Security

Deployment User

For the deployment you will need an IAM user with access to the Management Console and the following permissions:

  • Launch CloudFormation templates

  • Create the following objects or services:

    • EC2 Launch Templates, EC2 Security Groups, and Auto-Scaling Groups

    • RDS DB Subnet Groups, DB Instances, and Event Subscriptions

    • EFS File Systems and Mount Targets

    • ELB Load Balancer, Target Groups, and Listener

    • CloudWatch Log Groups and Alarms

    • SNS Topics

    and, optionally, permissions to create the following objects or services:

    • IAM Roles, Instance Profiles, and Policies

    • Certificates

    • VPC Endpoint Services and Endpoints

    • Route 53 Record Set Groups

In practice this will be an IAM user with the managed policy AdministratorAccess attached, either directly or via an IAM Group (recommended). AdministratorAccess is far broader than the list above, so treat this user as a privileged, deployment-only identity: enable MFA on it, do not place its access keys on the Avantra instance (the instance gets its permissions from the instance profile described below), and disable or remove the user once the deployment is done.

If you do not already have one defined, please perform the following steps:

  1. Create a new IAM user (e.g. Avantra-deployment-user) as described in Creating an IAM User in Your AWS Account

  2. Create a new IAM Group (e.g. Avantra-deployment-group) as described in Creating IAM Groups

  3. Attach the Managed Policy AdministratorAccess to the recently created IAM Group as described in Attaching a Policy to an IAM Group

  4. Add the user created in Step 1 to the group created in Step 2 as described in Adding and Removing Users in an IAM Group

Instance Profile

The EC2 instance running Avantra for AWS needs a set of permissions to interact with other AWS services.

The AWS CloudFormation template provided by Avantra for AWS can automatically create the IAM role and an IAM instance profile containing the required permissions. It also adds the permissions needed for the EC2 instance to be managed by AWS Systems Manager, and assigns the IAM instance profile to the EC2 instance (or more exactly: to the Launch Template).

The following permissions are optional (recommended, but not strictly required) and are added automatically by the AWS CloudFormation template:

  • Permissions to list all available EC2 instances in order to synchronize these instances with the Avantra inventory.

  • Permissions to start and stop EC2 instances in order to allow Avantra to start or stop them manually, scheduled, event based, or within automation actions.

  • Permissions to publish SMS messages using Amazon Simple Notification Service.

  • Permissions to copy RDS Snapshots to a different AWS region.

  • Permissions to sync data with an Amazon S3 bucket.

In case you do not have the permissions to create an IAM Role, an IAM Policy, or an IAM Instance Profile, you need to find someone with the required permission to do it for you. The following steps are required:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles > Create role.

  3. In the Select type of trusted entity section, choose AWS service and EC2 in Choose the service that will use this role. Choose Next: Permissions.

  4. In the Attach permissions policies section of the Create role page, push the Create policy button. This opens a new browser tab loading the Create policy page.

  5. On the Create policy page open the tab JSON and paste the following into the field:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudWatchLogWriting",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams"
                ],
                "Resource": "arn:aws:logs:*:*:*"
            },
            {
                "Sid": "AllowElbHealthCheck",
                "Effect": "Allow",
                "Action": [
                    "elasticloadbalancing:DescribeTargetHealth"
                ],
                "Resource": "*"
            },
            {
                "Sid": "AllowDescribeEni",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeNetworkInterfaces"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Sid": "AllowSgCreateIngressRule",
                "Effect": "Allow",
                "Action": [
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:DescribeSecurityGroups"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Sid": "AllowStartStopInstances",
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": "arn:aws:ec2:*:*:instance/*"
            },
            {
                "Sid": "AllowDescribeInstances",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus"
                ],
                "Resource": "*"
            },
            {
                "Sid": "AllowSendSms",
                "Effect": "Allow",
                "Action": [
                    "sns:SetSMSAttributes",
                    "sns:Publish"
                ],
                "Resource": "*"
            },
            {
                "Sid": "AllowListCopyDeleteDBSnapshots",
                "Effect": "Allow",
                "Action": [
                    "rds:DescribeDBSnapshots",
                    "rds:CopyDBSnapshot",
                    "rds:DeleteDBSnapshot"
                ],
                "Resource": [
                    "arn:aws:rds:*:*:snapshot:*",
                    "arn:aws:rds:*:*:db:*"
                ]
            },
            {
                "Sid": "AllowS3BucketSync",
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::*"
                ]
            }
        ]
    }

    Push the Review policy button.

    Every statement after the first four is optional and backs one Avantra feature; remove the statement for each feature you do not use:

    • AllowSendSms if you do not want to send SMS using Amazon Simple Notification Service.

    • AllowDescribeInstances if you do not want to synchronize EC2 instances with the Avantra inventory.

    • AllowStartStopInstances if you do not want to use the start or stop functions within Avantra.

    • AllowListCopyDeleteDBSnapshots if you do not want to cross-region copy RDS snapshots from the EC2 instance.

    • AllowS3BucketSync if you do not want to sync files with Amazon S3.

    Note that AllowS3BucketSync as written grants read, write and delete on every bucket in the account (arn:aws:s3:::*). If you keep it, replace the resource with the ARN of the bucket you sync with and of its objects (arn:aws:s3:::<bucket> and arn:aws:s3:::<bucket>/*). AllowSgCreateIngressRule and AllowSendSms likewise use Resource "*"; the EC2 statement can be narrowed to the ARN of the instance Security Group once the template has created it.

  6. On the Create policy page fill in a Name, e.g. Avantra-iam-policy and push the Create policy button.

  7. Switch back to the Create role page and push the reload button.

  8. Select the following AWS managed policies: AWSMarketplaceMeteringFullAccess and, optionally but recommended, AmazonEC2RoleforSSM. AWS has deprecated AmazonEC2RoleforSSM in favour of the narrower AmazonSSMManagedInstanceCore, which is the better choice for a new role.

  9. Click on Filter policies, select Customer managed, and select the policy you created above, e.g. Avantra-iam-policy.

  10. Push the Next: Tags button, fill in any required tags, and push the Next: Review button.

  11. Fill in a Role Name and push the Create role button. This also creates an instance profile with the same name.

Once you launch the AWS CloudFormation template you can fill in the Instance Profile ARN of the instance profile created above.
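As an added example (not Avantra's own tooling), the following Python script works on the policy document above: it drops the statements for features you do not use, narrows AllowS3BucketSync to one bucket, and reports which remaining statements still allow a mutating action on a wildcard resource. The policy excerpt embedded in the script is copied from the page (only the statements needed for the demonstration); the feature-to-Sid mapping follows the paragraph on optional statements, and the bucket name is an assumption.

```python
"""Trim and audit the Avantra instance-profile policy. Added example, not
Avantra's own tooling."""
import json

# Excerpt of the policy from the page, kept as JSON text so the script works
# on exactly the artefact an operator would paste into the IAM console.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCloudWatchLogWriting", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                "logs:PutLogEvents", "logs:DescribeLogStreams"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Sid": "AllowSgCreateIngressRule", "Effect": "Allow",
     "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:DescribeSecurityGroups"],
     "Resource": ["*"]},
    {"Sid": "AllowStartStopInstances", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*"},
    {"Sid": "AllowSendSms", "Effect": "Allow",
     "Action": ["sns:SetSMSAttributes", "sns:Publish"], "Resource": "*"},
    {"Sid": "AllowS3BucketSync", "Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:GetBucketLocation", "s3:GetObject",
                "s3:ListBucket", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::*"]}
  ]
}
'''

# Avantra feature -> Sid of the optional statement that backs it (from the page).
OPTIONAL_FEATURES = {
    "sms": "AllowSendSms",
    "inventory_sync": "AllowDescribeInstances",
    "start_stop": "AllowStartStopInstances",
    "rds_snapshot_copy": "AllowListCopyDeleteDBSnapshots",
    "s3_sync": "AllowS3BucketSync",
}

# API name prefixes that only read; a wildcard resource on these is low risk.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def load_page_policy():
    return json.loads(POLICY_JSON)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def trim_policy(policy, disabled_features):
    """Copy of `policy` without the statements backing the disabled features."""
    drop = {OPTIONAL_FEATURES[f] for f in disabled_features}
    trimmed = json.loads(json.dumps(policy))  # deep copy; caller's dict untouched
    trimmed["Statement"] = [s for s in trimmed["Statement"] if s.get("Sid") not in drop]
    return trimmed


def scope_s3_sync(policy, bucket):
    """Narrow AllowS3BucketSync from every bucket to one bucket. ListBucket and
    GetBucketLocation act on the bucket ARN, the object actions on the objects
    below it, so both ARNs are required."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == "AllowS3BucketSync":
            stmt["Resource"] = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return policy


def broad_mutating_grants(policy):
    """Sids of Allow statements that combine a non-read-only action with
    Resource '*' or an all-buckets wildcard ARN: the grants to scope down."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        wide = any(r == "*" or r.endswith(":::*") for r in resources)
        mutating = any(not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)
                       for a in _as_list(stmt.get("Action", [])))
        if wide and mutating:
            flagged.append(stmt["Sid"])
    return flagged


if __name__ == "__main__":
    policy = load_page_policy()
    print("broad grants before:", broad_mutating_grants(policy))
    hardened = scope_s3_sync(trim_policy(policy, ["sms", "start_stop"]), "avantra-sync-bucket")
    print("broad grants after: ", broad_mutating_grants(hardened))
    print(json.dumps(hardened, indent=2))
```

After trimming and scoping, the only wildcard grant left is AllowSgCreateIngressRule, which the instance needs at boot and which you can narrow to the instance Security Group's ARN once the stack exists.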

SSH Key Pair

You need to have an SSH key pair generated and select it once the AWS CloudFormation template is launched. If you do not have one, please follow these instructions: Creating a Key Pair Using Amazon EC2

Security Groups

The AWS CloudFormation template delivered with Avantra for AWS adds the following Amazon EC2 Security Groups to protect the created resources (${NamePrefix} denotes a prefix parameter you have to fill in during launch of the template). See also Avantra for AWS Recommended Setup.

The exact definition of the Security Groups depends on the input parameters you give when launching the template. You can place the Application Load Balancer as well as the Network Load Balancer in either public or private subnets. Also, for the Application Load Balancer you can choose the listener port: either 443 for HTTPS or 80 for HTTP.

Using HTTP is only supported if the Application Load Balancer is not internet-facing.

${NamePrefix}-alb-sg

Attached to: Application Load Balancer

Purpose: Allow access to the Avantra User Interface

Ports: 80 or 443 (the listener port you chose), and 9058

Ingress IP range: Based on your input parameter in the AWS CloudFormation template. Has to cover all IP addresses that users may use to connect to the Avantra User Interface.

Port 9058 is a service interface to the Avantra Master and is only available via HTTPS.

${NamePrefix}-instance-sg

Attached to: EC2 instance (more exactly: the EC2 Launch Template)

Purpose: Allow access to the Avantra User Interface and the Avantra Master service interface through the Application Load Balancer only; SSH access from a defined IP range; Avantra Master access for Avantra Agents from a given IP range

Port: 8080 or 8443 (depending on the Application Load Balancer listener port, 80 or 443 respectively)

Ingress Security Group: ${NamePrefix}-alb-sg

Port: 22

Ingress IP range: Based on your input parameter in the AWS CloudFormation template. The recommendation is to restrict this to the VPC itself, to peered VPCs, or to connected on-premise networks; never use 0.0.0.0/0 here.

Port: 9050

Ingress IP range: Based on your input parameter in the AWS CloudFormation template. The recommendation is to restrict this to the VPCs or connected on-premise networks you install Avantra Agents into.

During launch, the EC2 instance adds the private IP addresses of the Network Load Balancer to this security group so that traffic originating from the load balancer itself (in particular its health checks) reaches port 9050. This is what the ec2:DescribeNetworkInterfaces and ec2:AuthorizeSecurityGroupIngress permissions in the instance profile policy are needed for.
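The boot-time step described above, as an added example that is not Avantra's own script: it looks up the private IPs of the Network Load Balancer's network interfaces, compares them with the rules already on the instance Security Group, and authorizes only the missing /32 entries on TCP 9050 so that a reboot does not fail on duplicate rules. It needs exactly the AllowDescribeEni and AllowSgCreateIngressRule statements from the policy above. Assumptions: the NLB's interfaces carry the AWS description "ELB net/<nlb-name>/<id>", and the caller passes in a boto3 EC2 client (the offline stub and the sample interface data below are constructed for the example).

```python
"""Add the NLB's private IPs to the instance security group on TCP 9050,
idempotently. Added example; assumes a boto3-style EC2 client is passed in."""

AGENT_PORT = 9050


def nlb_private_ips(ec2, nlb_name):
    """Private IPs of every network interface the NLB owns (one per subnet).
    Assumption: NLB ENIs are described as 'ELB net/<name>/<id>'."""
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "description", "Values": [f"ELB net/{nlb_name}/*"]}])
    ips = set()
    for eni in resp["NetworkInterfaces"]:
        for addr in eni["PrivateIpAddresses"]:
            ips.add(addr["PrivateIpAddress"])
    return sorted(ips)


def existing_sources(ec2, sg_id, port):
    """CIDRs already allowed on `port`, so reboots do not re-add rules."""
    group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    cidrs = set()
    for perm in group["IpPermissions"]:
        if perm.get("IpProtocol") == "tcp" and \
                perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def authorize_nlb(ec2, sg_id, nlb_name, port=AGENT_PORT):
    """Authorize each NLB address as a /32; return the CIDRs actually added."""
    wanted = {f"{ip}/32" for ip in nlb_private_ips(ec2, nlb_name)}
    missing = sorted(wanted - existing_sources(ec2, sg_id, port))
    if missing:  # skipping the call avoids InvalidPermission.Duplicate errors
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[{
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": f"NLB {nlb_name}"} for c in missing],
        }])
    return missing


class StubEc2:
    """Offline stand-in for boto3's EC2 client, covering the three calls above."""

    def __init__(self, sg_id, enis, existing):
        self.sg_id, self.enis = sg_id, enis
        self.rules = [{"IpProtocol": "tcp", "FromPort": AGENT_PORT, "ToPort": AGENT_PORT,
                       "IpRanges": [{"CidrIp": c} for c in existing]}]

    def describe_network_interfaces(self, Filters):
        prefix = Filters[0]["Values"][0].rstrip("*")
        return {"NetworkInterfaces": [e for e in self.enis if e["Description"].startswith(prefix)]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": self.sg_id, "IpPermissions": self.rules}]}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.rules.extend(IpPermissions)
        return {"Return": True}


def demo():
    """Constructed data: two NLB interfaces (one already allowed) and one ALB ENI
    that must be ignored. Returns what the first and second run added."""
    enis = [
        {"Description": "ELB net/avantra-nlb/1a2b3c", "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.17"}]},
        {"Description": "ELB net/avantra-nlb/1a2b3c", "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.23"}]},
        {"Description": "ELB app/avantra-alb/9z8y7x", "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.99"}]},
    ]
    ec2 = StubEc2("sg-0b2", enis, existing=["10.0.0.0/16", "10.0.1.17/32"])
    first = authorize_nlb(ec2, "sg-0b2", "avantra-nlb")   # adds 10.0.2.23/32 only
    second = authorize_nlb(ec2, "sg-0b2", "avantra-nlb")  # nothing left to add
    return first, second


if __name__ == "__main__":
    print(demo())
```

On the instance itself you would call authorize_nlb(boto3.client("ec2"), sg_id, nlb_name) with the real client; the instance profile supplies the credentials, so no keys are stored on the host.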

${NamePrefix}-rds-sg

Attached to: RDS instances

Purpose: Restrict access to the database to the EC2 instances only.

Port: 5432 (PostgreSQL)

Ingress Security Group: ${NamePrefix}-instance-sg

${NamePrefix}-efs-sg

Attached to: EFS Mount Targets

Purpose: Restrict access to the Amazon EFS file system to the EC2 instances only.

Port: 2049 (NFS; Amazon EFS mount targets listen on this port, not on the database port)

Ingress Security Group: ${NamePrefix}-instance-sg

The template does not attach a Security Group to the Network Load Balancer (Security Group support for Network Load Balancers is a later AWS feature the template does not use). Access through it is restricted by the Security Group of the target EC2 instance.
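As an added example (not part of Avantra for AWS), the following Python script checks a set of Security Groups against the layout described above: the ALB group exposes only its listener port and 9058, HTTP is tolerated only on an internal ALB, the instance group accepts the UI ports only from the ALB group and SSH and agent traffic only from CIDR ranges that are not 0.0.0.0/0, and the RDS and EFS groups accept only 5432 and 2049 respectively, and only from the instance group. The sample groups are constructed in the shape returned by aws ec2 describe-security-groups, with an assumed NamePrefix of avantra and assumed group IDs; two deliberate deviations are included so the output shows what a finding looks like.

```python
"""Audit security groups against the page's design. Added example."""

ANY = "0.0.0.0/0"
PRIVATE = "private"  # CIDR sources only, never 0.0.0.0/0
PUBLIC = "public"    # CIDR sources only; users may legitimately come from anywhere


def _sources(perm):
    """Split one IpPermissions entry into (cidrs, source group IDs)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs, [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]


def design(ids, alb_internet_facing, alb_port):
    """Per group: {port: PUBLIC | PRIVATE | set of allowed source group IDs}.
    Port 80 is only part of the design for an internal ALB, and the instance
    port follows the listener (8443 for 443, 8080 for 80)."""
    alb = {alb_port: PUBLIC, 9058: PUBLIC}
    if alb_port == 80 and alb_internet_facing:
        alb = {9058: PUBLIC}  # HTTP on an internet-facing ALB is unsupported
    instance_port = 8443 if alb_port == 443 else 8080
    return {
        "alb-sg": alb,
        "instance-sg": {instance_port: {ids.get("alb-sg", "sg-missing")},
                        22: PRIVATE, 9050: PRIVATE},
        "rds-sg": {5432: {ids.get("instance-sg", "sg-missing")}},
        "efs-sg": {2049: {ids.get("instance-sg", "sg-missing")}},  # NFS, not 5432
    }


def audit(groups, prefix, alb_internet_facing=True, alb_port=443):
    """Return human-readable findings; an empty list means the groups match."""
    by_name = {g["GroupName"]: g for g in groups}
    ids = {n[len(prefix) + 1:]: g["GroupId"] for n, g in by_name.items()
           if n.startswith(prefix + "-")}
    findings = []
    for short, allowed in design(ids, alb_internet_facing, alb_port).items():
        group = by_name.get(f"{prefix}-{short}")
        if group is None:
            findings.append(f"{short}: group missing")
            continue
        for perm in group["IpPermissions"]:
            if perm["IpProtocol"] == "-1":
                findings.append(f"{short}: all-traffic rule present")
                continue
            cidrs, src_groups = _sources(perm)
            for port in range(perm["FromPort"], perm["ToPort"] + 1):
                rule = allowed.get(port)
                if rule is None:
                    findings.append(f"{short}: port {port} not allowed by the design")
                elif rule in (PUBLIC, PRIVATE):
                    if src_groups:
                        findings.append(f"{short}: port {port} must be restricted by CIDR, not by group")
                    if rule == PRIVATE and ANY in cidrs:
                        findings.append(f"{short}: port {port} open to the world")
                elif cidrs or set(src_groups) - rule:
                    findings.append(f"{short}: port {port} must only accept {sorted(rule)}")
    return findings


def _group(name, gid, rules):
    """Build a describe-security-groups style record from (port, sources) pairs;
    sources containing '/' are CIDRs, sources starting with 'sg-' are groups."""
    perms = []
    for port, sources in rules:
        perms.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "IpRanges": [{"CidrIp": s} for s in sources if "/" in s],
                      "UserIdGroupPairs": [{"GroupId": s} for s in sources if s.startswith("sg-")]})
    return {"GroupName": name, "GroupId": gid, "IpPermissions": perms}


# Constructed sample with two deliberate deviations from the design.
SAMPLE_GROUPS = [
    _group("avantra-alb-sg", "sg-0a1", [(443, ["0.0.0.0/0"]), (9058, ["203.0.113.0/24"])]),
    _group("avantra-instance-sg", "sg-0b2", [
        (8443, ["sg-0a1"]),
        (22, ["0.0.0.0/0"]),                       # should be the VPC / peered ranges
        (9050, ["10.0.0.0/16", "10.0.1.17/32"]),   # agent range plus an NLB private IP
    ]),
    _group("avantra-rds-sg", "sg-0c3", [(5432, ["sg-0b2"])]),
    _group("avantra-efs-sg", "sg-0d4", [(5432, ["sg-0b2"])]),  # wrong port for NFS
]


def sample_findings():
    return audit(SAMPLE_GROUPS, "avantra", alb_internet_facing=True, alb_port=443)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

With real data, feed the script the SecurityGroups list from aws ec2 describe-security-groups --filters Name=group-name,Values='${NamePrefix}-*' and run it again after every template parameter change.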

Security Groups for EC2 Instances running Avantra Agents

The Avantra Server connects to all Avantra Agents on TCP port 9051. You therefore need to allow this traffic in the Security Groups of all Amazon EC2 instances you deploy the Avantra Agent to:

  • For EC2 instances in the same VPC as the Avantra Server, use ${NamePrefix}-instance-sg as the ingress Security Group.

  • For EC2 instances in a VPC connected by VPC peering in the same region and the same account, also use ${NamePrefix}-instance-sg as the ingress Security Group (enter its group ID, sg-..., since a group in another VPC cannot be referenced by name). Also make sure routing is configured properly and the network ACLs permit traffic between the Avantra Agents and the Avantra Server.

  • For EC2 instances in a VPC connected by VPC peering in the same region but a different account, use ${AWS::AccountId}/${NamePrefix}-instance-sg as the ingress Security Group, again with the group ID. ${AWS::AccountId} has to be the Account ID of the AWS account deploying Avantra for AWS. Also make sure routing is configured properly and the network ACLs permit traffic between the Avantra Agents and the Avantra Server.

  • For EC2 instances in a VPC connected by VPC peering in a different AWS Region, use the CIDR block of the VPC running Avantra for AWS, because Security Groups cannot be referenced across regions.

  • For on-premise servers, please refer to your operating system documentation.

For EC2 instances that connect to Avantra for AWS through AWS PrivateLink you do not need to configure anything: these instances do not receive incoming traffic; instead the Avantra Agents are configured to initiate and maintain a tunnel connection to the Avantra Server.

Email Notifications

Avantra allows you to send email notifications and requires you to configure an email server. You may use Amazon Simple Email Service for this purpose. Right now, the only supported way is Using the Amazon SES SMTP Interface to Send Email, so you have to follow the procedure in the linked document to create an SMTP user name and password.

SSL Certificate

In order to protect traffic to the Avantra UI with TLS (SSL), you need to provide a certificate created by (or imported into) AWS Certificate Manager in the region you deploy to. If you do not already have one, please follow Request a Public Certificate to request one, or follow Importing Certificates into AWS Certificate Manager to import one.