OpsWorks Security
In this section, we will learn the basics of OpsWorks Stacks security.
- IAM controls the credentials used to access resources.
  - OpsWorks Stacks integrates with IAM.
  - IAM can control:
    - How users can interact with OpsWorks Stacks.
    - How OpsWorks Stacks can act on your behalf to access stack resources such as EC2 or S3.
    - How apps running under OpsWorks Stacks can access other AWS resources.
- Managing user-based SSH keys.
- How to use SSH or RDP to connect to instances.
- Updating the instances' operating system.
- Configuring EC2 security groups to control network traffic to and from instances.
- Specifying custom security groups.

User Permissions
- The simplest approach is to attach the IAM AWSOpsWorksFullAccess policy to every IAM user who needs OpsWorks Stacks permissions.
- But this allows the user to perform every OpsWorks Stacks action on every stack.
- Hence, restrict OpsWorks Stacks users to specified actions or resources.
- Control AWS OpsWorks Stacks user permissions by:
  - using the AWS OpsWorks Stacks Permissions page, or
  - attaching an appropriate IAM policy.
- Use the Permissions page to control:
  - Who can access each stack.
  - Which actions each user is allowed to perform on each stack.
  - Who can manage each stack.
  - Who has user-level SSH access and sudo privileges (Linux) or RDP access and administrator privileges (Windows) on each stack's Amazon EC2 instances.

 
Sample workflow for managing user permissions, assuming you are an administrative user:
- Use the IAM console to attach the AWSOpsWorksFullAccess policy to administrative users.
- Create an IAM user for each nonadministrative user with a policy that grants no AWS OpsWorks Stacks permissions.
  - If a user requires access only to AWS OpsWorks Stacks, you might not need to attach a policy at all. You can instead manage their permissions with the AWS OpsWorks Stacks Permissions page.
- Use the AWS OpsWorks Stacks Users page to import the nonadministrative users into AWS OpsWorks Stacks.
- For each stack, use the stack's Permissions page to assign a permission level to each user.
- As needed, customize users' permission levels by attaching an appropriately configured IAM policy.
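As an added example (not from the original page), the kind of "appropriately configured IAM policy" the last step refers to: instead of AWSOpsWorksFullAccess (every action on every stack), it grants roughly Deploy-level actions on a single stack and explicitly denies destructive actions everywhere. The region, account ID and stack ID in the ARN are placeholders, and the mapping of API actions to the Permissions-page levels is my assumption, not something the page states.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeployLevelOnOneStackOnly",
      "Effect": "Allow",
      "Action": [
        "opsworks:DescribeStacks",
        "opsworks:DescribeApps",
        "opsworks:DescribeDeployments",
        "opsworks:DescribeInstances",
        "opsworks:CreateDeployment",
        "opsworks:UpdateApp"
      ],
      "Resource": "arn:aws:opsworks:us-east-1:111122223333:stack/<stack-id>/"
    },
    {
      "Sid": "NeverAllowDestructiveStackActions",
      "Effect": "Deny",
      "Action": [
        "opsworks:DeleteStack",
        "opsworks:DeleteLayer",
        "opsworks:DeleteInstance",
        "opsworks:DeleteApp"
      ],
      "Resource": "*"
    }
  ]
}
```

Because an explicit Deny overrides any Allow in IAM evaluation, the second statement still holds if a broader policy such as AWSOpsWorksFullAccess is later attached to the same user by mistake.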
 
Regular AWS OpsWorks Stacks Users
- Regular users don't require an attached policy.
- Use the OpsWorks Stacks Permissions page to assign permission levels to regular users on a stack-by-stack basis:
  - Show permissions allow users to view the stack but not perform any operations.
  - Deploy permissions allow users to deploy and update apps.
  - Manage permissions allow users to perform stack management tasks such as adding layers or instances, use the Permissions page to set user permissions, and enable their own SSH/RDP and sudo/admin privileges.
  - Deny permissions deny all access to the stack.

 
To create the IAM user:
- Open the IAM console at https://console.aws.amazon.com/iam/
- Select Users in the navigation pane, and then click Add user.
- Type a user name. In the Select AWS access type area, select Programmatic access, and then choose Next: Permissions.
- On the Set permissions page, choose Attach existing policies directly.
- Enter OpsWorks in the Policy type filter box to display the AWS OpsWorks policies.
- Select AWSOpsWorksFullAccess, and then choose Next: Review.
 

Security Updates
To update online instances:
- Create and start new instances, then delete the current instances.
- On Linux-based instances in Chef 11.10 or older stacks, run the Update Dependencies stack command.
 
Security Groups
- Every EC2 instance has one or more associated security groups.
- Security groups govern the instance's network traffic, like a firewall.
- A security group has one or more rules for traffic, and each rule includes:
  - The type of allowed traffic, such as SSH or HTTP.
  - The traffic's protocol, such as TCP or UDP.
  - The IP address range that the traffic can originate from.
  - The traffic's allowed port range.
- There are two types of rules:
  - Inbound rules govern inbound network traffic.
  - Outbound rules govern outbound network traffic.
 