Our security groups are administered in the AWS console at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroups:
A security group allows certain IP addresses to connect to a machine, once the machine has been added to the security group like this (using the AWS CLI profile named `security`):

```sh
aws ec2 modify-instance-attribute --instance-id THE_MACHINE_S_INSTANCE_ID --groups LIST_OF_GROUPS --profile security
```

Note that `--groups` replaces the instance's whole set of security groups with the list given, so include every group the machine should keep, not just the one being added.
| Security Group | Description | Ports | Details | Admin |
|---|---|---|---|---|
| | worldwide ssh access | 22 | The production and staging ArchivesSpace servers need this group to allow developers to ssh to them. This allows worldwide ssh access; we're using SSH keys to control access. | https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroup:groupId=sg-da8374a7 |
| | Public web access | 80, 443 | Open worldwide, to allow public web access to the production and staging ArchivesSpace servers. | https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroup:groupId=sg-686b9f15 |
| | short term production firewall rules | 8983 | Used for short-term access to the SOLR configuration on ArchivesSpace production from developers' IP addresses. | https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroup:groupId=sg-f2a7508f |
| | short term staging firewall rules | 8983 | Used for short-term access to the SOLR configuration on ArchivesSpace production from developers' IP addresses. | https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#SecurityGroup:groupId=sg-25b84f58 |
🚨 The following security groups are scheduled for removal after our move to Heroku:
| Security Group | Description | Ports | Details | Notes |
|---|---|---|---|---|
| | CHF internal web access | 80, 443 | Allows a list of employees to connect to 80 and 443. This is not being applied to any machines; both staging and production ASpace already allow access to those two ports via | Includes offsite access addresses for Jonathan |
| | Access between production machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines needed to be members of this group so they can communicate to share REST data. Port 8080 is Fedora, 8983 is Solr, 6379 is Redis, 5432 is Postgres, 19999 is netdata for monitoring. | Do not mix production and staging boxes; keeping them separate prevents security group rule tests from impacting production. The only box in both groups is monitor, which watches both. |
| | Access between staging machines | 8080, 8983, 6379, 5432, 19999 | All Samvera machines needed to be members of this group so they can communicate to share REST data. | Do not mix production and staging boxes; keeping them separate prevents security group rule tests from impacting production. The only box in both groups is monitor, which watches both. |
When a machine has multiple security groups, their rules are combined: as long as any one of the groups allows a connection, it will pass through the firewall. Any connection not allowed by some group is rejected, because security groups only ever allow traffic; they have no deny rules.
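As an added example (not the project's own code, and independent of the AWS CLI), the following Python models the "any group allows it" rule above: it takes the JSON shape returned by `aws ec2 describe-security-groups`, merges the rules of the groups attached to one instance, answers whether a given source IP can reach a port, and flags ports open to the world that this page does not document as public (the way a forgotten "short term" rule on 8983 would). Group ids, names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON;
# group ids, names and CIDRs are placeholders, not the real groups on this page.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-ssh", "GroupName": "worldwide ssh access",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "GroupName": "Public web access",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # a developer /32 plus a forgotten world-open rule on the Solr port
    {"GroupId": "sg-short", "GroupName": "short term production firewall rules",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8983, "ToPort": 8983,
                        "IpRanges": [{"CidrIp": "203.0.113.7/32"},
                                     {"CidrIp": "0.0.0.0/0"}]}]},
]}
EXPECTED_PUBLIC = {22, 80, 443}  # ports the page documents as open to the world

def effective_ingress(groups, attached_ids):
    """Union of (from_port, to_port, cidr) over the groups attached to one
    instance: any attached group may admit a packet, nothing else gets through."""
    rules = set()
    for g in groups["SecurityGroups"]:
        if g["GroupId"] not in attached_ids:
            continue
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "-1"):  # "-1" means all traffic
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for rng in perm.get("IpRanges", []):
                rules.add((lo, hi, rng["CidrIp"]))
    return rules

def is_allowed(rules, port, src_ip):
    """Would the combined firewall admit TCP `port` from `src_ip`?"""
    ip = ipaddress.ip_address(src_ip)
    return any(lo <= port <= hi and ip in ipaddress.ip_network(cidr)
               for lo, hi, cidr in rules)

def world_open_surprises(rules):
    """Ports open to 0.0.0.0/0 that the page does not list as public;
    a stale 'short term' developer rule shows up here."""
    ports = {p for lo, hi, cidr in rules if cidr == "0.0.0.0/0"
             for p in range(lo, hi + 1)}
    return sorted(ports - EXPECTED_PUBLIC)
```

Against a real account, feed the parsed output of `aws ec2 describe-security-groups --profile security` in place of `SAMPLE` and the instance's group ids in place of the constructed set.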