JENKINS-54467

Evergreen AWS flavor security hardening

    Details

    • Sprint:
      Evergreen - Milestone 2
Description

Problem statement

I have provisioned an aws-flavoured Evergreen instance on our AWS company account.
Our mighty Caleb Tennis, from the OPS team, saw scans from various locations on the ports of this instance.
We just had a meeting and Caleb had a few recommendations to make the installation more secure.

Expected

Overall reminder/caveat: we can clearly do much better in terms of security. But we have to find the right balance between the additional complexity each item would add and the level of simplicity we want to offer Evergreen users.

Sorted by criticality below.

Port 8080

We have the HTTP port enabled by default and no HTTPS. We should likely add an ELB and configure HTTPS OOTB.
Caveat: an ELB costs additional money ($34 base price, higher depending on the load). So we need to see precisely how much more, and decide whether to make this optional or not. This could end up being wasteful if a user plans to put/configure an existing and secure reverse proxy in front of a new Evergreen instance.

Port 22

This is probably not a big deal, but it would be nice if we could open/close it on demand (by modifying the security group?).

Main caveat again: this makes using Evergreen slightly more complex.

Port 50000

This one, though currently disabled at the Jenkins level, is also a potential vector of attack.
We could limit access to it to agents from the same AWS account, but it would probably severely limit what users can do if they want to connect an existing agent manually in addition to the dynamically provisioned EC2 agents.
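The security-group side of the Port 22 and Port 50000 items, as an added example that is not Evergreen's own code and not part of this issue: a small Python script that renders the AWS CLI calls to open or close SSH on demand from an admin range, to replace a world-open rule on the agent port with one limited to the VPC CIDR, and that lints a rule set so that neither port ends up reachable from 0.0.0.0/0. The security group id, VPC CIDR and admin CIDR are hypothetical placeholders; the script only prints commands and never calls AWS.

```python
"""Security-group helpers for hardening an Evergreen-style AWS instance.

Added example, not Evergreen's own code. It renders `aws ec2
authorize-/revoke-security-group-ingress` commands and lints a rule set so
that the SSH port (22) and the JNLP agent port (50000) are never exposed to
0.0.0.0/0, while the HTTP port (8080) may stay reachable. All identifiers
below (group id, CIDRs) are hypothetical.
"""
import ipaddress
import json
import shlex

ANYWHERE = "0.0.0.0/0"
SSH_PORT = 22
HTTP_PORT = 8080
AGENT_PORT = 50000
# Ports that must never be reachable from the whole internet.
RESTRICTED_PORTS = (SSH_PORT, AGENT_PORT)


def ingress_rule(port, cidr, description=""):
    """Build one IpPermissions entry (TCP, single port) in the shape
    `--ip-permissions` accepts. Malformed CIDRs raise ValueError early."""
    ipaddress.ip_network(cidr, strict=False)
    ip_range = {"CidrIp": cidr}
    if description:
        ip_range["Description"] = description
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [ip_range]}


def sg_command(action, group_id, rule):
    """Render the CLI call for one rule; `action` is 'authorize' or 'revoke'."""
    if action not in ("authorize", "revoke"):
        raise ValueError("action must be 'authorize' or 'revoke'")
    return (f"aws ec2 {action}-security-group-ingress "
            f"--group-id {shlex.quote(group_id)} "
            f"--ip-permissions {shlex.quote(json.dumps([rule]))}")


def toggle_ssh(group_id, admin_cidr, open_port):
    """Port 22 on demand: authorize from the admin CIDR when opening,
    revoke exactly the same rule when closing."""
    rule = ingress_rule(SSH_PORT, admin_cidr, "on-demand admin SSH")
    return sg_command("authorize" if open_port else "revoke", group_id, rule)


def restrict_agent_port(group_id, vpc_cidr):
    """Port 50000 only from the VPC the EC2 agents live in: revoke the
    world-open rule first, then authorize the VPC-scoped one."""
    return [
        sg_command("revoke", group_id, ingress_rule(AGENT_PORT, ANYWHERE)),
        sg_command("authorize", group_id,
                   ingress_rule(AGENT_PORT, vpc_cidr, "EC2 agents in VPC")),
    ]


def lint_rules(rules):
    """Return the restricted ports that `rules` expose to 0.0.0.0/0.
    Handles port ranges and the all-traffic protocol '-1' (no ports)."""
    exposed = set()
    for rule in rules:
        if not any(r.get("CidrIp") == ANYWHERE for r in rule.get("IpRanges", [])):
            continue
        if rule["IpProtocol"] == "-1":           # all protocols, all ports
            exposed.update(RESTRICTED_PORTS)
            continue
        if rule["IpProtocol"] != "tcp":
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        exposed.update(p for p in RESTRICTED_PORTS if lo <= p <= hi)
    return sorted(exposed)


if __name__ == "__main__":
    sg = "sg-0123456789abcdef0"      # hypothetical security group
    vpc = "10.0.0.0/16"              # hypothetical VPC CIDR
    admin = "203.0.113.0/24"         # constructed admin range
    print(toggle_ssh(sg, admin, open_port=True))
    print(toggle_ssh(sg, admin, open_port=False))
    for cmd in restrict_agent_port(sg, vpc):
        print(cmd)
    current = [ingress_rule(HTTP_PORT, ANYWHERE),
               ingress_rule(SSH_PORT, ANYWHERE),
               ingress_rule(AGENT_PORT, vpc)]
    print("world-exposed restricted ports:", lint_rules(current))
```

Run it with no arguments to see the commands and the lint verdict for a constructed rule set; `lint_rules` is the part worth wiring into a provisioning check, since it also catches a `0-65535` range or an all-traffic `-1` rule that quietly covers 22 and 50000.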

Activity

imod Dominik Bartholdi added a comment -

I think JENKINS-54633 - install evergreen in a dedicated VPC, is a first step in this direction

People

• Assignee:
  Unassigned
• Reporter:
  batmat Baptiste Mathus
• Votes:
  0
• Watchers:
  2
