We currently use the set of security groups listed below. They are administered in the EC2 console at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroups.

A security group allows certain IP addresses to connect to a machine once the machine has been added to the group, for example:

aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security

Note that --groups replaces the instance's entire set of security groups rather than adding to it, so LIST_OF_GROUPS must contain every group the machine needs (including Management-Access), not just the one being added.

Ansible attaches them to new servers using the AWS access key ID and secret access key held in the security_access_key / security_secret_key variables, which are stored in the group_vars/vault file.
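Because --groups overwrites the whole group list, the safe way to add a group from a script is to read the instance's current groups first and submit the union. The following is an added example (not code from the original page or from the project's Ansible roles) that does exactly that with the AWS CLI; it assumes the "security" profile named above, region us-east-1 from the console link, and that the CLI is on PATH. The function and file names are made up for this example.

```python
"""Attach security groups to an EC2 instance without dropping the ones it
already has.

Added example; not code from the original wiki page or the project's
Ansible roles.  `aws ec2 modify-instance-attribute --groups` REPLACES the
instance's whole group list, so passing only the new group would silently
detach Management-Access and lock everyone out of SSH.  This script reads
the current groups first and submits the union.
Assumptions: the "security" CLI profile from the page, region us-east-1
(where the page's console link points), and the AWS CLI on PATH.
"""
import json
import subprocess
from typing import Iterable, List

PROFILE = "security"   # CLI profile named on the page
REGION = "us-east-1"   # assumed from the page's console URL


def merge_group_ids(current: Iterable[str], required: Iterable[str]) -> List[str]:
    """Union of current and required group IDs, de-duplicated, order kept."""
    merged: List[str] = []
    for gid in list(current) + list(required):
        if gid not in merged:
            merged.append(gid)
    return merged


def missing_group_ids(current: Iterable[str], required: Iterable[str]) -> List[str]:
    """Required groups the instance does not have yet (empty list == nothing to do)."""
    have = set(current)
    return [gid for gid in required if gid not in have]


def _aws(*args: str) -> str:
    """Run one AWS CLI call with the profile/region above and return stdout."""
    cmd = ["aws", "--profile", PROFILE, "--region", REGION, "--output", "json", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def group_id_by_name(name: str) -> str:
    """Resolve a group name such as Management-Access to its sg-... ID."""
    out = json.loads(_aws("ec2", "describe-security-groups",
                          "--filters", f"Name=group-name,Values={name}"))
    groups = out["SecurityGroups"]
    if len(groups) != 1:
        raise LookupError(f"expected exactly one group named {name}, got {len(groups)}")
    return groups[0]["GroupId"]


def current_group_ids(instance_id: str) -> List[str]:
    """Group IDs currently attached to the instance."""
    out = json.loads(_aws("ec2", "describe-instances", "--instance-ids", instance_id))
    instance = out["Reservations"][0]["Instances"][0]
    return [g["GroupId"] for g in instance["SecurityGroups"]]


def attach_groups(instance_id: str, required_names: List[str]) -> List[str]:
    """Ensure every named group is attached; returns the final group ID list.

    Management-Access is always included because the page says every
    machine MUST have it.
    """
    names = ["Management-Access"] + [n for n in required_names if n != "Management-Access"]
    required = [group_id_by_name(n) for n in names]
    current = current_group_ids(instance_id)
    if not missing_group_ids(current, required):
        return current                      # already compliant; no API write
    merged = merge_group_ids(current, required)
    _aws("ec2", "modify-instance-attribute", "--instance-id", instance_id,
         "--groups", *merged)               # submit the union, never just the new group
    return merged


if __name__ == "__main__":
    import sys
    # usage: python attach_groups.py <instance-id> Public-Access-Web internal-networking
    print(attach_groups(sys.argv[1], sys.argv[2:]))
```

The merge is done by ID rather than name because that is what modify-instance-attribute accepts; resolving names through describe-security-groups with a group-name filter works in any VPC, whereas --group-names only works in the default VPC.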

Security Group | Description | Ports | Notes | Temp rule notes
CHF-Access-Web | CHF internal web access | 80, 443 | IT has the list of addresses; may need to be updated for the California offices? |
Management-Access | Worldwide SSH access | 22 | All machines MUST have this group to allow SSH access. Currently allows worldwide SSH access. |
Public-Access-Web | Public web access | 80, 443 | Open worldwide; to be applied to public web-facing servers. |
Temp-Development | Short-term dev firewall rules | ?? | Please use this for short-term access; rules in here may be cleared off. |
Temp-Production | Short-term production firewall rules | ?? | Please use this for short-term access; rules in here may be cleared off. | Will be adding Cat and Sarah to Hydra for off-site access in case of a SEPTA strike. Roger Turner has his address (75.75.165.67) added for off-site access to Hydra.
Temp-Staging | Short-term staging firewall rules | ?? | Please use this for short-term access; rules in here may be cleared off. |
internal-networking | Access between machines | 80, 443, 8080, 8983 | All Samvera machines must be members of this group so they can share REST data. |
EFS | Access to Elastic File System | ?? | Not in use yet; will allow access to EFS connections. |

Details | Admin
Aspace prod and staging, port 22: allows SSH access by developers to the ArchivesSpace server. | admin
Aspace prod and staging, ports 80 and 443: allows public web access to the production and staging ArchivesSpace servers. | admin
Aspace prod, port 8983: used to allow developers and export code to access the ASpace API. | admin
Aspace staging, port 8983: see Temp-Production. | admin

In addition there is a default security group, which appears unused but cannot be deleted (every VPC has one). Be aware that an instance launched without an explicit security group is placed in this default group, so check new machines rather than assuming they got the groups above.

When a machine has multiple security groups, their rules are combined: a connection is allowed if any one of the attached groups has a rule permitting it. Security groups contain only allow rules, so no group can override another group's allow, and anything not matched by any rule in any attached group is dropped. Rules are also stateful: return traffic for an allowed connection is permitted automatically.
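The practical consequence of the "any one group allows" rule is that you have to look at all of a machine's groups together to know what it exposes; checking Public-Access-Web alone misses the port 22 that Management-Access currently opens to the world. The following is an added example (not code from the original page) that reads the JSON returned by aws ec2 describe-security-groups and reports the union of world-reachable TCP ports for a given set of attached groups. The group names match the table above; the group IDs, the CHF office CIDR and the exact sample rules are constructed for the example, and the function names are made up.

```python
"""Which ports does a machine really expose to the Internet?

Added example; not code from the original wiki page.  Security-group rules
are additive: an instance exposes the union of the allow rules of every
group attached to it, and nothing else.  effective_world_ports() therefore
merges all attached groups before answering.

Input is the JSON returned by `aws ec2 describe-security-groups`.  The
group names below match the page; the group IDs, the CHF office CIDR and
the sample rules are constructed.
"""
import json
import sys
from typing import Dict, Iterable, List, Set, Tuple

WORLD = {"0.0.0.0/0", "::/0"}

Rule = Tuple[str, int, int]   # (protocol, from_port, to_port)


def _perm(proto: str, port: int, cidrs: List[str], groups: Iterable[str] = ()) -> dict:
    """Build one IpPermissions entry in the API's shape (sample data only)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE = {"SecurityGroups": [
    {"GroupName": "Management-Access", "GroupId": "sg-00000000000000001",
     "IpPermissions": [_perm("tcp", 22, ["0.0.0.0/0"])]},
    {"GroupName": "Public-Access-Web", "GroupId": "sg-00000000000000002",
     "IpPermissions": [_perm("tcp", 80, ["0.0.0.0/0"]), _perm("tcp", 443, ["0.0.0.0/0"])]},
    {"GroupName": "CHF-Access-Web", "GroupId": "sg-00000000000000003",
     "IpPermissions": [_perm("tcp", 80, ["203.0.113.0/24"]), _perm("tcp", 443, ["203.0.113.0/24"])]},
    {"GroupName": "internal-networking", "GroupId": "sg-00000000000000004",
     "IpPermissions": [_perm("tcp", 8983, [], ["sg-00000000000000004"])]},
]}


def world_open_rules(sg_doc: dict) -> Dict[str, List[Rule]]:
    """Per group name: inbound rules whose source is 0.0.0.0/0 or ::/0."""
    result: Dict[str, List[Rule]] = {}
    for sg in sg_doc["SecurityGroups"]:
        rules: List[Rule] = []
        for perm in sg.get("IpPermissions", []):
            sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not sources & WORLD:
                continue               # reachable only from listed CIDRs or other groups
            if perm["IpProtocol"] == "-1":
                rules.append(("all", 0, 65535))   # "All traffic": API omits FromPort/ToPort
            else:
                rules.append((perm["IpProtocol"], perm["FromPort"], perm["ToPort"]))
        result[sg["GroupName"]] = rules
    return result


def effective_world_ports(sg_doc: dict, attached: List[str]) -> Set[int]:
    """TCP ports open to the world across ALL groups attached to one instance."""
    open_rules = world_open_rules(sg_doc)
    ports: Set[int] = set()
    for name in attached:
        if name not in open_rules:
            raise KeyError(f"no security group named {name!r} in the input")
        for proto, lo, hi in open_rules[name]:
            if proto in ("tcp", "all"):
                ports.update(range(lo, hi + 1))
    return ports


def ssh_open_to_world(sg_doc: dict, attached: List[str]) -> bool:
    """True when the instance's combined groups expose port 22 to the Internet."""
    return 22 in effective_world_ports(sg_doc, attached)


if __name__ == "__main__":
    # usage: aws ec2 describe-security-groups --profile security --output json \
    #        | python sg_audit.py Management-Access Public-Access-Web
    doc = json.load(sys.stdin)
    names = sys.argv[1:]
    print("world-reachable TCP ports:", sorted(effective_world_ports(doc, names)))
    print("SSH open to world:", ssh_open_to_world(doc, names))
```

Rules whose source is another security group (UserIdGroupPairs, as in internal-networking) are deliberately not counted as world-reachable, and an unknown group name raises rather than being skipped, so a typo cannot produce a falsely clean report.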

...