Devising a comprehensive security strategy on Amazon Elastic Compute Cloud (EC2) requires you to plan for security at different levels.
Access to your web services and applications is managed through the same security mechanisms that you use with ArcGIS Enterprise outside Amazon Elastic Compute Cloud. This is described in the ArcGIS Server and Portal for ArcGIS help.
In addition, there are security considerations specific to deploying in the cloud. The following sections describe some of the security considerations and approaches specific to deploying on Amazon Web Services (AWS).
Secure your cloud administration environment
You use AWS tools such as the AWS Management Console or AWS command line interface to perform advanced administration of your ArcGIS deployment on AWS. These administration tasks include but are not limited to configuring Amazon Elastic Load Balancers (ELBs) and Elastic IPs, creating Amazon Simple Storage Service (S3) buckets, and viewing your account activity and billing information.
Amazon recommends that you use Amazon Identity and Access Management (IAM) roles to manage groups of users who have various levels of permissions to your AWS account. Use IAM to create at least one user with access to your AWS account, and download the Access Key and Secret Access Key associated with that user. IAM roles are used in the following ArcGIS Enterprise workflows:
- Configure a highly available ArcGIS Server site.
- Configure a highly available portal.
- Store map and image service caches in S3.
Only share your Amazon account name, password, Access Keys, and Secret Access Keys with a small number of people in your organization who understand how to properly launch, edit, and terminate resources using AWS tools such as the Management Console, command line tools, or API. Allowing widespread access to untrained personnel makes your deployment vulnerable to severe system disruption and excessive charges on your account. These types of problems may ultimately be more damaging than an assault from an external hacker.
Amazon offers an optional layer of protection beyond your account name and password. This option, AWS Multi-Factor Authentication, requires you to have a six-digit code generated by a small hardware device in your possession. The code frequently changes, such that if a malicious user were to obtain your account name and password, he or she would still not be able to log in to your account from the AWS Management Console.
Secure instance administration
Managing your account and EC2 instances using AWS tools is just one aspect of ArcGIS administration on AWS. Another part of setting up your cloud deployment is logging in to your EC2 instances to authorize or upgrade software, run tools installed with ArcGIS Enterprise, transfer data, configure applications, and add logins.
You initially log in to Microsoft Windows EC2 instances as the machine administrator, using a randomly generated password that you retrieve using your key pair file. Keep your key pair file in a secure location. Then, the first time you log in to the instance, you should change the password to something easier to remember. It is not secure to write down the password or store it in clear text somewhere on your local machine.
Choose a password that meets to the Microsoft Windows Server complexity requirements, which include the following:
- Passwords should not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- Passwords should be at least eight characters in length.
- Passwords should contain characters from three of the following four
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters (for example, !, $, #, %)
Once you've logged in to the instance, you can use Windows tools to define nonadministrative users who can log in.
Secure instances against outside attacks
All EC2 instances use security groups to protect against inappropriate or unknown outside access. You need to configure the security groups to allow access to a range of IP addresses, ports, and protocols. Every time you launch a new EC2 instance, you need to specify to which security group the instance will belong, which will determine who can access the instance.
By default, new security groups have no access allowed. At a minimum, you need to allow remote access and HTTP access to log in to your EC2 instance and test your deployment. See Open an Amazon Elastic Compute Cloud security group for ArcGIS for instructions. Also, see Common security group configurations for ideas of security group settings that are appropriate for ArcGIS Enterprise on Amazon Web Services.
When you use Esri tools to deploy your site, a security group is created and configured for you. The necessary ports are opened on the security group to allow the site to function but, if needed, you can use AWS tools to fine-tune the settings of this security group. For example, if you want to log in to one of the instances using Windows Remote Desktop, you need to open port 3389.
AWS Cloud Security contains white papers and best practice documents for designing a secure architecture for EC2. These guidelines are applicable to ArcGIS Enterprise on Amazon Web Services.