Amazon EC2 Security Groups¶
Setup¶
Install fwunit with the aws
tag:
pip install fwunit[aws]
Set up your ~/.boto
with an account that has access to EC2 and VPC
administrative information.
In your source configuration, include dynamic_subnets
listing the names or
id’s of all dynamic subnets (see below). Also include a regions
field
listing the regions in which you have hosts.
You can include the credentials for an IAM user in the configuration. If this
is omitted, boto’s normal credential search process will apply, including
searching ~/.boto
and instance role credentials.
my_aws_stuff:
type: aws
output: my_aws_stuff.pkl
dynamic_subnets: [workers]
regions: [us-east-1, us-west-1]
credentials:
access_key: "ACCESS KEY"
secret_key: "SECRET KEY"
Security Policy¶
The user accessing Amazon should have the following security policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}
]
}
Assumptions¶
This processing makes some assumptions about your EC2 layout. These worked for us in Mozilla Releng, but may not work for you.
- Network ACLs are not in use
- All traffic is contained in subnets in one or more VPCs.
- Each subnet is either per-host or dynamic, as described below.
- All traffic from unoccupied IPs in per-host subnets is implicitly permitted.
- Subnets with the same name are configured identically. Such subnets are often configured to achieve AZ/region separation.
The Release Engineering AWS environment contains two types of instances, which
always appear in different subnets. Long-lived instances sit at a single IP
for a long time, acting like traditional servers. The subnets holding such
instances are considered “per-host” subnets, and the destination IPs for
fwunit
rules are determined by examining the IP addresses and security groups
of the instances in the subnets. All traffic to IPs not assigned to an
instance is implicitly denied.
The instances that perform build, test, and release tasks are transient, created and destroyed as economics and load warrant. Subnets containing such instances are considered “dynamic”, and a security group that applies to any instance in the subnet is assumed to apply to the subnet’s entire CIDR block. This means that these subnets must contain at least one active host.