Security in AWS OpsWorks Configuration Management (CM) - AWS OpsWorks

Security in AWS OpsWorks Configuration Management (CM)

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS compliance programs. To learn about the compliance programs that apply to AWS OpsWorks CM, see AWS Services in Scope by Compliance Program.

  • Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using AWS OpsWorks CM. The following topics show you how to configure AWS OpsWorks CM to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your AWS OpsWorks CM resources.

Data Encryption

AWS OpsWorks CM encrypts server backups and communication between authorized AWS users and their AWS OpsWorks CM servers. However, the root Amazon EBS volumes of AWS OpsWorks CM servers are not encrypted.

Encryption at Rest

AWS OpsWorks CM server backups are encrypted. However, the root Amazon EBS volumes of AWS OpsWorks CM servers are not encrypted. This is not user-configurable.

Encryption in Transit

AWS OpsWorks CM uses HTTP with TLS encryption. AWS OpsWorks CM defaults to self-signed certificates to provision and manage servers, if no signed certificate is provided by users. We recommend that you use a certificate signed by a certificate authority (CA).

Key Management

AWS Key Management Service customer managed keys and AWS managed keys are not currently supported by AWS OpsWorks CM.

Internetwork Traffic Privacy

AWS OpsWorks CM uses the same transmission security protocols generally used by AWS: HTTPS, or HTTP with TLS encryption.

Logging and Monitoring in AWS OpsWorks CM

AWS OpsWorks CM logs all API actions to CloudTrail. For more information, see the following topics:

Configuration and Vulnerability Analysis in AWS OpsWorks CM

AWS OpsWorks CM performs periodic kernel and security updates to the operating system that is running on your AWS OpsWorks CM server. Users can set a window of time for automatic updates to occur for up to two weeks from the current date. AWS OpsWorks CM pushes automatic updates of Chef and Puppet Enterprise minor versions. For more information about configuring updates for AWS OpsWorks for Chef Automate, see System Maintenance (Chef) in this guide. For more information about configuring updates for OpsWorks for Puppet Enterprise, see System Maintenance (Puppet) in this guide.

Security Best Practices for AWS OpsWorks CM

AWS OpsWorks CM, like all AWS services, offers security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

  • Secure your Starter Kit and downloaded login credentials. When you create a new AWS OpsWorks CM server or download a new Starter Kit and credentials from the AWS OpsWorks CM console, store these items in a secure location that requires at least one factor of authentication at minimum. The credentials provide administrator-level access to your server.

  • Secure your configuration code. Secure your Chef or Puppet configuration code (cookbooks and modules) using recommended protocols for your source repositories. For example, you can restrict permissions to repositories in AWS CodeCommit, or follow guidelines on the GitHub website for securing GitHub repositories.

  • Use CA-signed certificates to connect to nodes. Although you can use self-signed certificates when you are registering or bootstrapping nodes on your AWS OpsWorks CM server, as a best practice, use CA-signed certificates. We recommend that you use a certificate signed by a certificate authority (CA).

  • Do not share Chef or Puppet management console sign-in credentials with other users. An administrator should create separate user accounts for each user of the Chef or Puppet console websites.

  • Configure automatic backups and system maintenance updates. Configuring automatic maintenance updates on your AWS OpsWorks CM server helps ensure that your server is running the most current security-related operating system updates. Configuring automatic backups helps ease disaster recovery and speed restoration time in the event of an incident or failure. Limit access to the Amazon S3 bucket that stores your AWS OpsWorks CM server backups; do not grant access to Everyone. Grant read or write access to other users individually as needed, or create a security group in IAM for those users, and assign access to the security group.