Security - Scale-Out Computing on AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Security Center.

Security Groups

The security groups created in this solution control and isolate network traffic within the Amazon Virtual Private Cloud (Amazon VPC) between the scheduler and compute components: compute nodes accept traffic from the scheduler's security group rather than from an address range, and only the load balancer in front of the web user interface is meant to be reachable from outside. We recommend that you review the security groups after deployment and further restrict access as needed, in particular any ingress rule whose source is 0.0.0.0/0 or ::/0.
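The following script is an added example for that review; it is not code from the solution. It flags every ingress rule whose source is 0.0.0.0/0 or ::/0 and compares the result with an allowlist of ports that are meant to be public (here only TCP 443, assumed to be the load balancer's HTTPS port). The group IDs, group names, VPC ID and rules are constructed sample data in the shape that EC2 DescribeSecurityGroups returns; the live check at the bottom needs boto3 and AWS credentials and takes the VPC ID as an argument.

```python
"""Flag security-group ingress rules reachable from any address.

Added example; not part of Scale-Out Computing on AWS. SAMPLE_RESPONSE is
constructed data in the shape of an EC2 DescribeSecurityGroups response.
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample: a load-balancer-facing group that legitimately exposes
# 443 but also exposes SSH to the world, and a compute group that only trusts
# the first group (the intended pattern: reference a group, not a CIDR).
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "scheduler-sample",
            "VpcId": "vpc-0123456789abcdef0",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": ANY_V4}],
                 "Ipv6Ranges": [{"CidrIpv6": ANY_V6}],
                 "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": ANY_V4}],
                 "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "compute-sample",
            "VpcId": "vpc-0123456789abcdef0",
            "IpPermissions": [
                {"IpProtocol": "-1",          # all protocols, no port fields
                 "IpRanges": [],
                 "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                       "UserId": "111122223333"}]},
            ],
        },
    ]
}


def world_open_ingress(groups):
    """Return (group_id, protocol, from_port, to_port, cidr) for every ingress
    rule whose source is 0.0.0.0/0 or ::/0, sorted so output is stable."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            from_port = perm.get("FromPort")   # absent when IpProtocol is "-1"
            to_port = perm.get("ToPort")
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr in (ANY_V4, ANY_V6):
                    findings.append((sg["GroupId"], proto, from_port, to_port, cidr))
    return sorted(findings,
                  key=lambda f: (f[0], f[1], -1 if f[2] is None else f[2], f[4]))


def unexpected_exposures(groups, allowed=frozenset({("tcp", 443)})):
    """World-open rules that are not an exact (protocol, port) on the allowlist.
    A port range or an all-protocol rule never matches the allowlist."""
    return [f for f in world_open_ingress(groups)
            if (f[1], f[2]) not in allowed or f[2] != f[3]]


def main(vpc_id=None):
    if vpc_id is None:
        groups = SAMPLE_RESPONSE["SecurityGroups"]
    else:
        import boto3   # only needed for the live check
        ec2 = boto3.client("ec2")
        groups = ec2.describe_security_groups(
            Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["SecurityGroups"]
    for group_id, proto, from_port, to_port, cidr in unexpected_exposures(groups):
        print(f"{group_id}: {proto} {from_port}-{to_port} open to {cidr}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Rules whose source is another security group (UserIdGroupPairs) are not reported; those are the intended way for the scheduler and compute groups to reach each other, and tightening them is a question of which ports, not which addresses.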

Upload an SSL Certificate for the User Interface

The deployed web user interface is served over HTTPS through an Application Load Balancer (ALB) endpoint. Use the following procedure to install or update the certificate:

  1. In the AWS Management Console, navigate to AWS Certificate Manager.

  2. In the certificate list, select the applicable certificate, choose Actions, and then choose Reimport Certificate.

  3. For that certificate, enter the certificate body, private key, and certificate chain. Then, choose Review to verify that the entry is valid.

  4. Copy the Certificate ID. The HTTPS listener on the ALB must reference this certificate; reimporting keeps the certificate's identifier, so a listener already bound to it picks up the new certificate without further changes. For more information, see Upload your SSL certificate.

  5. After about five minutes, verify that the endpoint presents your new SSL certificate.
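The following script is an added example for the last step; it is not code from the solution. A successful TLS handshake alone does not prove the update took effect, because the previous certificate may still be valid and still be served until the listener picks up the reimport. The script therefore computes the SHA-256 fingerprint of the leaf certificate in the PEM file that was imported and compares it with the fingerprint of the certificate the endpoint actually presents. The hostname and PEM path are placeholders supplied on the command line; the PEM text in the test is constructed and not a real certificate.

```python
"""Confirm an HTTPS endpoint serves the certificate that was just imported.

Added example; not part of Scale-Out Computing on AWS. HOST and the PEM path
are placeholders: use the web UI hostname and the certificate body you
imported (a file that also contains the chain is fine; the first block is
taken as the leaf).
"""
import base64
import hashlib
import re
import socket
import ssl

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def leaf_der_from_pem(pem_text):
    """DER bytes of the first CERTIFICATE block in PEM text (the leaf when the
    file also carries the chain). Raises ValueError if there is no block."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der):
    """Lower-case hex SHA-256 of the DER certificate; the same value openssl
    prints as the sha256 fingerprint once the colons are removed."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' (openssl style) or plain hex, in any case."""
    return text.replace(":", "").strip().lower()


def fingerprints_match(a, b):
    return normalize_fingerprint(a) == normalize_fingerprint(b)


def presented_leaf_der(host, port=443, timeout=10):
    """Fetch the DER leaf certificate presented for SNI name `host`.
    Chain and hostname verification stay on, so an untrusted or mismatched
    certificate fails loudly here instead of being accepted silently."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def endpoint_serves_certificate(host, pem_text, port=443):
    """True when the endpoint's leaf certificate is the one in `pem_text`."""
    expected = sha256_fingerprint(leaf_der_from_pem(pem_text))
    actual = sha256_fingerprint(presented_leaf_der(host, port))
    return fingerprints_match(expected, actual)


if __name__ == "__main__":
    import sys
    host, pem_path = sys.argv[1], sys.argv[2]       # placeholders from the CLI
    with open(pem_path, encoding="ascii") as fh:
        ok = endpoint_serves_certificate(host, fh.read())
    print(f"{host}: {'serving the imported certificate' if ok else 'still serving a different certificate'}")
    sys.exit(0 if ok else 1)
```

If the check still fails after the wait, confirm that the listener references the reimported certificate rather than a second, older one, since two ACM certificates with the same subject can coexist in the account.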

Integrate with existing LDAP directory

With Amazon Cognito, your users can sign in to the web user interface with single sign-on (SSO), using the credentials of an existing identity provider instead of a separate password for the solution. Supported providers include social identity providers, such as Google, Facebook, and Amazon, and enterprise identity providers, such as Microsoft Active Directory through SAML. For instructions to enable SSO authentication to the web interface, see What is Scale-Out Computing on AWS? in the Scale-Out Computing on AWS Knowledge Base.

Note

This solution uses an OpenLDAP service to manage user accounts. If you connect the solution to an external LDAP directory, use an encrypted connection (LDAPS, normally port 636) with certificate verification enabled, so that bind credentials and directory queries are not sent in clear text over port 389.
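The following probe is an added example and is not part of the solution. Before pointing the solution at an external directory, it checks two things: that a bind over LDAPS succeeds with certificate verification left on, and that the directory refuses the same bind when it is sent in clear text on port 389. The host, bind DN, password and CA file are placeholders you supply; the encoder and parser cover only the LDAPv3 BindRequest and BindResponse messages from RFC 4511, which is all the probe needs, and the byte strings in the test are constructed messages rather than captures from a real directory.

```python
"""Probe an external LDAP directory: bind over LDAPS with verification on,
and confirm that a cleartext bind on port 389 is refused.

Added example; not part of Scale-Out Computing on AWS. The host, bind DN,
password and CA file are placeholders. Only BindRequest/BindResponse
(RFC 4511) are implemented, which is enough to exercise the listener.
"""
import socket
import ssl

CONFIDENTIALITY_REQUIRED = 13   # resultCode: directory wants TLS first
UNWILLING_TO_PERFORM = 53       # resultCode some directories use instead


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _int(value):
    width = max(1, (value.bit_length() + 8) // 8)   # keep room for the sign bit
    return _tlv(0x02, value.to_bytes(width, "big", signed=True))


def bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, simple [0] password } }. Empty DN and password is an anonymous bind."""
    body = _int(3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, body))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(data):
    """Return (resultCode, diagnosticMessage) from an encoded BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:                               # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)             # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("directory closed the connection")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read exactly one BER message by honouring its length prefix."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def ldaps_bind(host, bind_dn, password, cafile=None, port=636):
    """Bind over LDAPS. The default context verifies the chain and hostname;
    pass cafile for a private CA instead of switching verification off."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return parse_bind_result(_recv_message(tls))


def cleartext_bind_refused(host, bind_dn, password, port=389):
    """True if the directory rejects a simple bind sent without TLS."""
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(bind_request(1, bind_dn, password))
        code, _ = parse_bind_result(_recv_message(raw))
    return code in (CONFIDENTIALITY_REQUIRED, UNWILLING_TO_PERFORM)
```

Run the probe with a real bind DN and password rather than an anonymous bind, because some directories only enforce confidentiality for authenticated simple binds. A resultCode of 0 from ldaps_bind confirms both the TLS trust chain and the credentials; if cleartext_bind_refused returns False, the directory accepts binds on port 389, and the port should be blocked in the security groups or TLS enforced on the directory side before the solution is connected.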