Currently we are using a set of security groups. They are administered at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroups.
A security group allows certain IP addresses to connect to a machine, once the machine has been added to the security group like this:

```
aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security
```

Groups are added to new servers by Ansible, using the AWS key pair security_access_key / security_secret_key, which is stored in the group_vars/vault file.
| Security Group | Description | Ports | Details | Admin |
|---|---|---|---|---|
| | worldwide ssh access | Aspace prod and staging, port 22 | Allows SSH access by developers to the ArchivesSpace server. | |
| Temp-Development | Public web access | Aspace prod and staging, ports 80 and 443 | Allows public web access to the production and staging ArchivesSpace servers. | |
| | short term production firewall rules | Aspace prod, port 8983 | Used to allow developers and export code to access the ASpace API. | |
| | short term staging firewall rules | Aspace staging, port 8983 | See Temp-Production. | |
In addition there is a default security group that appears unused, but cannot be deleted.
When a machine has multiple security groups, a connection gets through the firewall as long as any one of the groups allows it: the groups are combined as a single allow list. Anything not covered by some group's rules is rejected.
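The command above attaches a list of groups to an instance, and the rule just stated governs what those groups allow together. As an added example, not part of this page or of the ArchivesSpace deployment, the following Python script models that evaluation offline over constructed groups that mirror the table. The group names, the RFC 5737 documentation CIDRs and the rules are assumptions, not the real console values. It answers whether a given source address may reach a port through any attached group, and lists rules open to the whole Internet on ports that are not meant to be public, which is the review to do before attaching a group like the worldwide SSH one to a server.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound rule in the shape the console shows: protocol, port range, source CIDR."""
    protocol: str  # "tcp", "udp", or "-1" for all traffic
    from_port: int
    to_port: int
    cidr: str


# Constructed sample groups modelled on the table above. Names, CIDRs and
# rules are placeholders (assumed, not the real console values); the
# 198.51.100.0/24 range is an RFC 5737 documentation network.
GROUPS = {
    "worldwide-ssh-access": [Rule("tcp", 22, 22, "0.0.0.0/0")],
    "public-web-access": [Rule("tcp", 80, 80, "0.0.0.0/0"),
                          Rule("tcp", 443, 443, "0.0.0.0/0")],
    "temp-production": [Rule("tcp", 8983, 8983, "198.51.100.0/24")],
}


def port_range(rule):
    """Effective port span of a rule; '-1' (all traffic) covers every port."""
    return (0, 65535) if rule.protocol == "-1" else (rule.from_port, rule.to_port)


def rule_matches(rule, protocol, port, src_ip):
    """True if this single rule admits a packet of the given protocol, port and source."""
    if rule.protocol not in ("-1", protocol):
        return False
    lo, hi = port_range(rule)
    if not lo <= port <= hi:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr, strict=False)


def is_allowed(attached, protocol, port, src_ip):
    """Security groups are allow lists with no deny rules: the connection is
    admitted if ANY rule in ANY attached group matches, and dropped otherwise."""
    return any(rule_matches(rule, protocol, port, src_ip)
               for name in attached for rule in GROUPS[name])


def world_open_rules(attached, public_ports=(80, 443)):
    """Rules on the attached groups whose source is the whole Internet
    (0.0.0.0/0 or ::/0) and whose port span includes a port not meant to be
    public. Returns (group, protocol, from_port, to_port) tuples."""
    findings = []
    for name in attached:
        for rule in GROUPS[name]:
            if ipaddress.ip_network(rule.cidr, strict=False).prefixlen != 0:
                continue  # scoped to a specific network, not world-open
            lo, hi = port_range(rule)
            if any(p not in public_ports for p in range(lo, hi + 1)):
                findings.append((name, rule.protocol, lo, hi))
    return findings


if __name__ == "__main__":
    attached = ["worldwide-ssh-access", "public-web-access"]
    for proto, port, src in [("tcp", 22, "203.0.113.9"), ("tcp", 8983, "203.0.113.9")]:
        verdict = "allowed" if is_allowed(attached, proto, port, src) else "rejected"
        print(f"{proto}/{port} from {src}: {verdict}")
    for finding in world_open_rules(attached):
        print("world-open on non-public port:", finding)
```

Run it with the real rules pasted into GROUPS to see the effective exposure of an instance before changing its groups. Note also that `--groups` on `modify-instance-attribute` replaces the instance's whole group list rather than appending to it, so LIST_OF_GROUPS should name every group the machine still needs.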
...