somewhat cumbersome manual process. Notes about it follow.

Useful URLs:

- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

#### Initial AWS account

The first thing we did was create the `osquery-org` account. This is
the top-level account. It was created using the normal AWS signup flow,
then converted into the organization's management account.

#### Subsequent Child Accounts

Sometimes we need to create additional AWS child accounts. There are a
couple of steps to that.

1. Log in to AWS
2. Find your way to the organization screen
   * https://console.aws.amazon.com/organizations/home?region=us-east-2#/accounts
3. Click "Add account"
   * Name and email should conform to the convention in the table above
   * You can leave the IAM role name at the default `OrganizationAccountAccessRole`
4. **IMPORTANT**: Set a root password and MFA (see below)

**IMPORTANT**: When an AWS account is created this way, it does _not_
have a root password or MFA set. This means the account is vulnerable
to a class of takeover attacks: anyone who can read mail sent to the
account's email address can run the password-reset flow themselves and
become root. The recommended approach is to use the "forgot password"
flow to set a root password and MFA device.
We use a virtual MFA device stored in the same 1Password entry as the root password.

### User Account Setup Process

If you are a TSC member you will have access to the `osquery-identity` root account.
You can log in to the web console and use IAM to create a `$USERNAME-identity` user (or call it whatever you like).

Then, to manage resources in the other accounts, you assume the `IdentityAccountAccessRole` (an administrator role) in the target account.

To log in, use one of the switchrole links. For example:
https://signin.aws.amazon.com/switchrole?roleName=IdentityAccountAccessRole&account=107349553668
switches into `osquery-infra` (see the account table for the others).
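The cross-account trust described under "AWS Accounts" and relied on in "User Account Setup Process", as an added Terraform example. This is not code from the osquery/infrastructure repository. It assumes two provider aliases, `aws.identity` (credentials for `osquery-identity`) and `aws.child` (credentials for the one child account being set up), an IAM group named `tsc-admins` for the humans in `osquery-identity`, and region `us-east-2`; the account IDs and the role name are taken from the table above.

```terraform
# Added example, not the project's own Terraform. Assumptions: provider
# aliases "identity" and "child", group name "tsc-admins", region us-east-2.
# Credentials for both providers come from the environment, e.g.
# `aws-vault exec <profile> -- terraform apply`.

provider "aws" {
  alias  = "identity"
  region = "us-east-2"
}

provider "aws" {
  alias  = "child"
  region = "us-east-2"
}

locals {
  identity_account_id = "834249036484" # osquery-identity (from the table)
  child_account_ids = {                # the other child accounts (from the table)
    logs    = "072219116274"
    infra   = "107349553668"
    storage = "680817131363"
    dev     = "204725418487"
  }
  role_name = "IdentityAccountAccessRole"
}

# ---- In the child account (aws.child) ---------------------------------------
# Mirror of OrganizationAccountAccessRole, but the trusted principal is the
# osquery-identity account rather than osquery-org, and only MFA-backed
# sessions may assume it. A Bool condition on a missing key evaluates false,
# so a plain access key without MFA is denied.
data "aws_iam_policy_document" "child_trust" {
  provider = aws.identity
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.identity_account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "identity_access" {
  provider             = aws.child
  name                 = local.role_name
  assume_role_policy   = data.aws_iam_policy_document.child_trust.json
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "identity_access_admin" {
  provider   = aws.child
  role       = aws_iam_role.identity_access.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# ---- In osquery-identity (aws.identity) -------------------------------------
# Humans live here and hold no direct permissions on the child accounts;
# the group may only assume the role above in each child, and only with MFA.
data "aws_iam_policy_document" "assume_child_roles" {
  provider = aws.identity
  statement {
    actions = ["sts:AssumeRole"]
    resources = [
      for id in values(local.child_account_ids) :
      "arn:aws:iam::${id}:role/${local.role_name}"
    ]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_group" "tsc_admins" {
  provider = aws.identity
  name     = "tsc-admins" # assumed group name
}

resource "aws_iam_group_policy" "tsc_admins_assume" {
  provider = aws.identity
  group    = aws_iam_group.tsc_admins.name
  name     = "assume-identity-access-role"
  policy   = data.aws_iam_policy_document.assume_child_roles.json
}
```

Apply once per child account with `aws.child` pointed at that account. For the very first apply the child only has the default `OrganizationAccountAccessRole`, which trusts `osquery-org`, so that run has to be made with `osquery-org` credentials; afterwards `IdentityAccountAccessRole` exists and day-to-day access never touches the org account. Requiring `aws:MultiFactorAuthPresent` on both the trust policy and the group policy means a leaked long-lived access key for an `osquery-identity` user cannot, by itself, reach any child account.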
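The CLI equivalent of the switchrole link above, as an added `~/.aws/config` example for aws-vault; this is not a file from the repository. The IAM user name `alice-identity`, its virtual MFA device name and the region are assumptions; the account IDs and the role name come from the account table.

```ini
# ~/.aws/config (added example; alice-identity, its MFA device and the region are assumptions)

# The long-lived access key for the IAM user in osquery-identity is stored
# by `aws-vault add osquery-identity`, never written to ~/.aws/credentials.
[profile osquery-identity]
region     = us-east-2
mfa_serial = arn:aws:iam::834249036484:mfa/alice-identity

# Role profiles: aws-vault obtains an MFA-backed session from the source
# profile and then calls sts:AssumeRole on the child account's role, which
# is what the switchrole link does in the console.
[profile osquery-infra]
source_profile = osquery-identity
role_arn       = arn:aws:iam::107349553668:role/IdentityAccountAccessRole
mfa_serial     = arn:aws:iam::834249036484:mfa/alice-identity

[profile osquery-dev]
source_profile = osquery-identity
role_arn       = arn:aws:iam::204725418487:role/IdentityAccountAccessRole
mfa_serial     = arn:aws:iam::834249036484:mfa/alice-identity
```

Run `aws-vault add osquery-identity` once to store the key, then `aws-vault exec osquery-infra -- aws sts get-caller-identity`; aws-vault prompts for the TOTP code and the returned ARN should be an `assumed-role/IdentityAccountAccessRole/...` principal in account 107349553668. If the child role's trust policy requires MFA, omitting `mfa_serial` makes the assume-role call fail, which is the intended behaviour.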