Devising a comprehensive ArcGIS Server security strategy on Amazon EC2 requires you to plan for security at different levels. Consider the following questions:
- Who should be able to create and destroy ArcGIS Server sites using my Amazon account?
- Who should be able to log in to my EC2 instances to install new software or directly administer the server?
- What computers should be able to discover my server once it is running on EC2, and for which purposes?
- Who should be able to connect to my site as a user, publisher, or administrator?
- Are there some users who need to be allowed access to certain services and denied access to others?
- Will my web applications require a login?
You'll need to understand and use a variety of security techniques to make a secure solution that answers all the above questions in a satisfactory way. This topic describes how you could approach each.
Secure your cloud administration environment
Amazon Identity and Access Management (IAM) allows you to manage groups of users who have various levels of permissions to your AWS account. Before you can log in to Cloud Builder, you must use IAM to create at least one user with access to your account. You will then need to download the Access Key and Secret Access Key associated with that user. When you first log in to Cloud Builder, you can decide whether to save these keys or require them at every login.
Advanced administration of ArcGIS Server on Amazon Web Services is performed using the AWS Management Console. You must log in to the console with your Amazon account name and password before you can launch or terminate EC2 instances, configure Amazon Elastic Load Balancers (ELBs) and Elastic IPs, and perform other administrative functions of the virtual environment. Logging in also lets you view your account activity and billing information.
Only share your Amazon account name, password, Access Keys, and Secret Access Keys with a small number of people in your organization who understand how to properly launch, edit, and terminate resources using the Cloud Builder or AWS Management Console. Allowing widespread access to untrained personnel makes your deployment vulnerable to severe system disruption and excessive charges on your account. These types of problems may ultimately be more damaging than an assault from an external hacker.
Amazon offers an optional layer of protection for the AWS Management Console beyond your account name and password. This option, AWS Multi-Factor Authentication, requires you to have a six-digit code generated by a small hardware device in your possession. The code frequently changes, such that if a malicious user were to obtain your account name and password, he or she would still not be able to log in to the AWS Management Console.
Secure instance administration
Logging in to the Cloud Builder or AWS Management Console is just one aspect of ArcGIS Server administration on Amazon EC2. Another part of setting up your cloud deployment is logging in to your EC2 instances to transfer data and configure GIS services and applications.
You initially log in to your Windows EC2 instance as the machine administrator, using a randomly generated password that you retrieve using your key pair file. Keep your key pair file in a secure location. Then, the first time you log in to the instance, you should change the password to something easier to remember. It is not secure to write down the password or store it in clear text somewhere on your local machine.
Tip:
Consider choosing a password that corresponds to the Windows Server 2012 complexity requirements, which include the following:
- Passwords should not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- Passwords should be at least eight characters in length.
- Passwords should contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Nonalphanumeric characters (for example, !, $, #, %)
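As an added example (not part of this topic or of Esri's software), the following Python function applies the three rules listed above to a candidate password before you set it on the instance. It splits the full name the way Windows does (on spaces, commas, periods, hyphens, underscores, pound signs and tabs, ignoring tokens shorter than three characters); the account and full names used below are constructed sample values.

```python
import re

# The four character categories named in the tip; a password must draw from three.
CATEGORIES = {
    "uppercase": lambda c: "A" <= c <= "Z",
    "lowercase": lambda c: "a" <= c <= "z",
    "digit": lambda c: "0" <= c <= "9",
    "nonalphanumeric": lambda c: not c.isalnum(),
}

MIN_LENGTH = 8

# Delimiters Windows uses when it breaks the full name into tokens.
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def name_fragments(account_name: str, full_name: str) -> list[str]:
    """Name tokens the password must not contain (compared case-insensitively).

    The whole account name counts as one token; the full name is split on the
    Windows delimiters. Tokens shorter than three characters are ignored."""
    tokens = [account_name] + NAME_DELIMITERS.split(full_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def check_complexity(password: str, account_name: str, full_name: str = "") -> list[str]:
    """Return a list of rule violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    for fragment in name_fragments(account_name, full_name):
        if fragment in lowered:
            problems.append(f"contains name fragment '{fragment}'")

    met = [name for name, test in CATEGORIES.items() if any(test(c) for c in password)]
    if len(met) < 3:
        problems.append(
            f"uses only {len(met)} of 4 character categories ({', '.join(met) or 'none'})"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: an administrator account named gisadmin, full name "GIS Admin".
    for candidate in ("Arc!Srv2012", "gisadmin1", "abcdefgh!"):
        print(candidate, "->", check_complexity(candidate, "gisadmin", "GIS Admin") or "OK")
```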
Once you've logged in to the instance, you can optionally use Windows tools to define nonadministrative users who can log in.
Secure instances against outside attacks
All EC2 instances use a firewall to protect against inappropriate or unknown outside access. You configure the firewall by creating security groups and opening access to a range of IP addresses, ports, and protocols on each group. Every time you launch a new EC2 instance, you need to specify which security group the instance will belong to.
By default, new security groups have no access allowed. At a minimum, you need to allow remote desktop access and HTTP access to log in to your EC2 instance and test your server. See Open an Amazon EC2 security group for ArcGIS for Server for instructions. Also, see Common security group configurations for ideas of security group settings that are appropriate for ArcGIS Server on Amazon Web Services.
When you use ArcGIS Server Cloud Builder on Amazon Web Services to create a site, a security group is created and configured for you. The necessary ports are opened on the security group to allow the site to function, but if needed you can use the AWS Management Console to fine-tune the settings of this security group. For example, if you want to log in to one of the instances using Windows Remote Desktop, you need to open port 3389.
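As an added example (not from this topic, Cloud Builder or the AWS CLI), the Python function below audits the inbound rules of a security group against the settings discussed above: HTTP should be reachable, remote desktop (port 3389) should not be open to the whole Internet, and no port range wider than the site needs should be present. The rule dictionaries follow the shape the EC2 describe-security-groups API returns, but the group and address ranges below are constructed sample values; the set of ports treated as needed is an assumption for this example.

```python
# Ports the site is assumed to need: HTTP/HTTPS for the web server, RDP for administration.
RDP_PORT = 3389
NEEDED_PORTS = {80, 443, RDP_PORT}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def audit_security_group(group: dict) -> list[str]:
    """Return findings for inbound rules that expose more than an ArcGIS Server site needs.

    Only TCP rules are interpreted as port ranges; a protocol of "-1" means all traffic."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if proto == "-1":
                findings.append(f"all protocols and ports open to {cidr}")
                continue
            if proto != "tcp":
                continue
            # Remote desktop reachable from any address is the most common misconfiguration.
            if lo <= RDP_PORT <= hi and cidr in ANYWHERE:
                findings.append(f"RDP (tcp/{RDP_PORT}) open to {cidr}; limit it to the administrators' address range")
            if lo != hi:
                findings.append(f"port range {lo}-{hi} from {cidr} is wider than the site needs")
            elif lo not in NEEDED_PORTS:
                findings.append(f"port {lo} from {cidr} is not one the site needs; remove it unless required")
    return findings


# Constructed sample group: HTTP to everyone (fine), RDP to everyone (bad),
# RDP from one office range (fine) and an all-TCP rule to everyone (bad).
SAMPLE_GROUP = {
    "GroupName": "arcgis-site-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_GROUP):
        print(SAMPLE_GROUP["GroupName"], "-", finding)
```

With boto3 installed the same function can be run over the real output of `describe_security_groups` for each group Cloud Builder created.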
The Amazon Security Center contains white papers and best practice documents for designing a secure architecture for EC2. These guidelines are applicable to ArcGIS Server on Amazon Web Services.
Secure GIS web applications and services
Access to your web services and applications is managed through the same security mechanisms that you use with ArcGIS Server outside Amazon EC2. These are described in the ArcGIS Help book Securing your ArcGIS Server site.
The Security tab of ArcGIS Server Manager helps you configure users and roles and choose which users and roles have access to your services. ArcGIS Server has a built-in user and role store that can be an attractive option on a cloud-based site that cannot reach user stores on your local network.