Devising a comprehensive security strategy on Amazon EC2 requires you to plan for security at different levels.
Access to your web services and applications is managed through the same security mechanisms that you use with ArcGIS Enterprise outside Amazon EC2. This is described in the ArcGIS Server and Portal for ArcGIS help.
In addition, there are security considerations specific to deploying in the cloud. The following sections describe some of the security considerations and approaches specific to deploying on Amazon Web Services (AWS).
Secure your cloud administration environment
Amazon Identity and Access Management (IAM) allows you to manage groups of users who have various levels of permissions to your AWS account. Before you can log in to ArcGIS Server Cloud Builder on Amazon Web Services, you must use IAM to create at least one user with access to your account. You will then need to download the Access Key and Secret Access Key associated with that user. When you first log in to Cloud Builder, you can decide whether to save these keys or require them at every login. You can also use an IAM role to configure a highly available ArcGIS Server site.
Advanced administration of ArcGIS Enterprise on Amazon Web Services is performed using the AWS Management Console. You must log in to the console with your Amazon account name and password before you can launch or terminate EC2 instances, configure Amazon Elastic Load Balancers (ELBs) and Elastic IPs, and perform other administrative functions of the virtual environment. Logging in also lets you view your account activity and billing information.
Only share your Amazon account name, password, Access Keys, and Secret Access Keys with a small number of people in your organization who understand how to properly launch, edit, and terminate resources using the Cloud Builder or AWS Management Console. Allowing widespread access to untrained personnel makes your deployment vulnerable to severe system disruption and excessive charges on your account. These types of problems may ultimately be more damaging than an assault from an external hacker.
Amazon offers an optional layer of protection for the AWS Management Console beyond your account name and password. This option, AWS Multi-Factor Authentication, requires you to have a six-digit code generated by a small hardware device in your possession. The code frequently changes, such that if a malicious user were to obtain your account name and password, he or she would still not be able to log in to the AWS Management Console.
Secure instance administration
Logging in to the Cloud Builder or AWS Management Console is just one aspect of ArcGIS administration on Amazon EC2. Another part of setting up your cloud deployment is logging in to your EC2 instances to authorize or upgrade software, run tools installed with ArcGIS Enterprise, transfer data, configure applications, and add logins.
You initially log in to a Windows EC2 instance as the machine administrator, using a randomly generated password that you retrieve using your key pair file. Keep your key pair file in a secure location. Then, the first time you log in to the instance, you should change the password to something easier to remember. It is not secure to write down the password or store it in clear text somewhere on your local machine.
Consider choosing a password that corresponds to the Windows Server complexity requirements, which include the following:
- Passwords should not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- Passwords should be at least eight characters in length.
- Passwords should contain characters from three of the following four
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters (for example, !, $, #, %)
Once you've logged in to the instance, you can optionally use Windows tools to define nonadministrative users who can log in.
Secure instances against outside attacks
All EC2 instances use a firewall to protect against inappropriate or unknown outside access. You configure the firewall by creating security groups and opening access to a range of IP addresses, ports, and protocols on each group. Every time you launch a new EC2 instance, you need to specify to which security group the instance will belong.
By default, new security groups have no access allowed. At a minimum, you need to allow remote desktop access and HTTP access to log in to your EC2 instance and test your server. See Open an Amazon EC2 security group for ArcGIS for instructions. Also, see Common security group configurations for ideas of security group settings that are appropriate for ArcGIS Enterprise on Amazon Web Services.
When you use ArcGIS Server Cloud Builder on Amazon Web Services to create an ArcGIS Server site or an AWS CloudFormation template provided by Esri, a security group is created and configured for you. The necessary ports are opened on the security group to allow the site to function, but if needed you can use the AWS Management Console to fine-tune the settings of this security group. For example, if you want to log in to one of the instances using Windows Remote Desktop, you need to open port 3389.
The Amazon Security Center contains white papers and best practice documents for designing a secure architecture for EC2. These guidelines are applicable to ArcGIS Enterprise on Amazon Web Services.