

AWS OpsWorks automates configuration security

Automating configuration and change management with AWS OpsWorks can help admins ensure consistency and security for cloud-based apps.

Securing an IT platform can seem like an endless task. There are no silver bullets for protecting data and applications, so when you find something that works, stick with it. Automating at least some aspects of configuration security is one step toward this peace of mind. AWS OpsWorks gives admins the option to standardize configurations for cloud-based applications.

OpsWorks automates server management tasks, such as starting instances, deploying applications, patching code, and installing packages and libraries. It allows IT teams to run Chef configuration-management scripts or custom Bash scripts. Admins can also organize resources into stacks, layers and applications, enabling them to more easily visualize and manage complex, distributed systems.

Stacks, which are the highest level of abstraction, contain Elastic Compute Cloud (EC2) instances, layers and applications. Users and permissions are also defined per stack. Layers organize sets of related EC2 instances and other resources, such as Elastic Block Store volumes. Layers are typically defined around a functional service, such as a database or cache service.

EC2 instances are assigned to particular layers and require the usual configuration, such as OS specification, security groups, IP address and more. OpsWorks deploys apps to EC2 instances by retrieving code from one of several repositories, such as Git or Simple Storage Service (S3).

OpsWorks can help maintain consistent security configurations in the following ways:

  • Standardizes on hardened OS images
  • Installs security patches
  • Assists with SSH access control
  • Manages users

When deploying servers, it's best to minimize the number of services and daemons running on the instance. But when manually configuring and deploying instances, it's easy to miss a service started by a daemon such as inetd. Administrator activity logging could be disabled and a firewall port could be misconfigured by mistake. Using standardized and tested scripts to configure the OS can mitigate these risks.

AWS OpsWorks installs the latest patches after initial setup and booting. Patching after the application is deployed and running could disrupt operations, so system managers must decide the best time to apply patches after the initial installation. One way to keep an application patched properly is to start new instances and add them to the layers, then delete the older instances once the new ones are serving traffic. If this model doesn't fit the organization's application architecture, you can run the OpsWorks Update Dependencies stack command instead.

Controlling stack access with AWS OpsWorks

System administrators and developers often need to log into instances to issue commands. SSH, which is the preferred method for remote access to instances, typically uses key pairs for authentication. The AWS Management Console lets administrators create key pairs and push the public key to EC2 instances while installing the private key on a local device. But because only one key pair is allowed on each instance, multiple users will need a copy of the same private key to access the same EC2 instance, and sharing a private key this way increases the risk of compromise.

With AWS OpsWorks, however, each instance's OS maintains a file of authorized public keys, which admins can edit manually. Alternatively, when administrators define stacks, they specify the users who will have access to instances, and OpsWorks installs each authorized user's public key on those instances.
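To show why per-user public keys are easier to govern than one shared key pair, here is an added Ruby example (not code from the article or from OpsWorks itself) that reconciles an instance's SSH authorized_keys file against the current list of authorized users: keys for users still on the stack are written into a marked block, keys for removed users disappear, lines an administrator added by hand are left alone, and malformed entries that could smuggle in SSH options are rejected. The marker lines, user list and key strings are constructed sample data, not real OpsWorks attributes.

```ruby
BEGIN_MARK = '# BEGIN opsworks-managed keys (do not edit by hand)'
END_MARK   = '# END opsworks-managed keys'

# One authorized_keys entry: key type, base64 blob, optional comment.
# Anchored so a user record cannot smuggle in "command=..." options or a
# second key via an embedded newline.
KEY_LINE = %r{\A(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( \S[^\r\n]*)?\z}

def valid_public_key?(line)
  line.is_a?(String) && KEY_LINE.match?(line)
end

# Render the managed block: users sorted so repeated runs are idempotent and
# the resulting diffs are easy to review; each key is attributed to its user.
def render_managed_block(users)
  lines = [BEGIN_MARK]
  users.keys.sort.each do |name|
    Array(users[name]).each do |key|
      raise ArgumentError, "rejected key for #{name}: #{key.inspect}" unless valid_public_key?(key)
      lines << "# user: #{name}" << key
    end
  end
  (lines << END_MARK).join("\n")
end

# Replace the managed block in existing_text (or append one if absent),
# leaving every line outside the markers exactly as it was.
def reconcile_authorized_keys(existing_text, users)
  lines = existing_text.lines.map(&:chomp)
  b, e = lines.index(BEGIN_MARK), lines.index(END_MARK)
  block = render_managed_block(users).split("\n")
  if b && e && b < e
    lines[b..e] = block
  elsif b.nil? && e.nil?
    lines.concat(block)
  else
    raise 'authorized_keys has unbalanced managed-block markers'
  end
  lines.join("\n") + "\n"
end

# Keys currently granted by the managed block (handy for access audits).
def managed_keys(text)
  lines = text.lines.map(&:chomp)
  b, e = lines.index(BEGIN_MARK), lines.index(END_MARK)
  return [] unless b && e && b < e
  lines[(b + 1)...e].reject { |l| l.start_with?('#') }
end

# Constructed sample file: a hand-installed key plus a stale managed block that
# still grants access to "carol", who is no longer a user of the stack.
EXISTING = <<~KEYS
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBREAKGLASS breakglass@ops
  #{BEGIN_MARK}
  # user: carol
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECAROL carol@old
  #{END_MARK}
KEYS
AUTHORIZED_USERS = {
  'alice' => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICE alice@laptop'],
  'bob'   => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBOB bob@desktop'],
}
puts reconcile_authorized_keys(EXISTING, AUTHORIZED_USERS) if $PROGRAM_NAME == __FILE__
```

Running the script prints the reconciled file: the break-glass key survives, carol's key is gone, and alice's and bob's keys sit in the managed block.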

OpsWorks uses four permissions to control access to stacks: show, deploy, manage and deny.

  • Show allows users to view a stack but not perform other operations.
  • Deploy enables users to deploy and update stacks.
  • Manage is granted to users who need to add layers, alter instances and manipulate user permissions. Cloud administrators can implement more granular controls using AWS Identity and Access Management (IAM) policies, if needed.
  • Deny does not allow users to access the stack.

Securing a distributed application is a multifaceted challenge. Automating configuration and update operations with OpsWorks can eliminate inconsistencies in application policies and procedures.

About the author:
Dan Sullivan holds a Master of Science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.
