Currently we are using a set of security groups. The following security groups are scheduled for removal subsequent to our move to Heroku:

- Management-Access
- Public-Access-Web
- Temp-Development
- Temp-Production
- Temp-Staging

Our security groups are administered at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroups.
A security group allows certain IP addresses to connect to a machine, once the machine has been added to the security group like this:

```
aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security
```

Security groups are assigned by Ansible to new servers using the AWS key pair security_access_key / security_secret_key, which are in the group_vars/vault file.
Security Group | Description | Ports | Details
---|---|---|---
Management-Access | worldwide ssh access | Aspace prod and staging, port 22 | Allows SSH access by developers to the ArchivesSpace server.
Public-Access-Web | Public web access | Aspace prod and staging, ports 80 and 443 | Allows public web access to the production and staging ArchivesSpace servers.
Temp-Development | | |
Temp-Production | short term production firewall rules | Aspace prod, port 8983 | Used to allow developers and export code to access the ASpace API.
Temp-Staging | short term staging firewall rules | Aspace staging, port 8983 | See Temp-Production.
In addition there is a default security group that appears unused, but cannot be deleted.
Security group rules are additive: when a machine has multiple security groups, a connection passes the firewall as long as any one of the groups allows it. Anything not allowed by some attached group is rejected.
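As an added example (not part of this page or the project's own tooling), the following Python models the additive rule just described for the groups in the table: it reports which attached group admits a given connection and what would stop working if one of the groups scheduled for removal were detached. The source ranges of the Temp-* groups are constructed placeholders, since the page does not list them.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One ingress rule: protocol, inclusive port range and allowed source CIDR."""
    from_port: int
    to_port: int
    cidr: str
    protocol: str = "tcp"

# Constructed model of the groups in the table above. The page does not list
# the source ranges of the Temp-* groups, so 203.0.113.0/24 is a placeholder.
GROUPS = {
    "Management-Access": [Rule(22, 22, "0.0.0.0/0")],
    "Public-Access-Web": [Rule(80, 80, "0.0.0.0/0"), Rule(443, 443, "0.0.0.0/0")],
    "Temp-Production": [Rule(8983, 8983, "203.0.113.0/24")],
    "Temp-Staging": [Rule(8983, 8983, "203.0.113.0/24")],
}

def granting_groups(instance_groups, src_ip, port, protocol="tcp"):
    """Names of the attached groups whose rules admit this connection.
    Security groups are additive: a non-empty result means the packet passes,
    an empty one means the firewall rejects it."""
    ip = ipaddress.ip_address(src_ip)
    granted = []
    for name in instance_groups:
        if any(r.protocol == protocol and r.from_port <= port <= r.to_port
               and ip in ipaddress.ip_network(r.cidr) for r in GROUPS[name]):
            granted.append(name)
    return granted

def is_allowed(instance_groups, src_ip, port, protocol="tcp"):
    return bool(granting_groups(instance_groups, src_ip, port, protocol))

def removal_impact(instance_groups, group, probes):
    """Connections (src_ip, port) that only `group` admits, i.e. what would stop
    working if that group were detached from the instance."""
    remaining = [g for g in instance_groups if g != group]
    return [p for p in probes
            if is_allowed(instance_groups, *p) and not is_allowed(remaining, *p)]

if __name__ == "__main__":
    prod = ["Management-Access", "Public-Access-Web", "Temp-Production"]
    print(granting_groups(prod, "198.51.100.7", 443))   # ['Public-Access-Web']
    print(granting_groups(prod, "198.51.100.7", 8983))  # [] -> rejected
    print(removal_impact(prod, "Temp-Production",
                         [("203.0.113.9", 8983), ("203.0.113.9", 22)]))
    # [('203.0.113.9', 8983)]
```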